On 8/2/07, Nicholas Moreau <nicholasmoreau(a)gmail.com> wrote:
People can,
and have, externally linked to malicious software from our sites.
I remember the time that hit the news about three months ago, and
almost all outlets wrote the software was actually uploaded to our
site.
Yes and that wasn't accurate.
Of course,
that can happen anywhere on the net and users (and their
browser software) should be smart enough not to execute such code, but
Wikipedia looks rather respectable so people may be more inclined to
bypass security measures based on something on our site.
Okay, so none of this stuff would be automatically loading, it would
all be "This site is requesting you activate ****.*** [Yes] [No]" sort
of thing?
Right. It would be a 'click the link', then your browser would
download and say 'Are you sure you want to run this probably malicious
software, "Brittney_spears_boobies.exe"?', then the user clicks yes.
;)
At the moment
there are 209 external links to .exe files from the main
namespace of English Wikipedia.
Is there a list of where these links are, so they can be reviewed?
I've listed them in the past and went through and fixed a bunch of
them myself. I think there were far fewer then and I removed many of
them... :(
I've put up a list:
http://en.wikipedia.org/wiki/User:Gmaxwell/extff/exe
You can see the older version in the history of the page. I think
that might have been the list after I'd already made one pass at
removing them.
Or
have they indeed already been reviewed? If they're linking to freeware
or open source programs, for example, they likely should all be
linking to a product page, not directly to the download.
You are absolutely correct.
I'd say we should deny, by policy and possibly technical means,
external linking to URLs with certain names or which transmit certain
MIME types...
Actually pulling it off might be hard: a number of the .exe files are
really just ZIP files converted into self-extracting archives. The
data in them may not be easily available in other forms. There is
almost certainly a launch page for these, but finding them when all
you know is the deep link name can be hard.
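The technical measure discussed in this thread (refusing external links whose URL names an executable, or whose server transmits an executable MIME type) could be prototyped as a link filter run over wikitext at save time. The following is an added example written for this page, not code from MediaWiki or from anyone in the thread. The extension and MIME lists, the sample wikitext and the Content-Type values are constructed for the example; the thread itself only mentions .exe. It shows the cases an extension check has to get right (uppercase, query strings, fragments, percent-encoded dots, trailing sentence punctuation) and the case it cannot catch without a Content-Type (a script such as get.php that serves the binary).

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed list of extensions to refuse; the thread only discusses .exe.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".pif"}

# Constructed list of MIME types commonly served for Windows executables.
# A Content-Type is only available if the filter fetches headers at save time.
BLOCKED_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}

# Matches both MediaWiki external-link forms: bare URLs and [url label].
EXTLINK_RE = re.compile(r'\[?((?:https?|ftp)://[^\s\]<>"]+)')

# Constructed sample wikitext, not taken from any real article.
SAMPLE_WIKITEXT = """
See the [http://example.org/projects/foo/ project page] for details.
Download: http://mirror.example.net/files/FooSetup.EXE?mirror=2
Also [http://example.org/get.php?file=bar.exe direct download] and
the archive at http://example.org/bar.zip.
"""


def extract_external_links(wikitext):
    """Return the external link targets found in wikitext, in order."""
    links = []
    for match in EXTLINK_RE.finditer(wikitext):
        # A bare URL at the end of a sentence drags the punctuation along;
        # MediaWiki's free-link parser excludes it, so do the same here.
        links.append(match.group(1).rstrip(".,;:!?"))
    return links


def url_extension(url):
    """Lower-cased extension of the URL's path component, e.g. '.exe',
    ignoring query string, fragment, case and percent-encoding."""
    path = unquote(urlsplit(url).path)
    last_segment = path.rsplit("/", 1)[-1].lower()
    if "." not in last_segment:
        return ""
    return "." + last_segment.rsplit(".", 1)[-1]


def is_blocked_url(url, content_type=None):
    """True if the URL names a blocked extension, or if a known
    Content-Type for it (with any parameters stripped) is executable."""
    if url_extension(url) in BLOCKED_EXTENSIONS:
        return True
    if content_type:
        mime = content_type.split(";", 1)[0].strip().lower()
        if mime in BLOCKED_MIME_TYPES:
            return True
    return False


def flag_executable_links(wikitext, content_types=None):
    """Return the external links in wikitext that the filter would refuse.

    content_types optionally maps URL -> Content-Type header, as a save-time
    HEAD request would supply; without it only the URL name is checked."""
    content_types = content_types or {}
    return [
        url
        for url in extract_external_links(wikitext)
        if is_blocked_url(url, content_types.get(url))
    ]


if __name__ == "__main__":
    print("by name only:", flag_executable_links(SAMPLE_WIKITEXT))
    known = {"http://example.org/get.php?file=bar.exe": "application/x-msdownload"}
    print("with Content-Type:", flag_executable_links(SAMPLE_WIKITEXT, known))
```

On the sample text the name check alone catches only FooSetup.EXE; the get.php link is caught only when the server's Content-Type is known, which is the cost of the "transmit certain MIME types" half of the proposal: the filter has to make a request for every new external link, and a redirect or a server that lies about Content-Type still gets through.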