Dumb users spread viruses

The 'nothing to do with me' mob are the major offenders, making up 90 per
cent of the 1,000 UK employees surveyed. This vast majority believe that
they have no part to play in preventing the spread of viruses, and that
it is the responsibility of the IT department, Microsoft or the government.

Almost two thirds (60 per cent) aren't aware of even the most basic
virus-protection methods and one third claims to be too busy to bother -
even if they knew how.

http://www.silicon.com/software/security/0,39024655,39118228,00.htm

Date: Sun, 8 Feb 2004 15:41:53 -0500 (EST)
From: Sean Donelan

> http://www.silicon.com/software/security/0,39024655,39118228,00.htm

Not surprising. In our experience, "I'm not concerned about
security, because I don't have anything really important on the
computer" is all too common of an attitude.

Most of our users are reasonable, however. With a little
explanation about the harm an insecure computer can cause, they
understand and accept the fact that they're not islands.

Of course, many still get infected with spyware and viruses. At
least they're willing to have their computers repaired... better
than nothing, but still not as good as being proactive. :-/

Eddy

> http://www.silicon.com/software/security/0,39024655,39118228,00.htm

The puzzling thing about this is the basic assumption (by the author of
the article) that computers are fragile and infection-prone and that users
who don't know how to protect them are somehow part of the problem.

At the moment I'm on a moderate rampage against anti-virus companies, for
four reasons:

1. "free" anti-virus software that comes with new computers these days is
usually time-locked such that after N days of service, the user has to pay.

2. anti-virus software makes booting, rebooting, logging in, logging out,
and sometimes just general operations, amazingly much slower.

3. since they're pattern matchers, it's almost always nec'y to update the
virus definitions AFTER a new virus is in the field, to get any "protection."

4. the mail-server versions of these packages inevitably send e-mail to the
supposed sender, even though they know this address is inevitably forged.

In this past year's tour of my friends and family, I've taken to removing
their antivirus software at the same time I remove their spyware, and I've
taken to installing Mozilla (with its IMAP client) as a way to keep the
machine from having any dependency on anti-virus software. IT managers are
encouraged to consider a similar move next time they're asked to approve
the renewal costs of a campus-wide anti-virus license.

There is nothing wrong with a user who thinks they should not have to know
how to protect their computer from virus infections. If we (the community
who provides them service and software) can't make it safe-by-default, then
the problem rests with us, not with the end users.

> There is nothing wrong with a user who thinks they should not have to know
> how to protect their computer from virus infections.

Thank you, you made my day! Now I know that my judgement isn't clouded by
the severe chest cold I am suffering from.

Adi

> In this past year's tour of my friends and family, I've taken to
> removing their antivirus software at the same time I remove their
> spyware, and I've taken to installing Mozilla (with its IMAP client) as
> a way to keep the machine from having any dependency on anti-virus
> software. IT managers are encouraged to consider a similar move next
> time they're asked to approve the renewal costs of a campus-wide
> anti-virus license.
>
> There is nothing wrong with a user who thinks they should not have to know
> how to protect their computer from virus infections. If we (the community
> who provides them service and software) can't make it safe-by-default, then
> the problem rests with us, not with the end users.

And tomorrow's worm will instead send itself to Mozilla addressbook
instead of Outlook addressbook, and users will keep clicking on "Open"
when they see an attachment "DANCING BEARS - OPEN ME.SCR" or "Mozilla
Internet Patch.exe".

(I agree with spyware aspect though)

-alex

> There is nothing wrong with a user who thinks they should
> not have to know how to protect their computer from virus
> infections. If we (the community who provides them service
> and software) can't make it safe-by-default, then the
> problem rests with us, not with the end users.

This is somewhat of a surprising position. What is considered "safe"?
How do you make a computer safe from the most irresponsible of users,
who will run any executable without thinking twice, other than maybe
locking down their access rights to an extent that 1) is probably
impractical, and 2) would cause an uproar?

