XYplorer Beta Club

Hallgren:

SkyFrontier wrote:
On the other hand, why the hell a FILE MANAGER should behave like a web browser?

Maybe because in this case, that's what a user is normally asking it to do?

Of course! I am not voting for banishing the thing. I'm voting for a secure environment to work with in first place, THEN user will decide how far he wants to go despite the risks. So it will not be XY fault, in the event of a disaster.

Erm.. I see no point in warning before previewing files. This is just needlessly coddling the user. Just accessing files through any software can cause infection.

Should XY also warn you before running/opening any item, because you might infect your machine?

There's the new vulnerability that only requires that Windows attempt to extract a lnk/pif's icon to exploit the machine, should XY now disable non-generic icons by default and then sound the sirens and flash the screen to warn the user when they change this setting?

The user needs to start acting responsible instead of blaming their tools all the time.

Might as well just convert XYplorer to a single dialog: "The mere act of using a computer could lead to it being infected by a virus. To protect you XYplorer insists you turn your computer off and go outside."

SkyFrontier wrote:

Hallgren:

SkyFrontier wrote:
On the other hand, why the hell a FILE MANAGER should behave like a web browser?

Maybe because in this case, that's what a user is normally asking it to do?

Of course! I am not voting for banishing the thing. I'm voting for a secure environment to work with in first place, THEN user will decide how far he wants to go despite the risks. So it will not be XY fault, in the event of a disaster.

1. If I'm opening a web file on my computer, it's highly likely that it's been opened before in a web browser and then saved. If it was a security threat, you would have already been exploited.

2. If we want to protect users from security threats, then we have to apply the same rationale to lots of file formats.

3. With the above said, I can see a use where a user might want to inspect potentially dangerous files. Maybe a separate entry in the preview format that allows users to list which extensions should have a warning on the preview page before the file is loaded?

I'm a bit skeptical here...

When I "Preview" a textfile it's "browsed", i.e. not opened in Editor.
But when I "Preview" a html-file it's "executed" in IE?

Shouldn't doubleclick be enough for "Execute"? And Preview only preview (the text)?

This said with respect to the security issues shown by SkyFrontier...

PeterH wrote:When I "Preview" a textfile it's "browsed", i.e. not opened in Editor.
But when I "Preview" a html-file it's "executed" in IE?

Correct. It's like an email client that has a "preview" pane. It has to open (download) the entire email into your computer and then render it as if you opened it in a separate window.

cpusrvc wrote:

PeterH wrote:When I "Preview" a textfile it's "browsed", i.e. not opened in Editor.
But when I "Preview" a html-file it's "executed" in IE?

Correct. It's like an email client that has a "preview" pane. It has to open (download) the entire email into your computer and then render it as if you opened it in a separate window.

If I understand you right, I disagree!

If I want to edit a file, I double click.
If I want to see ("exec") a web-page I double click.

Shouldn't "Preview" be something else? I think even the name implies that?

TheQwerty:

Erm.. I see no point in warning before previewing files.

Only one time, TheQwerty. Defaults to .txt/raw/code and warns when enabling live preview. Easy like that, unobtrusive like that. Safe like that.

TheQwerty:

Should XY also warn you before running/opening any item, because you might infect your machine?

That's not the case, since "running/opening" involves a decision.
Previewing a file simply "happens" when you have the preview pane open. If you happen to stumble upon an infected file, the whole thing starts no matter if you have chosen to or not. But this will only happen with "live preview", in certain cases. Depends on how the file manager/program deals with what it is showing. I do not preview anything, by the way. Not my fight.

PeterH wrote:

cpusrvc wrote:

PeterH wrote:When I "Preview" a textfile it's "browsed", i.e. not opened in Editor.
But when I "Preview" a html-file it's "executed" in IE?

Correct. It's like an email client that has a "preview" pane. It has to open (download) the entire email into your computer and then render it as if you opened it in a separate window.

If I understand you right, I disagree!

If I want to edit a file, I double click.
If I want to see ("exec") a web-page I double click.

