Interesting People mailing list archives
IP: How not to distribute white papers OR WILL THEY EVER LEARN Risks Digest 20.90
From: Dave Farber <farber () cis upenn edu>
Date: Tue, 06 Jun 2000 01:21:08 -0700

Date: Thu, 1 Jun 2000 17:45:34 GMT
From: rubin () research att com (Avi Rubin)
Subject: How not to distribute white papers

I was reading a white paper from Microsoft about Windows 2000 security. In particular, I am interested in how the Encrypted File System (EFS) works. Someone at Microsoft informed me that there was a new version of the white paper available at

http://www.microsoft.com/windows2000/library/howitworks/security/encrypt.asp

Great. I went to that site, and I found a copy of the introduction and a link to the paper. The only catch was that the only way to download the paper is to download a file called encrypt.exe. Once you download this file, you can run the program, which unzips a Word file. Obviously, Microsoft is doing this to save storage space on their server and to reduce latency on the downloads.

Of all companies, Microsoft should be the last one to encourage users to get into the habit of downloading .exe programs and running them.

The way I handled it was to download the file to a sacrificial machine that I use for this purpose. Then, I took it off the network and ran the program. I then physically copied the .doc file to a floppy and transferred it using sneakernet to my regular PC. Of course, I was still taking a chance. If the downloaded program were malicious, then it could do its damage the next time I connect the machine to the network. The problem is that it is very difficult to know that a program is harmless, just because it does something that you expect it to do.

I could not believe that this is how Microsoft distributes its white papers. It is beyond comprehension.

Avi Rubin
http://avirubin.com/