On 15/06/07, Scott (angrykeyboarder) <<a href="mailto:geekboy@angrykeyboarder.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> geekboy@angrykeyboarder.com</a>> wrote:<div><div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Derek Broughton spake thusly on 06/14/2007 06:28 AM: > Scott (angrykeyboarder) wrote: > >> Nils Kassube spake thusly on 06/11/2007 11:36 AM: >>> Scott (angrykeyboarder) wrote: >>>> Malicious software targeting OpenOffice.org documents is spreading >>>> through multiple operating systems (Including Linux), according to >>>> Symantec.... >>>> >>>> <a href="http://news.com.com/OpenOffice+worm+Badbunny+hops+across+operating+syst" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> http://news.com.com/OpenOffice+worm+Badbunny+hops+across+operating+syst</a> >>>> ems/2100-7349_3-6189961.html?tag=html.alert.hed >>>> >>>> (or <a href="http://preview.tinyurl.com/2qmqjj" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> http://preview.tinyurl.com/2qmqjj</a> if you prefer). >>> Which is mostly harmless according to >>> >>> <<a href="http://blogs.sun.com/malte/entry/sb_badbunny_a_harmless_little" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> http://blogs.sun.com/malte/entry/sb_badbunny_a_harmless_little </a>> >> If you have a brain, then yes that's correct. >> >> However, not everyone fits in that category. :) > > LOL.  If you have a brain, viruses aren't a problem on Windows either :-) That was precisely my point.  Windows bashers love to point out how insecure Windows is. While I agree it's typically less secure than Linux, I also point out that the biggest Windows security problem isn't Windows, it's (most) Windows users. And just because a program doesn't have root/administrator access doesn't mean it can't do damage. The last I checked most Linux users don't have to have root access to open their personal files (e.g. Photos, Videos, "important" documents and so forth). There are plenty of ways to do damage to those files without root access.  After all, I as a user can install and run software in ~/foo can I not?</blockquote></div><div> Actually it's not that simple. Whose was the original sin? The windows users being stupid or windows's bad design teaching the users to be stupid? It's a chicken and the egg problem. As a windows design fault let's take for example the current Vista 'Cancel or Allow' dialogs. Because you need to click 'allow' in order to do some simple tasks, the users gradually learns that it is Ok to click the 'allow' button because it is probably something simple anyway. While this particular example is a new design flaw, windows has had many more in the past, all of which have helped to create the 'stupid windows user' of today. Of course windows isn't the only one that suffers design flaws of this kind. Indeed a very on-topic example would be OpenOffice.org's very own 'Cancel or Allow' dialog. If you want to add a button to change a paragraphs colour for instance, that would naturally require a script. If you wanted a button to gather info on the file you just wrote and send that data of http to a remote server, that too would require writing a script. In both instances you'd get the macros 'Cancel or Allow' dialog when loading the file. Most scripts are of the 1st type, harmless, affecting the local document only. Such scripts do not need a Cancel or Allow dialog as they are harmless outside the local document in which they are contained, but because the dialog keeps popping up people get used to clicking allow for trivial things. So now when an ugly bunny raises it's head, there are a number of people who see the 'Cancel or Allow' and think 'Yes please, I'd like pretty colours, thank you.'. Is it their fault for being naive or is it the program designers fault for teaching them to be? As you can probably tell from the above I'm of the opinion that the <a href="http://oo.org">oo.org</a> security team needs to be hit with a clue stick and quickly, before something nasty gets through. The 'Cancel or Allow' dialog is at best a quick hack, not an almighty security feature like the oo.o people seem to be saying it is. Arwyn </div></div>