Shouldn't "Preview" be something else? I think even the name implies that?

To edit a TXT file, it must be opened and then the program allows editing. TXT also has no active elements. Viewing an HTML file, so that it looks correct, involves showing the active elements. To not do so, is to show the raw text in the file. Consider previewing a music file. It has to interpret the data in the file and then creates the sound. TXT files are raw, no processing to them. Editing is entirely different process though it usually (but doesn't have to) include viewing.

cpusrvc:

Viewing an HTML file, so that it looks correct, involves showing the active elements.

Just to clarify: it can execute external or internal files, doing whatever they were programmed to do.
That's why browser-based e-mail disable even the viewing of "innocent" image files, THEN giving user option to show live content as it is. User decision, and they will never be blamed for anything...
I afraid auto previewing and avoid it as the devil. If I want to see anything, I do that by CONSCIOUSLY choosing to do so. Suspect files? Sandboxie. And even then with extreme caution... So far, I had ONE single infection on a machine using such procedures - and that happened thru a bad-a$$ code that caught my VACCINED pen-drive/"all autorun off" system. Hats off to the coder - I hate him!

SkyFrontier wrote:TheQwerty:

Should XY also warn you before running/opening any item, because you might infect your machine?

That's not the case, since "running/opening" involves a decision.
Previewing a file simply "happens" when you have the preview pane open. If you happen to stumble upon an infected file, the whole thing starts no matter if you have chosen to or not. But this will only happen with "live preview", in certain cases. Depends on how the file manager/program deals with what it is showing. I do not preview anything, by the way. Not my fight.

Previewing from a fresh copy of XY also takes decisions.
1. You have to open the IP and set it to the Preview pane for it to happen automatically. OR You have to explicitly say Preview this item.
2. You have to focus the file to preview. (Navigating in/out of folders doesn't trigger the preview.)

And just showing the icon is enough to exploit all versions of Windows since XP... so what now?


Maybe XYplorer should monitor everything I do and pop up a little animated character, perhaps a paperclip or a dog, that can provide me with some guidance and warn/prevent me from doing anything that might be dangerous.

TheQwerty wrote:And just showing the icon is enough to exploit all versions of Windows since XP... so what now?

I believe that issue goes futher back than XP...I know that my W2K is vunerable.

Maybe XYplorer should monitor everything I do and pop up a little animated character, perhaps a paperclip or a dog, that can provide me with some guidance and warn/prevent me from doing anything that might be dangerous.

And remember that XY users are not likely to be as clueless as the avg user who clicks on anything...so if they do something that may be hazardous, then it was a willing choice...besides, how would the HTML that is being previewed get on users system to begin with as someone else said? Most likely from a "Save" from a browser so it's ALREADY been opened and any issues should have been flagged at that point.

SkyFrontier wrote:
On the other hand, why the hell a FILE MANAGER should behave like a web browser?

Here's a simple solution if you don't want XY to preview dangerous formats: just disable those formats in Config | Previewed Formats and then it's just as you want.

j_c_hallgren wrote:

TheQwerty wrote:And just showing the icon is enough to exploit all versions of Windows since XP... so what now?

I believe that issue goes futher back than XP...I know that my W2K is vunerable.

I thought it did as well, but Microsoft's security vulnerability doesn't go further back, or maybe they only show those OSes that they still support?

TheQwerty wrote:Erm.. I see no point in warning before previewing files. This is just needlessly coddling the user. Just accessing files through any software can cause infection.

Should XY also warn you before running/opening any item, because you might infect your machine?

There's the new vulnerability that only requires that Windows attempt to extract a lnk/pif's icon to exploit the machine, should XY now disable non-generic icons by default and then sound the sirens and flash the screen to warn the user when they change this setting?

The user needs to start acting responsible instead of blaming their tools all the time.

Might as well just convert XYplorer to a single dialog: "The mere act of using a computer could lead to it being infected by a virus. To protect you XYplorer insists you turn your computer off and go outside."

Excellent. I like this.