Common sense, as applied to document exchange

It is well-known that certain types of file are capable of including code which a computer may blindly execute, which can be used to spread virii, and may cause significant loss of data or even send private data by email to a third party.

Furthermore, if a company becomes infected by a virus which then resends itself to all of that company's customers, it can be extremely bad for customer (and public) relations.

To protect your company's data and privacy, and also the company's image, it is extremely important to ensure that you are not vulnerable to such attacks.

The only safe way of ensuring this is to apply some common sense to the exchange of data and other files, especially in email. We're citing email here because it's the most common form of data exchange these days, but files on a floppy disc or CD-ROM, or indeed any other medium, should be treated identically, using the guidelines set out below.

Files which are currently considered to be 'dangerous' include:

        *.EXE   - Windows Executable
        *.COM   - DOS Executable
        *.BAT   - DOS Batch file
        *.DOC   - Microsoft Word document, which may include macro virii
        *.LNK   - Windows Link files
        *.SCR   - Windows Executable (screensaver)
        *.XLS   - Microsoft Excel document, likewise
        *.VBS   - Visual Basic Script
        *.VBE   - Encoded Visual Basic
        *.WSF   - Windows Scripting File
        *.WSH   - Windows Scripting Host Settings file
        *.WSC   - Windows Script Component
        *.JSE   - JavaScript

There used to be a more complete list on Microsoft's web site at http://officeupdate.microsoft.com/2000/articles/out2ksecFileTypes.htm, but that page no longer appears to exist.

The general rule is: You should NEVER accept or send documents of these types.

If you accept such a document, and it turns out to have a virus, then you may be personally responsible for the deletion or publication of the whole of the contents of the company's network. This is a BadThing(tm).

If you send such a document to a customer, you may only be responsible for the destruction or publication of all of their data - which is less catastrophic, but still not particularly good for your company's image (or your sales to the happy recipient of your document.)

There may be exceptions to this rule, but they are few and far between. The only two filetypes whose presence in the above list is likely to upset you frequently are Word and Excel documents. However, almost all the time when you may previously have blithely sent a Word or Excel document, you'll find that you could easily have saved it in another form first.

Note that you should also ensure that you use a format which the recipient will be able to read without trouble. Using proprietary formats such as Microsoft Word or Applix for sending documents to anyone who hasn't previously agreed to accept them in that format is impolite.

As a guideline, here are some of the alternatives:

For a word processor document:
1. If it doesn't contain any important formatting, then then send it as plain text. It's far easier for people to deal with it like this.
2. If it contains some formatting, but isn't particularly complex, then send it as Rich Text Format (RTF), which is a safe, but quite simple, standard format.
  You can check the suitability of RTF by saving as RTF and then re-loading the document yourself.
3. If the formatting is complex and important (contains many tables etc.), and if the recipient does not need to edit the document, then you could print it to a PostScript or PDF file and send it like that.
4. If the formatting must be preserved AND the recipient must be able to edit the document, then PERHAPS you have a case for sending it in the native format. Before doing so, you must:
  - find someone near you in posession of a clue, and get them to confirm that there is no viable alternative
  - obtain confirmation from the recipient that they are happy to accept it in such a format. They may be able to suggest an alternative format
For a spreadsheet:
1. If it contains only data, and no formulae, then you can save it as Comma Separated Values (CSV). If the recipient is not going to be editing the data, then even if the sheet contains formulae then this will be OK, because the CSV file will contain the last calculated value of the formula in each cell.
  As with RTF above, you should save your file as CSV and then import it again to check that it is OK.
2. If you must regularly exchange data which are to be edited, and need to keep the formulae intact, then you should set up a template for the sheet, with all the formulae present, into which only the numbers need to be imported. Then exchange this template once only, and subsequently exchange only CSV files with only the changed data.
3. For one-off transfers of complete spreadsheets, the rules are the same as with exchanging word processed documents:
  - get someone with a clue to confirm your assessment
  - obtain confirmation from the recipient that they are happy to accept it the native format of the spreadsheet program you are using. They may be able to suggest an alternative format

When you receive documents by email or other means, you should also use these guidelines. If the document has been sent in an unsafe format, then you should only accept it under the following conditions:

You know exactly what the nature of the document is and you were expecting it to arrive.
It is absolutely necessary (according to the above guidelines) that the document be exchanged in an unsafe format, rather than one of the many alternatives.
AND
You know and trust the sender - not only that they are not malicious, but you know that they operate a responsible policy with regard to exchange of documents and that they are entirely safe from virii and could not be accidentally sending an infected file.
(N.B. This is almost never the case, but may be true for exchanging documents with another site of your company, if that site is also following these guidelines to the letter)

If any one of these three conditions is not met, then you must first ask the sender to resend the document in an appropriate form if possible, or if it was absolutely necessary to send the document in a dangerous form, then you should consult a system administrator who will verify the safety of the document in a safe environment before allowing you to use it.

I'm aware that these rules can sometimes be a pain, but they're absolutely necessary to protect the integrity of your company's data. Virii carried in the form of executable content in data files are becoming increasingly common, and it is negligent to continue to exchange such files as if there were no threat.

Most exchange of such documents is the result of either ignorance or laziness on the part of both the sender and the recipient. The ILoveYou virus has rendered the ignorance excuse invalid - everyone is now aware of the potential for disaster.

That only leaves "laziness". If you are prone to laziness, it may help if you bear in mind that this could be considered to be wilful negligence. If you have signed an NDA undertaking to protect certain data, and you accept such a document without good reason, resulting in the publication of that data, then you could be held personally liable for any damage caused. Likewise, if you send infected documents to a customer, causing loss of face for the company, you could be dismissed and pursued for damages.

It's not that difficult to use a sensible format for exchanging data. Please - do us all a favour and get a clue.

David Woodhouse

Last modified: Sun Feb 18 19:27:45 GMT 2001