Tuesday, February 20, 2007

Thanks for ruining it for the rest of us, guys!

Behold the power of stupidity on the internet, as I tried to e-mail a university computer science assignment to my professor:


 

https://mail.google.com

OlivierDagenais-Assignment1.zip contains an executable file. For security reasons, Gmail does not allow you to send this type of file.

I can sort of see how something like this could have come about: logs show users e-mailing executable files of various degrees of maliciousness.  Google reacts by deciding one malicious executable file is one too many and refuses to accept executable files as Gmail attachments.

Some clever user then thinks "My nefarious H@xx0Rz.EXE must be e-mailed to my clueless buddies... I know: I'll just zip it!".  Google notices again and here we are.  Encrypting my ZIP file would probably do nothing as you can list the names of the files without the key and so Google's clever little ZipSecurityPeeker.py only needs to check for the presence of files ending with .exe.

I ended up submitting the assignment using another e-mail account. I bet I could have CCed my Gmail account and received the "insecure" attachment no problem.

UPDATE: Whoa! I didn't even have a .exe file in my ZIP archive! I have some .bat, some .cmd and some .pl, as well as one or two shell scripts without an extension. Most of those files, incidentally, shipped as part of Apache Ant, which I included in my assignment's ZIP archive so the professor wouldn't have to go hunt it down, install it, etc.
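The point above about encrypted ZIP files, as an added example that is not part of the original post and is not Gmail's code: a ZIP archive's central directory stores every file name in cleartext, with bit 0 of each entry's flag field marking encrypted data, so a mail filter can read the names without a password. The blocklist, the function names and the sample file names are assumptions made for illustration.

```python
import io
import struct
import zipfile

# Assumption for illustration; the post does not give the list Gmail really uses.
BLOCKED_EXTENSIONS = (".exe", ".bat", ".cmd")

def list_central_directory(data: bytes):
    """Return (name, is_encrypted) per entry, read without any password.
    ZIP64 and multi-disk archives are not handled."""
    eocd = data.rfind(b"PK\x05\x06")              # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a ZIP archive")
    count, _size, offset = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(count):
        if data[offset:offset + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, = struct.unpack_from("<H", data, offset + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, offset + 28)
        name = data[offset + 46:offset + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x1)))  # bit 0: entry data is encrypted
        offset += 46 + name_len + extra_len + comment_len
    return entries

def blocked_names(data: bytes):
    """Names a filter that only looks at extensions would reject."""
    return [name for name, _enc in list_central_directory(data)
            if name.lower().endswith(BLOCKED_EXTENSIONS)]

def build_sample() -> bytes:
    """Constructed sample archive. Bit 0 is set in each central-directory flag
    field, as an encrypting tool would do; the data itself is not encrypted."""
    names = ("ant/bin/ant.bat", "ant/bin/ant.cmd", "ant/bin/runant.pl",
             "ant/bin/ant", "src/Main.java")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02")                # first central-directory header
    while pos >= 0:
        data[pos + 8] |= 0x01
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)

if __name__ == "__main__":
    for name, encrypted in list_central_directory(build_sample()):
        print(name, "encrypted" if encrypted else "plain")
    print("blocked:", blocked_names(build_sample()))
```

The extensionless script in the sample is not flagged, which is the limit of a filter that looks only at names.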

UPDATE 2: Nope, I can't receive it either because I apparently broke the law:


Your message cannot be delivered to the following recipients:

(...)
Reason: SMTP transmission failure has occurred
Diagnostic code: smtp;552 5.7.0 Illegal Attachment c5si5493294qbc
(...)