It seems there has to be at least some level of basic clue on the user
side of things for there to be any hope of this problem going away. As
the Internet becomes a commodity, it doesn't seem unreasonable to me to
insist that those who use it be versed in the basics of protecting
themselves against common threats. No one is asking for expertise --
just the basics would be a big help, wouldn't it? If we accept that
there's no such thing as "perfect security" or "completely safe", how do
we protect users who assume this isn't the case simply because it's a
more convenient assumption for them to make?

OpenBSD is reasonably safe by default. But as functionality &
user-friendliness reach levels that non-technical users require/demand,
I'm not seeing how we make systems safe without user cooperation; i.e.,
basic clue on their part. The "Someone else should be completely &
totally responsible" stuff exhibited in the article just doesn't seem
reasonable here. Society as a whole could benefit from people taking
more responsibility for themselves -- the Internet doesn't seem any
different in this regard.

-Terry

In article <000001c3eea4$2c9cd9f0$0200000a@pleth0ra>, Terry Baranski <tbaranski@mail.com> writes

> Society as a whole could benefit from people taking more responsibility for themselves -- the Internet doesn't seem any different in this regard.

Which is fine (some would argue) as long as their irresponsibility affects only them, and not the rest of society.

As for this business of "opening" (aka executing etc) files which users have been sent. One useful first line of defence would be for client software to insist that the name of the sender be typed into a box, as some kind of confirmation that the sender was known to the user.

Date: 08 Feb 2004 22:46:17 +0000
From: Paul Vixie

> There is nothing wrong with a user who thinks they should not
> have to know how to protect their computer from virus
> infections. If we (the community who provides them service
> and software) can't make it safe-by-default, then the problem
> rests with us, not with the end users.

Cool. I guess I'll quit locking doors, leave valuable items
unsecured and unattended in plain sight, and generally rely on
law enforcement to keep everything safe. It'll be more
convenient and less effort for me.

No? Perhaps all parties should do as much as is reasonable.[*]
ISPs cannot block 100% of Internet nastiness. By no stretch of
the imagination does this mean ISPs shouldn't try, but users need
to take on some responsibility, too.

[*] Fuzzy grey ideology. Yes, I know.

Eddy

Unfortunately, I have to differ here. A more proper analogy would be
that "running A/V software on the standard Microsoft configuration is
like putting security cameras around a building that's lacking locks
on the doors".

> The puzzling thing about this is the basic assumption (by the author of
> the article) that computers are fragile and infection-prone and that users
> who don't know how to protect them are somehow part of the problem.

The way corporations "solve" the problem is take away all privileges
from end-users. End-users can't install software, can't make changes to
the system configuration, can't connect to unapproved systems. IT support
in most corporations cost more per seat than the average home user pays
for Internet access.

In 1998, the concept of Web Appliances was the rage. Most users of
the Internet use e-mail and the web. Web appliances eliminated 90% of
the bloat of Windows, and only provided the few functions most people
use. They didn't even have anti-virus, because they didn't need it.

The market decided secure (limited) web appliances weren't desired by
the purchasers of computers.

> In this past year's tour of my friends and family, I've taken to removing
> their antivirus software at the same time I remove their spyware, and I've
> taken to installing Mozilla (with its IMAP client) as a way to keep the
> machine from having any dependency on anti-virus software. IT managers are
> encouraged to consider a similar move next time they're asked to approve
> the renewal costs of a campus-wide anti-virus license.

Next year, when you tour your family and friends, how many will have
re-installed programs which included spyware as well as saving and running
viruses delivered through the e-mail?

> There is nothing wrong with a user who thinks they should not have to know
> how to protect their computer from virus infections. If we (the community
> who provides them service and software) can't make it safe-by-default, then
> the problem rests with us, not with the end users.

Every computer sold in the US is safe by default. It is powered off,
disconnected, in a factory sealed box :-)

The problem is only partially technical. I used to do public access
kiosks and never had virus problems with millions of users every year.
But you couldn't save, alter or run any unauthorized programs on any
of the public access kiosks either. No Microsoft Word, no KaZaA, no
Instant Messenger, no Gator, no Weatherbug, no Real Player, etc.

