IP: How not to distribute white papers OR WILL THEY EVER LEARN Risks Digest 20.90

[Dave Farber <farber () cis upenn edu>]

> Date: Thu, 1 Jun 2000 17:45:34 GMT
> From: rubin () research att com (Avi Rubin)
> Subject: How not to distribute white papers
>
> I was reading a white paper from Microsoft about Windows 2000 security.
> In particular, I am interested in how the Encrypted File System (EFS)
> works. Someone at Microsoft informed me that there was a new version of
> the white paper available at
>
> http://www.microsoft.com/windows2000/library/howitworks/security/encrypt.asp
>
> Great. I went to that site, and I found a copy of the introduction and a
> link to the paper. The only catch was that the only way to download the
> paper is to download a file called encrypt.exe. Once you download this file,
> you can run the program, which unzips a word file. Obviously, Microsoft is
> doing this to save storage space on their server and to reduce latency on
> the downloads.
>
> Of all companies, Microsoft should be the last one to encourage users to get
> into the habit of downloading .exe programs and running them. The way I
> handled it was to download the file to a sacrificial machine that I use for
> this purpose. Then, I took it off the network and ran the program. I then
> physically copied the .doc file to a floppy and transfered it using
> sneakernet to my regular PC. Of course, I was still taking a chance. If the
> downloaded program were malicious, then it could do its damage the next time
> I connect the machine to the network. The problem is that it is very
> difficult to know that a program is harmless, just because it does something
> that you expect it to do. I could not believe that this is how Microsoft
> distributes its white papers. It is beyond comprehension.
>
> Avi Rubin
>
> http://avirubin.com/