April 17, 2001, 4:04 PM — One of the most interesting things about writing a column is that I never know what's going to excite you readers. I figure I have three communities of readers, and their interests don't always overlap. Many of you read this column in print, and others get it through InfoWorld's Security Watch newsletter (which is cleverly plugged at the end of this column; don't miss it). Finally, there are those of you who either deliberately look me up online or stumble across the column some other way.
The last group is really unpredictable. For example, a couple of months ago, I wrote a column discussing some Linux security enhancements that had come out of a National Security Agency project. The Linux-NSA column attracted something like 50,000 hits in the first couple of days it was online, which is about ten times what usually happens. I don't know what it will prove if this week's installment peaks similarly; it might indicate only that some people will read anything that mentions Linux and security in the same sentence.
And since I took over this column at the beginning of the year, I don't think any topic has generated as much e-mail from readers as when I wrote a few weeks ago about the futility of banning e-mail attachments (see "Banning attachments is like tying an arm behind your back and expecting results," March 5). Some of you who wrote were offering products that tried to address the problem with either hardware or software. Don't call me; I'll call you.
A lot of you wrote to point out an intermediate solution to the attachment problem: banning executable attachments. This works if your filter can tell what's an executable and what's not. For example, in a Windows shop, you can usually assume that a file whose name ends in .exe or .vbs is something that should be examined thoroughly. Unfortunately, it's easy for an attacker to camouflage the sucker by compressing the hostile executable into a zip file and sending that file to 10,000 users in an organization. Sure as shooting, one of the myriad users will have an unzipping tool, probably one that will run the concealed program with a single click. Other readers mentioned that you allow executables through if they are zipped; that's probably the best compromise if you insist on moving executables by mail.
Quite a few of you pointed out that Microsoft -- or at least its Outlook and Outlook Express applications -- was the root of the problem. I agree, for the most part, that applications shouldn't be blindly executing code with system-level privileges, but I got my Microsoft-bashing out of the way last week, so 'nuff said on that subject.