Unfortunately, people want to install arbitrary software on their
computers and are willing to bypass every control to do it.

> In this past year's tour of my friends and family, I've taken to removing
> their antivirus software at the same time I remove their spyware, and I've
> taken to installing Mozilla (with its IMAP client) as a way to keep the
> machine from having any dependency on anti-virus software. IT managers are
> encouraged to consider a similar move next time they're asked to approve
> the renewal costs of a campus-wide anti-virus license.

  when my mother wanted to use the web, i gave her a laptop with ROM-boot
  linux (Mozilla runs on top of it). so far i saw no problem, she's okay
  with using linux. ROM-boot linux was from www.cramworks.com.
  (she is using cellphone for emails)

itojun
PS: i have no relationship with cramworks.com

Which is rather interesting... As probably every person on this mailing
list does regularly, I end up sitting at a computer for some period of
time when visiting any relative's home. I don't even run Windows myself,
but have still had to become familiar with "AdAware" and all the other
"cleaning tools". It's truly amazing the amount of software people will
install in the course of a few months. And almost all of it is the kind
of junk that wants to throw ads in the user's face during the normal
course of use.

You can even ask the owner of the PC "what software should I put on here?
what do you *need* to do on this PC?" and they'll give you a list, and you
seek out more "friendly" applications for weather reporting, browser bar
"helpers", etc. The machine is "clean" and there is no nagware/adware.
Come back months later and WeatherBug is there, 5 different IE toolbars
that can't be turned off, etc. Stunning, really.

The thing that really burns me is that my own "shiny pretty happy box" is
a Mac. I tend to install gadgets for weather, stock trackers, you name
it. For whatever reason, I'm more likely to find truly free applications
that have no ill side-effects to do the same things that the PC crowd
wants. I mean, I have to *work hard* to find adware for the Mac.

Why is that? I understand why that's so on *BSD/Linux, but the Mac really
does out-of-the-box work like a PC running Windows as far as functionality
is concerned, unlike *BSD/Linux. So why the apparent lack of junkware?

Charles

In article <20040208212114.X8374@shell.inch.com>, Charles Sprickman <spork@inch.com> writes
>So why the apparent lack of junkware? [on the Mac]

I presume this is because the marketers believe in the 80:20 rule, and the Mac is well inside the 20.

: > http://www.silicon.com/software/security/0,39024655,39118228,00.htm
:
: The puzzling thing about this is the basic assumption (by the author of
: the article) that computers are fragile and infection-prone and that users
: who don't know how to protect them are somehow part of the problem.

Replace "computers are" with "Windows is" in that statement and it becomes
very much true. There's a direct link between the Windows*uneducated-user
tuple and distribution levels of malware.

: 2. anti-virus software makes booting, rebooting, logging in, logging out,
: and sometimes just general operations, amazingly much slower.

That's the cost of having an amazingly insecure OS, used by an average
computer user, wrappered by a condom. If the user is not smart enough to
inspect everything downloaded to the computer (and preferably with a
trojan-virus scan run by hand), then the user is not smart enough to be
trusted not to use antivirus software.

Uneducated users should live with the slowness. It's protecting the rest of
the world from their blissful ignorance.

: 4. the mail-server versions of these packages inevitably send e-mail to the
: supposed sender, even though they know this address is inevitably forged.

Unrelated to the end user bit, but this is definitely an annoyance.

: In this past year's tour of my friends and family, I've taken to removing
: their antivirus software at the same time I remove their spyware,

Gee, I hope these folks are more computer literate than my family. My
mother-in-law reinstalled Win2k, and even Mozilla for mail and browsing, and
she still got hold of a malware trojan and ran it. Didn't help one bit.

The average Windows user CANNOT BE TRUSTED TO DO THE RIGHT THING because
they are blindly trusting the (1) operating system's security, and (2)
non-malicious intent of the things they view or download.

This is established fact, with oodles of hard-earned stats to back it up.

