Post #10,024
9/21/01 12:03:55 AM
|
You know ditching Outlook will solve a lot of problems...?
Thought so. Of course, suggesting it (let alone recommending it) will probably go down like the proverbial lead balloon...
Wade.
"All around me are nothing but fakes Come with me on the biggest fake of all!"
|
Post #10,050
9/21/01 5:52:51 AM
|
On ditching Outlook
I posted this to a mailing list earlier.
We've witnessed a horrific event, a week ago Tuesday. It didn't come without warning -- this nation has experienced terrorism attacks for most of the past decade, including previous attacks and attempts on its own shores. And it wasn't unimaginable. For the X-Files buffs in the crowd, an episode of the spinoff show The Lone Gunmen featured a plot in which terrorists planning on slamming an airliner into the World Trade Center were thwarted.
In a similar vein, the problems associated with email clients which execute untrusted content with no intervention from the user, particularly when such clients are widespread and provide a fertile monoculture on which to host hostile attacks, have been known for years. Attacks to date have largely been crude pranks; the constant theme running through the Monday-night quarterbacking of the latest MS Outlook email exploit (ILoveYou, Melissa, Marijuana, Kournikova, Cartolina, SirCam, nimda, ...) is how trivial it would be for the worms to be modified to be truly destructive.
We had one wakeup call last Tuesday. What are the rest of you waiting for? This war has been escalating since 1999 and before. Your email system need not be the fastest way to turn your systems against yourself.
Do you really want to be in the position of explaining to your boss, employees, customers, and shareholders, with the smoking wreck of your datacenter in the background, how three years and more of advance notice wasn't sufficient to avert disaster?
-- Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com] What part of "gestalt" don't you understand?
|
Post #10,056
9/21/01 9:12:19 AM
|
What was the response like?
"All around me are nothing but fakes Come with me on the biggest fake of all!"
|
Post #10,151
9/21/01 6:05:29 PM
|
Underwhelming
One post, of which I quote from my partial response. I'm looking for help on this, I'd like it to be short, sweet, and irrefutable. It's currently long, sour, and.... Feedback appreciated.

> Karsten, I wonder (and this is a genuine question, not a rhetorical
> one) whether Outlook is actually all that much worse, or more
> 'exploitable', than are many of the potential alternatives? It's
> tempting to think that the main reason most of the attacks have
> involved exploitation of this particular product is that, as you say,
> it is so ubiquitous (even though I've virtually never used it myself
> :-). If everyone changed to some (inevitably imperfect) product
> tomorrow, I suspect that it would not be long before that was being
> 'exploited' in a similar fashion.
You could write a buggy, insecure, and wildly popular email client under GNU/Linux. It's probably been done. Chances are it would do far less harm than MS Outlook.
There are a number of factors which contribute to the effectiveness of an exploit:
- System architecture.
- User behavior.
- System administration (particularly application of patches).
- System adoption.
Legacy MS Windows systems lose on all four fronts.
The system architecture tends to magnify the results of security exploits: users have access to system facilities (directories, files, and programs). File associations and a large number of applications that don't handle suspect executable content sanely are another large issue. Tight coupling of facilities means that programs have both access and impacts on other parts of the system. A single point of access on the system often provides total control over vital resources.
Legacy MS Windows OS and application features are such that users routinely send, and are expected to utilize, arbitrary content, much of which may be executable. Which might be translated as "the user is an idiot", but is conditioned by the fact that the user has been trained that acting like an idiot: running arbitrary software, or engaging arbitrary methods, which may or may not include executing code, on arbitrary content, is not only a perfectly acceptable standard of operation, but _is required to perform basic job functions_.
WinNT and Win2K have been advertised as requiring less system administration than Unix and GNU/Linux systems. While this may be true, it also leads to a large number of boxes being administered by idiots. As GNU/Linux, UNIX, and Mac OS/X become more prevalent, we can expect the number of idiot admins to increase as well. However, while there are active incentives to produce low quality software in certain proprietary contexts, to defer bugfixes, and to make administrative updates difficult (or at least non-trivial), there are strong incentives toward the opposite goals in free software (and, to a lesser extent, with subscription models such as SAS).
In light of the above four failings, widespread adoption is the final nail. Monocultures mean that, once a vulnerability is found, it can be distributed broadly. A monoculture with a system architecture that's averse to security, requires unsafe actions of its users, and fosters sloppy system administration practices, is a prime breeding ground.
Free software addresses this .... [so help me here, people]
Peace.
-- Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com] What part of "gestalt" don't you understand?
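The post above names the failure the worms it lists exploited: a client that hands attachments straight to the system's file associations, so a name like `something.TXT.vbs` gets run by the script host the moment a user opens it. The gateway-side mitigation that does not depend on the client is an attachment policy enforced before delivery. The block below is an added example written for this thread, not code from any poster or product mentioned here; the extension and MIME-type lists, the sample message and the attachment names in it are constructed for illustration. It parses a message with the Python standard library and flags three things the thread's worms relied on: directly executable extensions, a benign-looking name with a trailing script extension, and a PE header (`MZ`) hiding under a non-executable filename.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy list: extensions that Windows shells run directly or pass to a
# script host when a user double-clicks the attachment. Constructed for this example.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "reg", "lnk",
}
# Assumed policy list: MIME types that declare executable content outright.
EXECUTABLE_MIME_TYPES = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/hta", "text/vbscript", "application/javascript",
}


def classify_attachment(filename, content_type, payload):
    """Return the list of policy findings for one attachment (empty list = allowed)."""
    findings = []
    name = (filename or "").lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{ext}")
        # ILoveYou / Kournikova pattern: innocuous name plus a trailing script extension.
        if len(parts) > 2:
            findings.append("double extension disguises executable")
    if content_type.lower() in EXECUTABLE_MIME_TYPES:
        findings.append(f"executable content type {content_type}")
    # PE executables start with 'MZ'; a renamed binary still carries that header.
    if payload[:2] == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
        findings.append("PE header under non-executable name")
    return findings


def scan_message(raw):
    """Parse a raw RFC 822 message; return {filename: findings} for flagged attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        findings = classify_attachment(filename, part.get_content_type(), payload)
        if findings:
            flagged[filename] = findings
    return flagged


def build_sample_message():
    """Constructed test message: one script with a double extension, one renamed PE, one benign file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "files"
    msg.set_content("Here are the files.")
    # Text/plain by declared type, but the name ends in .vbs, so the shell would run it.
    msg.add_attachment("MsgBox \"constructed sample\"\n", subtype="plain",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    # Constructed bytes with a PE-style 'MZ' header, delivered under a document name.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="application",
                       subtype="octet-stream", filename="report.doc")
    msg.add_attachment("just notes\n", subtype="plain", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run it and only the two hostile attachments are reported; `notes.txt` passes. The checks are deliberately independent of the declared content type, because the point of the thread is that the client trusts the filename, not the MIME header, when it decides what to execute.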
|
Post #10,165
9/21/01 7:48:37 PM
|
Quick thoughts.
I think you need to play up the "system adoption" line more. If any other company had an email client as insecure as Outlook, it would receive enough damning reports that they would have to fix it or lose what market share they had. Because Outlook comes from Microsoft, it is much harder to put enough pressure on them to fix the fundamental security issue(s) in question. As Inthane has clearly related, this has so far been quite ineffectual.
Wade.
"All around me are nothing but fakes Come with me on the biggest fake of all!"
|
Post #10,053
9/21/01 8:31:56 AM
|
Absolutely
I detest Lotus Notes. But the simple act of using it blocks the vast majority of these email viruses, and blocks this scripting attack as well. And using Lotus doesn't preclude using most of the software that people want to use in a Linux environment.
(And to the people who think that, for instance, Excel is replaceable, talk to a good analyst about pivot tables and document interchangeability.)
Cheers, Ben
|