Radu Luchian(ov): Pastime:
Commentary: Various Peeves

For more of my writing, you may check my Literature area.

Malicious code

Radu: On-line email services are pretty safe. If the company that offers it does its job well, no virus can hide in the software-generated message (which is just an HTML page that stays on my computer for 5 minutes while I read the message, then expires.)

---- Andrew Brook  wrote:

Andy: ... and if you open an attachment?

Radu: I'm careful with attachments. Attachment-based viruses use human gullibility as their spreading vector. Protection is easy as 1,2,3:

• Rule#1: never open .pif, .lnk, .bat, .exe, .com attachments (as they can contain system-based viruses), nor .doc, .xls (or other advanced file formats which can contain macro viruses). Web mail is good because it tells you exactly what sort of file you are downloading. Ask whoever's sending to give you .rtf documents (SaveAs Rich text format from Word or WP) or if they can, .pdf. Be wary of self-extracting archives (ask for .zip or .rar, etc., never for .exe) If you DO receive an archive that uses an .exe extension, try to open it from the program it created it (WinZip or WinRar, etc.)
• Rule#2: Never "open files from their original location". Right-click the link and choose "Save to disk" if you must see the contents of an attachment. It takes some time to go through Rule#3, but it's worth in the long run. If you value the contents of your disk, of course.
• Rule#3: if you have time, open the file (whatever it is), in WordPad and check that the first 2 characters are not MZ, followed by garble. In that case, even if the file has extension .rtf, it's just an executable in sheep's skin.
• And another rule, that doesn't have much to do with viruses, but it helps: Never keep your Recycle Bin full. Files in there take up space on the disk and add to the fragmentation. Some viruses even hide their payload or whatever they gather from your system, in the trash :)

Andy: The first page comes up when you open the message, the one which used to say 'Part 1', which when you click on it brings up the the telltale pseudo-message (some mailers open it automatically)

Radu: Those mailers should not be trusted. I hate Outlook for this precise reason.

Andy: 1. This worm uses a variety of extensions.

Radu: The most primitive form of polymorphism. Some rogue code is taught to "mutate" automatically, following a pattern or (pseudo)randomly. This one mutates a couple of things: the cover (the text it generates to fool the human into opening the attachment), the two wrappers (the system wrapper: "extension" and the payload wrapper: the code that actually does the work) and also it picks files of certain types to mask its passage.

Fortunately, it does not seem to mutate the 'feet' of the worm. Actually the whole code looks like it's put together by a college student. It doesn't have any of the elegance of real hacker work.

Andy: What is interesting and I think not yet commented on elsewhere...

Radu: Yes, it is commented on in any security-related newsgroup, discussion list or FAQ. There are plenty of extensions that the system will recognize as executables, and it seems like each version of Windows creates new ones.

Andy: ...is that they all have two extensions, the original document extension and (I suspect) one added by the worm.

Radu: Correct. To be precise, this worm uses files of types: .doc, .jpg, .mpg, .pdf, .png, .ps, .mov, .zip to mask its passage. The list is exhaustive, I got it from the code :)

Andy: The added ones include: .com, .lnk, and .pif . I wonder if there others.

Radu: Complete list for this worm: .pif, .lnk, .bat, .exe, .com

Andy: So you need to make your rule a *whole* lot more complicated at least.

Radu: Right. I know that there are other extensions which could be used to trick the system into running the code. Maybe I should work a little on my rules and post a complete set on my web site. :)

Andy: 2. Your web mailer is not catching all the malignant code.

Radu: Sure it's not. But at least it allows me to choose what I open and what I don't. AND any harmful code resides on the mail server and not on my computer.

Andy: At least two messages have got by it.

Radu: The old-fashioned ones. My guess is that the one that was caught was using some form of server-side Java 'feet'.

Andy: [ViruScan] is catching some versions of the worm, however, which is good. I don't know if Carleton scans incoming attachments for viruses.

Radu: I'll repeat: no scanner can catch polymorphic viruses, or new versions for which the scanner doesn't have signatures.

Andy: 3. Your web mailer is opening the first attachment. Isn't this risky in itself?

Radu: No. That is an "attachment" because it is html format. It's done so in order to "blind" the user into opening the actual attachment out of inertia.

Andy: On the .bmp file you sent: it shows as 528K in the mailer but only 385K saved to disk.

Radu: Any binary file is "hex-ed", transformed into text-only format before being sent through email. That is usually done by transforming 8-bit bytes into 7-bit ones, thus effectively increasing the size of the file by 1/8 and a little more for the header and footer.

For more on hackers, you can read this bit.

Unusability

Most people are lazy. They go to software to do things they can't do by other means, or if they want to do it faster or more accurately. But who writes the software? Programmers, who are even lazier (that's why we're programmers, right?) So they write software their way: they are trained to think very much like the computers they work with (because they are continuously facing the limitations of computers), and they understand them too well; also they deal with piles and piles of algorythms and half-baked standards, they work under pressure, in teams where the credit gets distributed very rarely in fair ways, most of the time they don't get with the people they're writing for and the feedback gets lost in hierarchical bottlenecks, and so on. There are many reasons why user interfaces suck. What is obvious, though, is that in the process of understanding and working with the computer, they lose track of the human needs and limitations their software was supposed to address. Or if they don't, they struggle for a while against the bureaucracy that's making a much better living on their backs, until either they crack under pressure or they go out to try to make a living for themselves. And sometimes the giants crush them, sometimes they buy them out, and very rarely do concepts like Anderson's HTML or Kai Krause's novel interfaces make it to the general public, only to be later integrated in "the machine" or forgotten when their champion tires of the fight.

Evaluation

On Thu, 24 January 2002, "Richard F. Dillon" wrote: 
> "It's my experience that neither users nor customers can articulate what  
> it is they want, nor can they evaluate it when they see it."	What do you  
> think? Alan Cooper makes a big distinction between interface designer and  
> interaction designer. What do you think?

From my experience it's true that customers (e.g. management people, IT support personnel, etc.) have no idea what features the actual users need and the users themselves have a hard time articulating what they need or even suggesting ways their needs may be met.

The evaluation side is trickier: nobody can properly evaluate a complex piece of software or a complex interface in the short span theoretically allocated to confirmation studies. Sometimes it takes weeks only to get even an inkling of what a package like a DBMS system allows, and that if you have prior experience with other DBMS packages or if you really *know* the principles of DBMS. Same for editors (programming, text, graphical, sound), process controllers, etc.

On the distinction between interaction and interface, I think he chose his terms badly. I think I ran into the distinction he means while I was working at StudioVISIA, a professional Web editing company where I was supposed to coordinate a couple of excellent artists and a bunch of programmers. Obviously all interfaces do is facilitate interaction. But a good functional-oriented designer does not necessarily have the artistic prowess necessary for arranging functional controls and extra gingles'n'bells in an aesthetic layout. The same way, an artist may not know how to choose the right labels for controls, or select the right control type for the right job, etc. A truly usable interface should be both easy to use AND pleasant to work with, but it's almost impossible to find someone who really thinks both functionally and artistically. Make sure you have a sound card, a Flash plugin, and take a look at http://www.giger.com The interface (top and left) took 3 artists and 5 programmers, and it's still being re-evaluated :)