: and I've taken to installing Mozilla (with its IMAP client) as a way to
: keep the machine from having any dependency on anti-virus software.

Did you also do everything in your power to prevent users from running IE or
its shdocvw.dll embedded component? (Hint: That's not possible as of
Win2k.) Or running OE or Windows Media Player? (Same deal.)

The problem lies not in the e-mail program. Several of the recent worms
were NOT spread by e-mail. Viruses still lurk in IE-trojan web sites.

: IT managers are encouraged to consider a similar move next time they're
: asked to approve the renewal costs of a campus-wide anti-virus license.

Uh, you're kidding, right? Large internal networks are breeding grounds for
viruses and trojans, and can be trusted even less than Aunt Millie.

: There is nothing wrong with a user who thinks they should not have to know
: how to protect their computer from virus infections.

Exactly. So just run the software, live with the slowdown while it does its
work, and you get to play in the sandbox. Don't run the software, and get
infected and shut off from the rest of the world.

Now, I may know your operating system software preferences a little better
than most here. But it can't be so difficult to see that the average user's
ignorance of technology, coupled with the rapid proliferation of security
holes in their chosen OS, is a recipe for disaster.

Antivirus software is not the best solution, to be sure. However, until a
certain Redmond entity slows down its "pervasive" embedding of a very broken
and bug-riddled Web browser rendering core into all corners of their OS,
antivirus software is the *only* solution.

Roland Perry wrote:

> As for this business of "opening" (aka executing etc) files which users have been sent. One useful first line of defence would be for client software to insist that the name of the sender be typed into a box, as some kind of confirmation that the sender was known to the user.

The users that are the problem anyway will vote for convenience with their wallets. If they wouldn't, they would not be buying the systems that conveniently allow them to execute and install code in the first place. It would be financially suicidal to make a piece of software to bother the user.

Pete

In article <4027384E.4050203@he.iki.fi>, Petri Helenius <pete@he.iki.fi> writes

> The users that are the problem anyway will vote for convenience with their wallets. If they wouldn't, they would not be buying the systems that conveniently allow them to execute and install code in the first place. It would be financially suicidal to make a piece of software to bother the user.

It doesn't cost the user any extra to include such a feature in the next version of Windows, and in all the Critical Updates downloaded starting tomorrow. [Obviously it costs MS something to do the software development.]

However, someone attending NANOG should at least have cleaned up slammer before connecting to the wireless...

Roland Perry wrote:

> It doesn't cost the user any extra to include such a feature in the next version of Windows, and in all the Critical Updates downloaded starting tomorrow. [Obviously it costs MS something to do the software development.]

It does if you provide free support. You get millions of people calling asking how to disable the annoying feature that they got when they updated the computer. In addition they will tell other people not to upgrade because it gets more annoying to use email and the earlier way was more convenient.

You missed my point earlier.

Pete

In article <4027A8DE.5030306@he.iki.fi>, Petri Helenius <pete@he.iki.fi> writes

> You get millions of people calling asking how to disable the annoying feature that they got when they updated the computer. In addition they will tell other people not to upgrade because it gets more annoying to use email and the earlier way was more convenient.

That's a user interface design issue. People seem happy enough with popups from virus checkers saying "suchandsuch a file is infected - what do you want to do about it", all I'm proposing is something similar for "potentially harmful files".

You already get something similar for (eg) driver files not signed as XP-compatible. Does that put people [support desks, users, potential upgraders] off XP?

I agree there may be a scaling issue, although I see fewer wanted-executables annually than I have non-XP drivers installed, which is also pretty much an annual exercise.

Of course, if it did gain acceptance maybe the black hats would simply deliver their infections differently.

Do you honestly think that any IT manager is going to be successful getting an entire company to dump Outlook/Exchange and stop using anti-virus software? Do you have an example (within the North American area of interest to NANOG members) where this has actually happened?

IMHO, if you can convince an Outlook/Exchange using company to dump MS for email, you can convince them to dump MS/Windoze OSs entirely, which is a much more complete way to solve this problem.

jc

p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.