Reader feedback on banning attachments to e-mail brings out a range of opinions
One of the most interesting things about writing a column is that I never know what's going to excite you readers. I figure I have three communities of readers, and their interests don't always overlap. Many of you read this column in print, and others get it through InfoWorld's Security Watch newsletter (which is cleverly plugged at the end of this column; don't miss it). Finally, there are those of you who either deliberately look me up online or stumble across the column some other way.
The last group is really unpredictable. For example, a couple of months ago, I wrote a column discussing some Linux security enhancements that had come out of a National Security Agency project. The Linux-NSA column attracted something like 50,000 hits in the first couple of days it was online, which is about ten times what usually happens. I don't know what it will prove if this week's installment peaks similarly; it might indicate only that some people will read anything that mentions Linux and security in the same sentence.
And since I took over this column at the beginning of the year, I don't think any topic has generated as much e-mail from readers as when I wrote a few weeks ago about the futility of banning e-mail attachments (see "Banning attachments is like tying an arm behind your back and expecting results," March 5). Some of you who wrote were offering products that tried to address the problem with either hardware or software. Don't call me; I'll call you.
A lot of you wrote to point out an intermediate solution to the attachment problem: banning executable attachments. This works if your filter can tell what's an executable and what's not. For example, in a Windows shop, you can usually assume that a file whose name ends in .exe or .vbs is something that should be examined thoroughly. Unfortunately, it's easy for an attacker to camouflage the sucker by compressing the hostile executable into a zip file and sending that file to 10,000 users in an organization. Sure as shooting, one of the myriad users will have an unzipping tool, probably one that will run the concealed program with a single click. Other readers mentioned that you allow executables through if they are zipped; that's probably the best compromise if you insist on moving executables by mail.
Quite a few of you pointed out that Microsoft -- or at least its Outlook and Outlook Express applications -- was the root of the problem. I agree, for the most part, that applications shouldn't be blindly executing code with system-level privileges, but I got my Microsoft-bashing out of the way last week, so 'nuff said on that subject.
One theme that kept surfacing in your e-mails was the "stupidity of end-users," who can't get it through their thick skulls that they need to be a lot more careful about opening attachments, even when they know who the source is. Given that many of these e-mail virus/worm attacks use the address book of an unsuspecting victim, a little paranoia in this respect among users would go a long way. Even my mother knows better than to open an attachment that looks sketchy. Of course, she had to learn the hard way. It's a good thing that the Navidad virus is relatively benign, or else my Christmas vacation would have been even busier.
One reader told me that his company was essentially following my (facetiously offered) advice about gluing drive doors shut. In lieu of using any anti-virus packages, they use "stern warning" stickers that say something like, "If you use SneakerNet in this shop because the network's down, expect to find yourself in hot water." That's just backwards.
A few of you pointed out that I was discussing a problem without offering any solutions. Gee, I thought that's what columnists were supposed to do. Seriously though, discussing solutions in the context of Microsoft's inherently insecure e-mail software is like deciding what kind of paint you're going to put on the barn once the fire's out.
Get Security Watch free via e-mail
Get my column free via e-mail each week. Sign up at www.iwsubscribe.com/newsletters