[TriLUG] How not to run a network

[William Sutton]

The points are:
- If I can rename it anyway, then all that does is provide a slightly 
higher barrier to the stupidity level, meaning I can still send some luser 
a file labeled "your program.dat", tell them that it is useful in some way 
or other, and have them wipe out their system.
- Likewise, it makes it a serious pain in my backside to send them 
legitimate programs (the more so since the IS folks took away IM file 
transfer).

In other words, it puts a crimp in my ability to do my job and doesn't (as 
far as I can analyze the situation) do anything beyond stop Outlook from 
being stupid.  Frankly that's not a sufficient reason to me.

Of course the fact that I have to use Windows to do UNIX development work 
is a whole other sore point...

I should also like to point out that can/can't and will/won't are very 
different things.  I agree that "can't" is probably indicative that 
someone shouldn't be using a computer.  "won't" is debatable.  "doesn't 
want to" is a whole other option that you left out in what sounded like a 
targeted attack :)

William

On Wed, 16 Feb 2005, Dan Monjar wrote:

> William Sutton wrote:
> > - any files with extensions (it seems) other than .txt or .dat are banned 
> > from email attachments (but you can rename them to .dat if you like...)
> > 
> 
> I am a corporate IS security geek and I do this...  actually I strip 10 
> or so attachments from mail messages.  Anything executable like .cmd, 
> .exe, .bat, .scr, etc.... If you want to send it out then rename it to 
> something innocuous.  It prevents dumbasses from clicking on unknown 
> attachments and prevents *helpful* programs from running things auto 
> magically.  Haven't had an email virus since the Kournikova one.
> 
> Since W2K added native zip handling I strip those as well.
> 
> If you can't or won't rename a file then your computer should be taken away.
> 
>