Two Slashes

If you’re reading this, the topic of Windows 7 has probably already been worn so thin it’s liable to be used as the cling-wrap protecting your next party dish.  If it has, I apologize in advance.  If it hasn’t…well, I’ll put up money towards the first person who isn’t tired of a Microsoft-branded discussion by the end of this.  Oh, and the Geeky categorization?  It’s been earned at least three times over in this post, so avoid at all costs if you don’t want to be wearing a confused look for the next month.

The release candidate for the next version of the must-have-if-you-work-in-an-office-setting operating system has been put out and the critiques are already coming in.  (In short, they can be summed up as saying that Windows 7 is the better-looking younger brother to Windows Vista, though they’re both of about equal intelligence, but that’s beside the point.)

The group of people I’ve been most concerned with hearing from regarding the operating system upgrade is security researchers.  Given that this is a field I take  a reasonable amount of interest in, I’m actually rather alarmed that the only topic I seem to be watching pop up is the same “issue” that’s plagued Windows for over a decade.  And yes, those quotation marks are intentional and completely reasonable.

Once upon a time, there was DOS and Windows 3.1.  You were limited to 11-character filenames in the “8-dot-3″ format, where the first 8 characters were a user-specified name for the file and the last three were an extension denoting the type of file it was.  Then came Windows 95, and lo and behold the world was amazed that you could have these amazing 255-character filenames (which were really just an overlay to the old 8-dot-3 system) and give your files reasonably descriptive names!  And you could use punctuation (granted that the punctuation you wanted wasn’t a question mark, backslash, forward slash, pipe, or any of another two or three characters) too, which made things even better!  Sure, the file extensions were still there (and are to this day, as is the legacy 8-dot-3 filename), but nobody complained for they could name their files “My Letter To My Boss About Me Quitting Next Week.doc” and all was right with the world.

Of course, nobody complained until this file extension voodoo was abused.  You see, Windows defaults to a setting where you don’t have to see those ugly file extensions because they take up screen space and confuse newbies.  And, in my book, it’s a reasonable expectation that most people don’t want to see them.  (For the record, I turn this functionality off, but that’s a whole different topic.)

With the advent of the Internet, people (even the newbies) have been blindly trained to start recognizing certain file extensions for what they are anyway, even if they aren’t technically inclined to do so.  For example, even if you aren’t a geek, I’m sure you know what a .jpg, .gif, .doc, or .zip at the end of a filename denotes.  It’s useful knowledge, even for someone who prefers things that Just Work™.

Expanding this same notion to the contents of a user’s local files, that user is just as unafraid and accepting of seeing .jpg as they are online to the point where they don’t even think twice.  After all, what’s the worst thing that could come out of an image?  Porn?  An old photograph of Aunt Millie?

If you answered in the affirmative to either of those two suggestions, most people would urge you to jump off of the nearest highway overpass, though I’ll accept either of those as correct answers.  This giant group of security researchers, some of whom work for the same companies that ultimately provide the software your favorite pimply-faced Geek Squad employee will be installing on your next PC, have nothing better to do with their time than to complain about a well-intentioned feature.

I cannot count (on one hand, at least) the number of articles I have seen recently (like this one) that cry “Wolf!” over a trivial morsel like hiding file extensions only to have a piece of malware call itself “AuntMillie.jpg.exe.”  And here’s where my post title comes into play.  Is it Microsoft’s fault for adding what amounts to a (in my opinion) useful feature?  Is it the Symantec and McAfee developers (to name the recognizable duo, though just about any security suite provider should be included here) who kindly will alert you that you installed Cain (and then promptly remove it) but refuse to sound an alarm or do anything about legitimate malware (I’ve had this issue)?  Is it the end user for not disabling the feature and being vigilant and knowing what they’re doing?

I suppose we’ve become too dependent on file extensions for me to suggest that Microsoft ditch the idea, join the Unix crowd, and start using the contents of the file to figure out what it is rather than its name.  For example, web servers will use the file extension to determine what type of file you’re requesting and whether anything needs to be done (like executing it) before it gets passed along to the end user.  Granted, file extension hackery can be fun (who knew), but it would be a small price to pay (and the files would still be accessible by other applications, so it really doesn’t even ruin the fun).

However, it seems perfectly reasonable to me to demand why these same security gurus are not busy including a feature of their own to warn of questionably-named files.  I can think of few legitimate reasons for someone to have two or more extensions appended to their filename, so warning of files that end in “.txt.exe” on creation or execution probably isn’t a bad idea.

And to think that I've done more work in thirty seconds with the Visual Studio form designer than the security gurus have in over a decade. (For the technical: Yes, I realize that user conventions would switch the position of these buttons. However, you don't want anyone going to the "Yes" button out of habit, do you?)

If I wasn’t starting my final exams tomorrow, I’d probably write a proof-of-concept that accomplished this simply because I don’t know of anything similar that already exists.  (On the other hand, it is something for me to work on rather than study… )

For a group of security-focused people, their intentions are in approximately the right place.  However, they seem to be forgetting that there’s more to computing (and life) than three or four extra characters on a screen and the bright intentions of a few developers in Redmond.

(Cripes, and to think I would be writing over one thousand words in defense of Microsoft…  I really must be off my rocker.)