
Paranoia pays off for the patch-weary

If you followed John McCormick's advice, a new security hole wouldn't be an issue. As it stands, several applications might "clip" your wings if you don't patch them soon.


Like an old tire, another common application has sprung another leak in need of a quick patch.

Just a little security conscious
I live in a rural area, operating the kind of electronic cottage many other 60s ex-hippies only dream about. My back-to-the-land organic ranch is supported by my high-tech business, and sprouts video cameras, intercoms, radio links, satellite dishes, and sensors that would make many medium-security prison wardens envious. I even have guard dogs, although my "Loose Bull on Property" sign is far more effective than any "Beware of Dog" signs ever were.
Nevertheless, sometimes I feel like my grandfather must have felt driving a Model T around the back roads in this area. Just like him, I keep encountering leaks that need to be patched. Every sharp rock on the information superhighway seems to stress my software in some new way and reveals some new bug.


The latest entry in the "I never thought that could be a problem" security contest is the recent news that clip art can cause buffer overruns. If you have MS Office 2000, Works 2000, Picture It! 2000, Publisher 99—any fairly recent Microsoft application that uses clip art—you need to start patching all copies.

For more information from the source and links to the patch, see Microsoft Security Bulletin (MS00-015). It turns out that clip art files you download from Web sites, or those that come attached to e-mails, can carry malicious code.

This doesn't really affect me directly in my office, because I never download clip art and never open or download e-mail attachments. However, I do need to alert clients. And once again, I suggest they adopt my stringent security rules even when they can't see the reason for them.

This latest security flaw won't bother those of my clients who subscribe to my paranoia, because they're well aware that they should:
  • Never accept attachments from untrusted sources.
  • Never download DOC files to a PC that contains any confidential or important data.
  • Never download DOC files to any networked PC.

Now, I'm not claiming any special insight into Microsoft software flaws. I certainly didn't foresee this latest security problem. Nevertheless, when it was announced, I was already completely protected, and I always had been.

Why? Because my liberal education keeps reminding me that, as the philosopher George Santayana once wrote, "Those who cannot remember the past are condemned to repeat it."

History, in this case, teaches me that nothing good can come from downloading anything from an untrusted source, at least nothing good enough to justify the risks. Some people complain they lose much functionality from the latest software suites and applications if they follow my very strict rules. I counter this with the argument that businesses have been highly profitable for centuries without these meaningless enhancements. Most of those "must have" features are only there because word processor software reached its peak a decade ago, and to keep selling new products, companies must entice people by making them believe they actually need these features.

Except for the occasional presentation slides, do you really need to have so many fonts? Does clip art really add anything to most documents? Are macros really needed in 99 percent of your documents?

I'm no Luddite
Any visitor to my office knows I'm very high tech. My business has expanded and become more efficient with the growth of the Internet. Even my ranch takes advantage of the Internet. It uses the latest electronics with links to real-time Doppler radar (not just the stuff you see on the evening news but detailed reports of the kind most people first saw in the movie Twister), 12-month weather forecasts, grain, cattle, and even hay pricing from Web auction sites, and more.

But radar images don't pose the level of threat that the simplest DOC file does. Government intelligence agencies (been there, done that) have followed rules similar to mine for years, and if you didn't notice, we won the Cold War. So despite jokes to the contrary, we know that the rules work.

I know you can live within my security rules and still take advantage of the Internet, e-commerce, e-mail, and all the important business advances computers have brought us without compromising the most important security rule: If you don't understand how something works, don't use it!

If you don't understand much about software and the Internet, then you should use only the parts you do understand. If you need the parts you don't understand, hire someone with that expertise.

Nobody told me the computer revolution would be easy. I mention that because many people seem to have gotten the idea it was supposed to be easy. The Industrial Revolution wasn't easy for most people, so why should the Information Revolution be any different?

But it doesn't have to be impossibly hard. Just remember that it's not about the technology; it's about your business!

This is the first of a two-part rant; check my column next week for the rest.

John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.

