Phillip Torrone of Engadget gets two things wrong in a post this morning, “How-To Tuesday: Disable AutoRun on Windows!”, and because Boing Boing picked up his post, the misinformation is going to get amplified mightily. He says:
Yes, this is a bit of a repost from our post Monday, but we feel disabling Autorun is extremely important. By default Windows will automatically look for a file called Autorun.inf on any CD you pop in to your system, we’ve always known this is a big security issue as there are a lot of spyware and viruses distributed on CDs, you read about this every week. In fact, Microsoft is even disabling this in their next security focused service pack.
This is then followed by detailed instructions on how to edit the Registry to disable AutoRun.
Where to begin…?
First, name a single virus in the past five years that has been distributed via CD. I vaguely recall some Microsoft CDs issued to the press in 1997-98 that contained Word documents that had been infected with Melissa or some such. Nothing at all since that time, and I pay close attention to that stuff. So the idea that we should all be petrified over the prospect of a CD transmitting a virus is … let’s call it silly. And as for spyware — typically it gets installed when you visit a Web site or when you install a program. If you voluntarily install a program that you receive on CD, it could install spyware. Disabling AutoRun won’t stop that in any way.
Second, AutoRun on CD hasn’t been disabled in the latest security pack. You do get a security dialog box, but that’s it.
Ah, if you read further into the article you see what this is about. Not viruses or Trojan horses, but copy protection. Seems that a new RCA CD is using a copy-protection scheme called MediaMax, which relies on Windows AutoRun. As Phillip points out in his story, however, you can disable AutoRun on any CD, any time you want, by just holding down the Shift key as you insert it.
Finally, he says, “Please, tell everyone to disable autorun, use our email option, IM your pals, whatever it takes.”
Please don’t.
good points, we don’t need to agree on everything.
there have been viri on cds…some in the usa, a lot more from around the world where people distribute software via cdrs. here are a couple from a little while ago….
“virus warning: “pc gamer” infected cd”
http://www.stiller.com/pcgamer.htm
“virus found on developer magazine cd rom”
http://www.sophos.com/virusinfo/articles/devreview.html
but yah- there aren’t many viruses on cdroms- the fact is there has been and will be. i’ve never had my car broken in to, should i never lock my doors? maybe.
the point is, popping in any disc on many computers means things can be installed without your knowledge or even understanding what it is.
software that stops users from making mp3s of cds they buy, to me, seems malicious. it’s not clear what the software does and according to the docs, if it messes up your computer, it’s not their problem. these are not criminals, they’re customers, they bought the cd.
autorun -is- about to be disabled by default on the new versions of windows, at least that is what the folks who i’ve spoken with at microsoft have indicated and in the longhorn preview i’ve used. if it’s a security box in the end, great, obviously this is an issue.
the article -is- about viruses, trojan horses and copy protection. the point is autorun can do things you might not know, install things that do things you don’t want and autorun periodically pings the cd or dvd taking up resources. all things folks don’t usually like.
mac users don’t need to deal with this, why should windows users be punished?
Please do!
Have you played a “copy protected” music CD on your computer lately?
Take a look at the controversy surrounding the latest release from Beastie Boys, then examine the installs, etc., associated with the various protection schemes being touted by the industry.
Disabling autorun is the ONLY way to prevent this stuff being loaded.
OK, Phillip’s links prove my point. One is from 1998, the other from 1999. In other words, 5-6 years ago. Both were Word macro viruses, which are simply impossible to spread using modern software.
The Trojan horse programs being discussed are not being installed automatically. They are being installed with the cooperation of the user. Longhorn does not disable AutoRun, it simply makes it more difficult for a user to choose to install a piece of software.
This is not about AutoRun, this is about user education.
ed-
i never disagreed with your point about the number of viri, worms and trojan horses on cdroms. in the usa, it’s not a huge issue, but it could be. microsoft -is- updating their os to be more secure which includes killing off autorun (again, the preview of longhorn i’ve used had it disabled). we all know mac os killed off autorun as well, the only major mac virus was from an autorun/autostart type issue.
it -is- about user education. no one knows what these “autorun” apps do exactly and the companies that make them say “if it breaks, not our prob”. we need to get folks educated about what they’re putting on their computers, part of that is disabling a feature that targets windows users only.
cheers,
pt