Subject: IP: How not to distribute white papers OR WILL THEY EVER LEARN Risks Digest 20.90
>Date: Thu, 1 Jun 2000 17:45:34 GMT
>From: rubin@research.att.com (Avi Rubin)
>Subject: How not to distribute white papers
>
>I was reading a white paper from Microsoft about Windows 2000 security.
>In particular, I am interested in how the Encrypted File System (EFS)
>works. Someone at Microsoft informed me that there was a new version of
>the white paper available at
>
>http://www.microsoft.com/windows2000/library/howitworks/security/encrypt.asp
>
>Great. I went to that site, and I found a copy of the introduction and a
>link to the paper. The only catch was that the only way to download the
>paper is to download a file called encrypt.exe. Once you download this file,
>you can run the program, which unzips a word file. Obviously, Microsoft is
>doing this to save storage space on their server and to reduce latency on
>the downloads.
>
>Of all companies, Microsoft should be the last one to encourage users to get
>into the habit of downloading .exe programs and running them. The way I
>handled it was to download the file to a sacrificial machine that I use for
>this purpose. Then, I took it off the network and ran the program. I then
>physically copied the .doc file to a floppy and transferred it using
>sneakernet to my regular PC. Of course, I was still taking a chance. If the
>downloaded program were malicious, then it could do its damage the next time
>I connect the machine to the network. The problem is that it is very
>difficult to know that a program is harmless, just because it does something
>that you expect it to do. I could not believe that this is how Microsoft
>distributes its white papers. It is beyond comprehension.
>
>Avi Rubin
>
>http://avirubin.com/