The exact same thing? Really? Your bash script would have grabbed all the addresses that the user had
on the computer and mailed itself to them? It would have overwritten several system libraries? It would
have also overwritten every gif, jpeg and html file on the machine, no matter who they belonged to?
That's pretty amazing; you obviously know something about bash that I don't.
One of the fundamental differences between your average *nix and Windows 95/98 is that the *nix was designed from the ground up as a multiuser system, whilst Windows was designed more for personal use, and as such has no real idea about permissions and the concept of separating root/system files from user accessible files.
As such, the analogy is more accurate if you considered the script to be run as root - you may consider the "anyuser=root" design of Windows to be a bug, but I think it is one of the things that allow people to grasp the concepts of the OS better (not that I necessarily agree with the design, but I can see where Microsoft is coming from when they use that model for their OS).
And as for the functionality of the bash script - yes, it is possible for bash to grep through the addressbook locations of common mailers to find a list of addresses, and (call sendmail and send|directly send) emails to other users.
And it is theoretically, although extremely unlikely, possible that the script could exploit some root hole in a program somewhere to get root privileges.
Now, maybe you have a really different setup on your Linux machine than I do, but if I send your script to
myself it just shows me the text of it; it runs nothing. Even if I send a compiled binary, it doesn't give me
the option of running it, only saving it to disk. And even then, it doesn't save it as executable. I have to
chmod it myself if I actually want to run it.
My mailer, KMail, seems to want to run attachments that you send to it as soon as you click on the icon, although as it saves the temp files as 664, it doesn't have the permissions to. You have to right click to save the file somewhere else. The behaviour is pretty broken, though. It's mailer-dependent on what the default behaviour is. I think it should be saving to disk too, but the author doesn't seem to agree with me (not that I've asked...)
I'm sure someone who was really motivated could come up with something that would do some damage
to someone. I'm also extremely sure that the kind of carnage we saw with the ILOVEYOU virus isn't going
to happen to a Unix based system any time soon. Not that I believe a destructive Unix virus is completely
impossible. It's just that it would be so difficult, that the people with the skills to make it happen probably
have better things to do with their time.
The problem I have with ILOVEYOU is that it _isn't_ a virus - it's a Trojan worm. As such it requires the user to perform some action to actually activate it (in this case, double-clicking on the attachment).
The issue seems to be here that Windows makes running malicious code easier than Unix. Unix users on the whole seem more informed about the idea of auditing source, and not running unknown executables just because an email tells you to. Windows users on the other hand have always been handed an EXE file, and told 'run this'.
But should Microsoft take the blame for something the user did? I don't think so. The ILOVEYOU mess reminds me of the case where someone walked into a bar, got blind drunk, stepped outside and got injured. He then proceeded to sue the bar for making it too easy for him to drink.
The whole concept of personal responsibility seems to have gone out the window in society today, with people wanting to blame scapegoats rather than accept that they made a mistake.
Should Microsoft have made it harder to run untrusted executables? Yes. Should they be held liable for damages because they didn't? No.
What is the helix?