[svlug] Virus FUD

J C Lawrence claw at cp.net
Fri May 5 17:20:15 PDT 2000

On Fri, 5 May 2000 16:35:52 -0700 
Richard Jennings <Richard_Jennings at sandia.gov> wrote:

> I emailed someone in our corporate headquarters the suggestion
> that maybe it's time to look at something other than Outlook as a
> corporate standard.  Here was his reply:

>> Maybe. Maybe not. 2-3 of the natl and intl stories I read on it
>> this morning make the point that Outlook was apparently targeted
>> primarily because it's widely used. If we and most other orgs
>> move to X, then hackers will target X. There's nothing inherent
>> in Outlook that makes it more vulnerable than other systems, they
>> point out.

> I think I'll spend part of the weekend gathering some data to send
> his way. :) Any pointers appreciated.

There is an implicit assumption in there that a "majority" of people
will be (and perhaps should be) all using the same product.  I don't
see that that assumption is supportable, or is in fact one that
should be encouraged.  Widespread variance in base types, outside of
protocol definitions of course, lends its own protection, much as it
does in genetics.  Just as the probability of a pandemic
extinguishing all human life is lessened by the single fact of human
genetic variance (we're not all the same), given a broadly
distributed range/variance of mail clients in use, the probability
of any single virus causing widespread disaster (as versus being
isolated in "islands" of its client mail client type) is also lower.

There is a wide array of factors which make Outlook more exposed
than others, several of them discussed on this list.  This
doesn't say that other Windows or *ix based mail clients don't also
have exposures (there is no non-trivial bug-free software), just
that there is a difference in degree between them due to the poor
security architecture of Outlook/VBScript.

