Phill Hallam-Baker's Security Blog
Monday, August 25, 2003
The Outlook is better than most think.
Scott Rosenberg raises the old 'viruses are caused by Outlook' claim. Well yes viruses are more likely to affect outlook than other clients, but no the reasons have little to do with the design of the code.

Older versions of Outlook did have bad habbits, like automatically running possibly malicious code when the user clicked on an attachment. This behavior was not unique to Outlook, Netscape Communicator would at one time automatically run Javascript code when it displayed an email with HTML code. Microsoft fixed outlook over two years ago. Anyone can download a patch for Outlook paid edition or download a complete upgrade for Outlook Express.

I get annoyed when people blame viruses on end users, they are an architectural flaw. The fact is however that all email programs currently used on the Internet share the same flaw - they do not authenticate the source address that an email purports to come from. This is how spammers can hijack my email address to send spam - and have done so on many occasions in the past.

A typical virus spreads by reading a victim's email address book and sending out copies of itself to each address in the book. More recently viruses have disguised their origin by using a source address that is also chosen at random from the email address book.

This behavior has two consequences, first the virus must be able to read the victim's email address book to spread. Outlook makes this easy because the address book is readable through a standard API. It is possible to do this with any mail client, but a virus can only spread from an infected host if it reads the address book format of the particular user who is infected. Eudora - and for that matter most other email clients have a tiny market share compared to Outlook - about a tenth of outlook's installed base. That means that a virus that attempted to propagate through Eudora will be passed on to a tenth the number of new victims at each stage than a virus that attacks Outlook. This difference has nothing to do with design, it is all about how viruses spread.

If the virus problem was merely the design of outlook one would have expected the problem to have reduced after the patches went in two years ago. Instead the virus problem is far worse because so many people have broadband connections these days.

This suggests that viruses would be less of a problem if there were more email clients in use. Actually this is not quite the case. More email clients would certainly slow the spread of viruses that could only infect one type of email client. However it is not difficult to write a virus that attacks more than one type of client at a time. The only reason this does not happen is that there is not a big enough incentive.

A better solution would be to design an email client in such a way that malicious code simply could not read the address book. This is impossible on an operating system such as Windows 98 where the O/S does not provide compartmentalized security. It might be possible with some effort to create such a system on Windows 2000 or Windows XP and is certainly possible using the next generation security technology from Microsoft 'the operating system formerly known as Palladium'.

OK so much for propagation. What about the other consequence of the way viruses spread? Pretending to be another person has become an essential technique for viruses to propagate. It follows that we can reduce the rate of spread of spam by preventing viruses (and spam) using this impersonation technique. This means using security mechaisms such as S/MIME which Outlook, Lotus Notes and Netscape all support and Eudora conspicuously fails to support.

The key to stopping virus propagation is to ensure that each time a virus infects a victim the infection will be passed on to an average of less than one additional victim.

Thursday, August 07, 2003
Patent Ruling Goes Against EBay (
Patent Ruling Goes Against EBay (

A federal judge Wednesday ordered online auction house eBay to pay $29.5 million to a Virginia inventor who accused the company of stealing his ideas.

The 'idea' in question being the idea of fixed price bidding, the 'buy it now' option on EBay.

Yet another stupid patent issued by the USPTO that does not have a shred of originality and would be rejected by any other country's patent office with derisory laughter.

Fixed price bidding has had a long history. There is nothing novel about saying do something over the Internet.

The USPTO can engage in whatever sophistry it likes and claim that their definition of novelty is different. That is not what the legislators intended when they passed the act - nor is it what the USPTO says when defending the principle of patents. When it comes to defending the principle of patents they are only issued for substantially novel ideas that provide real benefit, or so they cwould have us believe.

There is no social benefit to this 'invention' being granted a 20 year monopoly. It is an idea that is clearly obvious because several people have have the same idea independently. We did not need the incentive of the monoploy for the world to have the benefit of this idea, we would have got it anyway for free.

Powered by Blogger