Security

The real solution to malware

The solution to malware is closer, and easier, than you probably realize.

I've already pointed out that there is no legal solution to malware. The social problems of a solution predicated upon the idea that we can hunt down and kill enough malware writers to cause the remaining few to give up the pursuit entirely, out of fear for their lives, are effectively insurmountable -- at least within an even nominally free society. That's not to say we shouldn't try to identify malware writers and take legal action to protect others from them, but simply that legal measures are fundamentally incapable of providing an acceptable, comprehensive solution.

The technical solution is, really, the most effective solution. If malware never achieves any success at all, nobody will ever bother writing any. The way to defeat malware writers, and to get them to stop doing what they do, is to take steps to eliminate our vulnerability to their malware. Part of a technical solution to malware is actually a social solution, too, but it's a social solution that involves the would-be victims rather than the perpetrators. We must engage the "good guys" in taking an interest in a technical defense of their rights, rather than simply taking an interest in "punishing" the bad guys.

One of the social problems that must be overcome is that of the user that thinks he or she shouldn't ever have to think about security, and thus refuses to think about it at all. It's true that, in a perfect world, security would be something we'd never have to think about, but we live in the real world. Here, inattentiveness to security leaves one unsecured. Failing to defend oneself effectively doesn't mean one deserves to be assaulted, but it does mean that one is more likely to suffer assault. Taking the hands-off attitude that one doesn't ever have to think about security -- not just that one shouldn't have to think about security, but that one shouldn't think about it at all -- is a losing strategy, and if we want to solve the malware problem we need to solve this problem first.

The solution is, in concept, incredibly simple. Operating systems and applications that accept infected files without question, that try to do too much for the user and as a result end up making disastrous decisions that leave us vulnerable; users who are trained by security nagware to just click "OK" or "Yes" all the time without thinking about it; systems that impose no effective privilege separation: these are all part of the problem that could very easily be swept away, if we but had the will and determination to do so. Users who insist on using such software are part of the problem, whether they mean to be or not. If users on the whole could be elevated above such thoughtless acceptance of poor security practices, we would have taken significant steps toward solving the malware problem. Add to this a culture of secure software development, where software vendors no longer pushed such security opiates, and the malware problem would all but disappear.

Instead, we are plagued by "convenient" software development, by people who have never encountered secure development techniques, giving us "security" by constantly nagging us with unnecessary questions that ultimately train us to just approve everything, and by operating systems that allow applications to access pretty much whatever the heck they want to. It's really easy to solve the problem of vulnerability to malware, if we but make the effort, if we only care enough to bother. There is software in the world that is significantly hardened against such threats, even without being inconvenient to use, but we must choose to use it.

The major problem may be how software vendors define "convenience". Convenience is not malware infection, but much of what major software vendors call "convenience" is a substantial part of the reason malware is so prevalent and damaging in this world. Software is meant to remove drudgery from our lives, by automating tasks that humans don't like to do. The tasks we automate should not be core decision-making tasks. Don't let the software make your decisions for you; instead, let it help simplify the decisions. Autorun for CDs is a travesty of security practice, as is application selection by the software when you double-click a file. So too is a system that just automatically downloads and installs software updates without even asking.

Don't let your computer do your thinking for you. Let it do the scut-work. Otherwise, the computer will become the pointy-haired boss you so loathe at work, who tells you what to do, and makes decisions that make your life more difficult in the long run, despite relieving you of the responsibility to make your own decisions. The difference is that, with software, we call this "convenience", no matter how inconvenient the consequences.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

89 comments
Deadly Ernest

refuse to buy or support any operating system that does NOT have good tight code with strong security measures in it to protect the system. And implement laws to heavily fine any company that writes an OS that doesn't comply or buys an OS that doesn't comply. BTW Chad, We need a technology answer that is NOT in line with the Wintel Palladium idea of hardware / software lockdown and lock in. We need one that allows the users freedom to go and do what they want.

howiem

I recall in earlier days that all the pundits were saying that educating users was impossible. As the SeaBees say, the impossible just takes a little bit longer. It is good to see that user education still has a voice.

mikifinaz1

I have known a couple of these morons. They get the same evil satisfaction as those that spray paint their crap on walls. Unfortunately, software in general and the Internet in particular are so full of holes that these idiots will have the opportunity for long into the future to do this crap.

hlhowell

Human nature is human nature. You will never eliminate malware, because no matter how complex the lock, someone will discover a pick for it. Part of it is the natural curiosity, what is behind that door. Part is the nature of the mechanical mind, how does it work. Part is the teen age urge to go somewhere forbidden, after forbidden fruit tastes sweetest, especially if some effort was expended to get it. It is just nature, evolution in the microcircuit cosmos. Windows is the ultimate frog, millions of tadpoles, a few are sure to survive any onslaught. Other approaches are turtle like (think AV software), or preventive (think hardcoded systems), but survival demands some means to ensure the evolving computer survives. Regards, Les H

jevans4949

One thing which too few people seem to question is the widespread use of automatic updates. Back in the 70's when I worked for a major UK bank, any software (or hardware) change to the mainframe had to be cleared by a committee chaired by the deputy head of IT. Nowadays it's difficult to stop. Windows, Firefox, Itunes (to name a few) - how do I know they haven't been taken over by Al Qaeda? And how is the "average Joe" supposed to spot this?

dareeves

Well as far as I'm concerned, software creators make it bloody harder to stop this shit. Even Windows itself likes to take control and rebuild itself, so I'd like to let M$ know I want control back and let me handle this. I admit, I'm a control freak and have used a systematic approach to Viruses, Malware, Hackers, and so on for 20+ years and I've seen some bangers in that time. Yet here I am in a world where it gets harder to tell the OS (firstly) and the software what to do and when. In all this time I've only ever had to reinstall from scratch three, yes that's 3 times due to a Trojan, then Malware, and another Trojan. Thing I find the biggest security risk on my PC is software always trying to use security features and connect to the internet to make it more secure. Like Windows it tries to do it behind your back and like your kid brother, you're swimming in a river without a barbwire canoe before you can say shit.

sboverie

Users are just part of the problem; they are the biggest part of the reason why spyware, malware and other security breaches happen. The users should learn how to protect their computers from attack; although this is a challenge to the tech savvy as well. Another part of the problem is the design of the internet protocols. If a solution to preserve headers so that the senders can be identified 100% of the time, then we can identify the bot nets and the people who control them. The internet has too much trust built into it; it needs to have some way to provide a check against abuse of trust. It also would be good to be able to create an email rule that will catch deliberate misspelling in subject line and quarantine those messages with creative spelling. Most of the people I get email from are smart enough to use good spelling in text and subject.

MichP

I've been wondering lately, why did Adobe Reader start allowing JavaScript in a document? That opened a few holes. Microsoft's original Office plan that allowed all kinds of macros and script to run amongst all its programs, leaving the doors open to everyone else, didn't work out the way they planned, either. And I may be wrong, but it seems like when Java first appeared, it purposely did NOT include any functions that could access anything on your machine. But somebody, somewhere decided it would be SO COOL if we could just...

stevenjs

Right on. SlovenlyWares, a subsidiary of Capitalism, Inc.

apotheon

The solution to malware is simple: 1. Write software that doesn't treat security as an inconvenience. 2. Get people to use it. 3. Convince everyone that they should learn to think for themselves from time to time, especially where security is concerned. Simple . . . but not easy.

deepsand

The analogy strongly holds here.

rkuhn040172

Oh please! Getting government involved would only make the situation worse. I for one don't want my politicians who have proven for 30+ years that they can't manage anything right involved in defining what is good, bad, right, wrong, good code, bad code, etc. I want less government not more.

robo_dev

I'm sorry, but we need a law governing acceptable analogies. My OS is a cute squirming tadpole, yet I spilled forbidden-fruit juice all over my #$#$# keyboard when trying to buy a new set of lock-picks on eBay....... Unfortunately my AV-Software / turtle just barfed out some trojan virus and I fear he can no longer protect the frog....

robo_dev

then things would get broken, while other things are fixed.... (hmmm, XP SP3) and....our productivity would be sapped trying to fix all sorts of printing problems (hmmmmm....Adobe Acrobat) OMG...the software companies are all run by terrorists...somebody quick call Fox news!!!!

Ocie3

Note: the users are not the people who created the software that has weaknesses which malware can be designed to exploit. If a car has a defective component in the braking system, then it is not the driver's fault when the brakes fail to work, but it will be the driver and passengers, as well as others, who will suffer the consequences of the failure.

chris

Think about how many documents you open that give you a "macro" warning. How many basic users even know what that is? If the machine would maybe analyze the macro and give you its purpose, you could make an informed decision. Saying enable macros blindly is all we're left with (unless Vista has something I haven't seen. I use XP)

dtroyerSMU

Unfortunately, myriads of users of computers each day get these things on their computers without them doing a thing. No, they did not click ok, or even visit a questionable site, they just browsed. This symptom is the reality of the Internet, a world within a world with all the diseases and plagues that come with it. Most computer users are just ordinary people, living their lives day to day embracing technology as they must. No one tells them that a computer has a certain amount of knowledge required before using. No one tells them that to operate one, they need to learn the ins and outs of software and the operating system that runs them. Just the basics, mind you, not the technical side I see every day. From what I have seen in the 9+ years as a technical student and technician, people or students do not know what their computers are capable of, just the fact they can get on the Internet, access email, download music, movies, or any other entertainment they are prone to. A good portion of the students, staff and faculty do not even know what a virus program is let alone its total requirement in operating one. I believe the whole malware problem stems down to one reason, education of the user. Computers should either require the user when turned on to go through a short introductory course on using one. Oh, would this mean less sales that knowing that the person has to take a course to use a computer? Well at least inform the potential user of the ups and downs of Internet usage and what is required to use it. Oh, does this mean exposing them to the ugly world of the Internet as well as the good side? We all know in truth you cannot know the difference of the ugly vs. good unless you know about both. Knowledge, it will set us free of many things and the more people know how the Internet can be both ugly and good will further the reduction of malware invading unsuspecting users' computers.
Client Technologies Technician Integrated Technology Services Saint Martin's University

Ocie3

Java, the programming language, was developed and promoted by Sun (which is now being bought by Oracle), and Sun is wholly responsible for its features and how they are implemented. According to Wikipedia, JavaScript originated with Netscape Communications (the Mozilla Foundation is the heir apparent), and it is a separate entity from Sun Java, although they are more-or-less related and have common origins: http://en.wikipedia.org/wiki/Javascript_(programming_language) When we allow websites to run JavaScript on our computers, then they gain access to just about every piece of information that they could want about the browser, the operating system and the hardware that is running them. In the wrong hands, that data can be used to craft malware that targets one or more specific computer(s), exploiting whatever weakness may be revealed in that data.

RipVan

Hardly. Quite the opposite in fact. But so many people these days are big fans of totalitarianism. Gotta push the boogeyman. So does this mean that we are past the other big push by the totalitarian mind controllers of today: "capitalism can't work in a world economy." I can't keep up. I was much happier when Big Brother handed out simple mottos instead. I was a big fan of "mean spirited" and knew immediately that "gravitas" would never make it with the masses.

Marty R. Milette

... by making it impossible for malware writers (and spammers) to cash out. Considering that a major motivation is money -- just follow the money and cut it off at the source. Unfortunately, the source doesn't WANT to cut it off. Google makes billions on malware that fires up AdSense-based popups. Credit cards and banks make billions on transaction fees and charges. How hard would it be to have an organization whose job it was to order stuff from SPAM and pop-ups with a special credit card -- which, when used would trip off an alert. Just follow the money and shut down the merchant account and block the associated bank accounts. Problem solved. (If anyone actually WANTED to solve the problem..)

hauskins

like driving a car. We can have all the laws and policies you want but in the end it is the driver that has full responsibility. To some degree I think this is the same concept that we need to drive home to computer users. They are the driver and need to know the rules of internet highway and be prepared for the unknown by exercising safety and forethought.

rkuhn040172

Why is application selection so bad? Perhaps I'm misunderstanding you. Do you really want me to have to select MS Word every time I click on a .doc? I agree mostly with this article...well written. However, in the real world a certain level of convenience is demanded from the end user whether it's good for them or not.

robo_dev

Imagine if you could buy a car that was put together like Windows OS. It would come with no brakes, no airbags, no seatbelts, and features like door locks and headlights would be options. And half of the cars would come with 'trial versions' of airbags and brakes that stopped working after six months. Those who purchased the 'security suite' of airbags/brakes/door locks from one vendor would be often faced with a car that was so slow it could not go faster than 30 mph. And then the user would have to spend much time researching the best type of airbags to get, the best seatbelts, and the best door locks. Of course the thrifty car buyers would make their own seatbelts or airbags, or just not bother to install things like brakes. And then there would be discussion sites where pointy-headed 'experts' patiently explain to new-bie car owners why brakes are important, or why homemade airbags are a bad idea.

Jaqui

"2. Get people to use it." you funny. :D people? use software that doesn't treat security as an inconvenience? riiiight. in this age of promotion of stupidity [ twitter, youtube, iphone, blackberry, gphone ... ] do you REALLY expect people to do something SMART and use something where they have to GASP THINK?!?!?!?! and thanks, I needed the chuckle. :)

Deadly Ernest

I'd like to see the laws on that changed so the fine is the entire revenue the company made the year they were in violation - it may make them think twice about violations; it would also help balance the government budget.

apotheon

I have to agree with you (for a change). Getting government involved in regulating code quality is a terrible idea.

apotheon

If you know of a car model whose brakes are famous for failing all the time, you'd be stupid to buy one. Why doesn't the same standard apply to operating systems and other software notorious for its vulnerability to the dangers that plague computer users? edit: pronoun agreement

dogknees

As a user of a car, if you attempt to brake quickly on a wet road, the brakes aren't as effective as usual. The user has a responsibility to learn how to use the car/pc's capabilities in a way that is safe both for the users/driver and others that might be affected by their actions(like passengers or pedestrians). This might also include making sure you maintain your brakes in good order and take into account the load you have in the truck and the fact that you haven't replaced the tyres in 5 years. This isn't the responsibility of the manufacturer of the car, or whoever sold it to you. It's up to the driver/users to learn how to use their machines.

eric

Right. Complaining about human stupidity is . . . (wait for it) . . . stupid. As well complain that all software isn't perfect, and then expect your complaint to be acted on instantly and appropriately by everyone. Perhaps if malware were truly deadly to machine and data, and zapped whoever was in front of the keyboard, THEN . . . no, wait. Please, I didn't mean it, really. Too many people are making too much money by having things remain exactly as they are. So they won't get fixed. =Eric

misceng

While I agree that users are a major part of the problem with malware and viruses, the techies have to take a fair bit of the blame because the information the ordinary user gets is so brief and jargon filled that it makes no sense to them. As a result they do not know what to do and decide arbitrarily. It takes little effort on the part of the malware producer to add to this confusion and get the user to do the wrong thing.

chris

how who gets paid.

apotheon

Normally, I find the ubiquitous car analogies people love to use so much in discussions related to information technology matters, but in this case I think your choice of a car analogy is particularly apt.

Ocie3

(comment withdrawn)

apotheon

A file labeled foo.doc in your file manager window may very well be something other than a Microsoft Word DOC file. If you double-click on it, the thing might execute in some other way than by opening MS Word. Then, you have something on your computer doing something you don't want it to do.
"I agree mostly with this article...well written." Thanks.
"However, in the real world a certain level of convenience is demanded from the end user whether it's good for them or not." That's kinda the point. I'm peeved about the fact that people "demand" things that are just going to end up screwing them, then they complain about security issues that are (to some extent) essentially their own faults, since they demanded the very cause of those issues. Once they've gotten infected by some spambot software, they start sending emails to me, and others, and we all end up with an Internet getting saturated with spam and infected files, and so on. I don't find that very convenient at all. Think about what you said for a moment -- that people demand "a certain level of convenience", "whether it's good for them or not". That is the pet peeve in the list, in a nutshell -- not just because it isn't good for them, but because they affect other people with these terrible decision making skills of theirs. As they say, if you aren't part of the solution. . . . Of course, part of the problem is the experts, too. When a user says "I want this convenience," the expert should say "That's a really bad idea, and this is why." The expert sure as heck shouldn't say "Well, okay, we'll give that to you," and never even mention that it may increase vulnerability. Producing software that services these poorly conceived demands to which you refer without even informing users that such features are really bad ideas from a security standpoint is irresponsible in the extreme.
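
The point made in the comment above, that a name such as foo.doc says nothing reliable about what the file contains, can be checked mechanically. The following is an added example, not part of the original comment or article: it compares a file's extension with its leading bytes. The signature table, the extension policy and the sample byte strings are assumptions constructed for illustration.

```python
import os

# Leading-byte signatures ("magic numbers") of some common formats.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office: .doc/.xls/.ppt
    (b"MZ", "pe-executable"),                        # Windows EXE/DLL
    (b"\x7fELF", "elf-executable"),
    (b"#!", "script"),                               # shebang line
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx/.jar
    (b"%PDF-", "pdf"),
    (b"{\\rtf", "rtf"),
]

# Policy assumed for this example: content kinds each extension may carry.
EXPECTED = {
    ".doc": {"ole2"},
    ".docx": {"zip"},
    ".pdf": {"pdf"},
    ".rtf": {"rtf"},
    ".zip": {"zip"},
    ".exe": {"pe-executable"},
}

EXECUTABLE_KINDS = {"pe-executable", "elf-executable", "script"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = set(EXPECTED) - {".exe"}


def sniff(head: bytes) -> str:
    """Classify content by its first bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def check_file(name: str, head: bytes) -> dict:
    """Compare what the name claims with what the bytes say."""
    stem, ext = os.path.splitext(os.path.basename(name).lower())
    inner_ext = os.path.splitext(stem)[1]
    kind = sniff(head)
    findings = []
    # "invoice.doc.exe" is displayed as "invoice.doc" when a file manager
    # hides known extensions.
    if ext in EXEC_EXTS and inner_ext in DOC_EXTS:
        findings.append("double-extension")
    # Executable content behind a name that does not look executable.
    if kind in EXECUTABLE_KINDS and ext not in EXEC_EXTS:
        findings.append("executable-content")
    # Content that is not what the extension promises.
    allowed = EXPECTED.get(ext)
    if allowed is not None and kind not in allowed:
        findings.append("type-mismatch")
    return {"name": name, "ext": ext, "content": kind, "findings": findings}


def check_path(path: str) -> dict:
    """Same check for a file on disk; only the first 16 bytes are read."""
    with open(path, "rb") as fh:
        return check_file(path, fh.read(16))


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("foo.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("foo.doc", b"MZ\x90\x00\x03\x00"),
    ("invoice.doc.exe", b"MZ\x90\x00"),
    ("report.doc", b"{\\rtf1\\ansi"),
    ("notes.txt", b"#!/bin/sh\n"),
]

if __name__ == "__main__":
    for sample_name, sample_head in SAMPLES:
        result = check_file(sample_name, sample_head)
        status = ", ".join(result["findings"]) or "ok"
        print(f'{result["name"]:<18} content={result["content"]:<15} {status}')
```

A mail gateway or download handler can apply the same comparison and refuse, or at least prompt, before passing the file to whatever application the extension selects.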

wdewey@cityofsalem.net

But since you opened the can... Cars have been in development for over 100 years. Air bags were introduced in what the 1980's or 1990's? When were seat belts introduced and required? Cars are really meant to do a very limited number of tasks as opposed to a computer which is meant to be able to do almost any task. That flexibility makes them vulnerable. If you don't like that get a web TV. Bill

apotheon

Why so much responsibility on the user? That's easy. It's because the user is the one who (at least tacitly) chose the operating system! If users moved security further up the scale of priorities, eventually Microsoft Windows would either improve dramatically or drop off the face of the market. Microsoft is giving its users exactly what they'll accept. As long as you keep accepting it, Microsoft will keep giving it to you. So far, while Microsoft has tried to remove other options from the market, it has not managed to succeed in doing so across the board, and what successes it has had have been entirely because people went along with it, accepting whatever Microsoft has deigned to give them. If the user can't take responsibility for making decisions, someone else will do it for the user. More often than not, that person will not make decisions in the user's best interest, because the kind of people who like pushing decisions down others' throats are generally the kind of people who don't really do things in those others' best interests. In fact, often enough, they don't even do things in their own best interests -- even when they think they are serving their own interests.

tjbud

You're not allowed to drive a car before showing a certain amount of knowledge and skill at doing so - so why shouldn't users be educated. But now onto the Windows analogy... I'm tired of hearing that Microsoft doesn't do this or that with the OS. Many times when they do try including extra functionality, somebody complains about their being a monopoly, blah, blah, blah. But when Apple does it, it's the greatest thing that ever happened. What's up with that??

aharris02

Isn't my smart phone supposed to handle all the "smart" I need?

apotheon

I'm glad I was able to provide some entertainment value, at least. I was fully aware of the humor in point 2 when I wrote it, and I'm glad the first person to comment picked up on it.

apotheon

That's more stuff on which we agree.

rkuhn040172

Oh please. 1) At least in the good ole US, our budget is never balanced. Even when they have additional revenue, they just spend it too. 2) The only thing worse than a corrupt and greedy corporation is a corrupt and greedy politician.

apotheon

I prefer distilled water over beer -- at least, most of the time.

rkuhn040172

We can agree on lots of things. Like beer is better than water.

Deadly Ernest

exist now, the big companies just ignore them.

apotheon

I may have to actually take a whack at producing such a satirical list at some point.

apotheon

That's an excellent point, gbentley. Thanks.

dogknees

>> "If it's okay for them it must be okay for us." Newspapers, magazines and the Internet provide too much information and it often conflicts because it's provided by people like you and me who have their own axes to grind.
What you're talking about isn't "information", it's opinion. It's still every individual's personal responsibility to learn how to use the things they choose to but in a safe and responsible manner. If you find you aren't able to do so, don't buy it.

apotheon

"However, I resent being told that I peddle misinformation." Maybe you aren't peddling. Maybe you're just a victim of it.
"The result is that these unwitting victims are universally offered machines that have Microsoft Windows pre-installed because that's the only thing these stores sell. Tell my clients they have a choice!" The choice is there, whether they know it or not. We should be in the business of helping them recognize their choices, and make decisions in an informed, thoughtful manner. Why should I tell your clients they have a choice? They're your clients. You're the one that should be telling them that they have choices. If they don't know about these choices, it's because someone failed them -- not because the choices don't exist.

grax

"please stop blaming computer users when they have little real choice." "Ooh, look -- some misinformation! There's plenty of "real choice"." Like you, I try to be honest in my comments and the advice that I offer clients. Some might dispute the detail but I broadly agree with and support your stance. However, I resent being told that I peddle misinformation. My clients, presently, are older individuals, many of whom have only recently begun using computers. They come from half a dozen countries on the western edge of the European Union. In the past five years I have dealt with hundreds of machines in six different languages. With one exception (see below) all were running Microsoft Windows in one form or another. These people buy their shiny new laptops from their local computer shop or some big chain. Few have the confidence or the knowledge to buy on-line. They take the advice of the sales people because they don't know where else to ask. All their friends and acquaintances have the same sort of stuff. "If it's okay for them it must be okay for us." Newspapers, magazines and the Internet provide too much information and it often conflicts because it's provided by people like you and me who have their own axes to grind. The result is that these unwitting victims are universally offered machines that have Microsoft Windows pre-installed because that's the only thing these stores sell. Tell my clients they have a choice! I have seen one netbook in the hands of a novice recently that wasn't running Windows. He had been told it was an Apple computer! (It was running a version of Linpuss.) When I explained this to him he threatened to return the machine because it had been sold under false pretences! It took me an hour and a full scale demonstration to persuade him that he's actually got exactly what he needs. Your clientèle will undoubtedly be different but mine are simply trying to deal with a technology that they find confusing and intimidating. In the "real" world in which they live, I stand by my original comment: "....they have little real choice." P.S. Why do interesting and important discussions, particularly on security issues, get curtailed so soon whilst flaming disputes seem to be allowed to go on ad-nauseam?

apotheon

"If we really want to solve the problem in any meaningful way we must address [poorly developed software]." Of course we do -- and many of us are addressing it. We must also address the problem of ill-informed users, though, because if we don't the users will just keep using poorly developed software. That's sorta my point, in many cases; there's a lot of good software in the world but, in many cases, users obstinately refuse to allow themselves to discover that it exists. In fact, when informed of the existence of better software, they often go out of their way to find and believe people who tell them they shouldn't change their software choices, usually for the very flimsiest of reasons. In short, the core of the problem of ill-informed users is misinformed and willfully ignorant users. Much of what I say is meant to combat the misinformation that plagues users. While there isn't much I can do about willful ignorance, raising others' awareness of it might also produce some beneficial effect (I hope). I certainly don't intend to stick my head in the sand about it and choose to believe that "if you build it, they will come" is the sum total of advocacy for better security practice that is necessary to make the world a bright and shiny place.
"That's the basic problem with proprietary software. It's written and marketed for profit." That's not a problem at all. The real problem is that many vendors of software written for profit are:
1. willing to behave unethically in pursuit of profit
2. devoted to the myth that "success" for one person must mean "failure" for another
"Yes, I know Microsoft used to promote itself as a champion of innovation and choice. The truth is that they've never been prominent in either. Don't look to them to resolve the problems users experience." This is exactly why some approach other than "build it and they will come" is needed: Microsoft is the 900 pound gorilla in its market niche, and does everything in its power to crush competition, rather than to merely compete with it. The biggest threat to competitors, with Microsoft standing astride the industry swatting down any mention of better options that it can find, either with misinformation or tactics meant to drown out the voice of the competitor with its own tremendous marketing noise, is ignorance.
"There's no profit in it." There's plenty of profit in offering choice. There just isn't any industry domination in it.
"please stop blaming computer users when they have little real choice." Ooh, look -- some misinformation! There's plenty of "real choice".

grax

Although I dislike analogy it does have its uses. The car comparison has been hammered so often that it's positively hackneyed (pun intended). To condense the discussion; there are two basic problems with the issue of defence against malware. 1. Poorly developed software. 2. Ill-informed users. To castigate users is counter-productive. It isn't their fault! By my writing and hands-on I've spent much of the past twenty years trying to show people better practices when using computers. My success has been limited, perhaps because of my own failings, but I keep trying. As one contributor pointed out some make their living from it so, by all means let us carry on. Chad, of course, makes a good case but he is preaching largely to the converted. If we really want to solve the problem in any meaningful way we must address item 1. Like cars and almost anything else, software is, at best, "A Work in Progress". There will always be unseen difficulties. Nobody really thinks a car that explodes because of a badly positioned fuel tank when it receives a light shunt from the rear was intentionally designed. It was a mistake based on a need to make the vehicle cost effective. That's the basic problem with proprietary software. It's written and marketed for profit. If it has errors (inevitable because time and cost constraints make it impossible to test adequately), too bad. They may get sorted out down the line. Alternatively, others might profit from creating workarounds. The likes of Norton do very well in this area but don't let's go there. Recalling the seat belt saga I remember a time before Synchromesh gear boxes. One had to double de-clutch to change gear. In America such things were rare because manual gear change on the large engines then fitted in cars was considered to be beyond the abilities of drivers to manage. (User error isn't new.) So, you all got Automatic shift. In Europe we had a choice. Therein lies the solution.
Neither Microsoft, Intel or the US Government will benefit from offering choice. Yes, I know Microsoft used to promote itself as a champion of innovation and choice. The truth is that they've never been prominent in either. Don't look to them to resolve the problems users experience. There's no profit in it. What people need is a secure, stable and easy to use operating system that cannot be corrupted by third parties. I'll leave you to figure out where this might be going, but please stop blaming computer users when they have little real choice.

dtroyerSMU

Of course, without users, I would be out of a job. It's the way people become users that I see as part of the solution. I explain to all types of computer users in layman's terms how their machine has been infected by spyware and viruses. It's pretty much like in the world we live in. You don't or most do not trust everything we see, hear, and read. The same goes for things from the Internet. Investigating the product before using usually is the best way to buy, but due to our fast and want-it-now mentality, that usually goes to the wayside. Moral of the story, don't trust all you hear, see, or read. All users should use this philosophy, including myself. Be skeptical. DT

rkuhn040172

Yes, users are probably the biggest part of the problem, however, if there were no users we'd all be out of our jobs.

Marty R. Milette

Back when AdWords and AdSense were first starting, I had some beer making web sites and Google refused to allow me to use either program for my 'evil' sites. About a year later, they changed policy and started to allow beer and wine. About another year later and they started allowing hard alcohol. Now, well, there aren't too many keywords of any type that you can't find ads for. Google is the same as any other corporation -- when billions of dollars in revenue meet dozens of lawyers -- the halo starts to slip over the definition of what is 'evil' vs. what is just 'good business'. In any case, tricking the googlebots isn't difficult. A couple of lines of ASP or PHP code detecting the user agent or IP can present google whatever it 'wants' to see in the pop-ups fired off by the malware while presenting the victim with clickable (and chargeable) advertising. Considering that even the cheapest possible keywords can generate $.50 to $1 per click and some of the more interesting keywords/ads can generate $30 to $50 PER CLICK -- the incentive is definitely there.

apotheon

I've seen many, many people getting their AdSense accounts shut down for violating policy -- which doesn't allow for pages whose primary content is advertising, and would cover advertising pop-ups. Spammer forums are full of people who complain about Google AdSense, calling Google all kinds of unwholesome names, for "discriminating" against them.

Marty R. Milette

... any scenario where money is exchanged, it should be possible to track and catch the culprits. Money doesn't move anywhere without leaving a trail -- except in the form of cash.

Marty R. Milette

The POP UP that is fired off CONTAINS the AdSense ads. Nothing to do with Google's site. The pop-up is treated (by Google) as an AdSense affiliate site. In theory, Google should be able to detect that the ads are appearing in a pop-up and not on a real web site -- but either the malware writers have a workaround (such as launching the pop-up FROM a spidered AdSense site), or Google simply doesn't care.

robo_dev

Malware is the head of a very slimy snake. Malware has grown up from pimply-faced teens doing vandalism to millions of cybercriminals whose sole source of income is related to malware. In addition to the issues stated in the prior post, let us not forget:

Ransomware: encrypt your data, pay to get it back
Extortion: plant illegal images on your PC, threaten to notify your superiors.
Fake Anti-spyware: When googling to find help, users end up buying fake software, which gives away their credit card numbers.
Bots-for-hire: Cybercriminals install remotely-controlled rootkits so they can marshall the use of thousands of PCs for DDOS attacks. They rent the use of these bots to others.

apotheon

I actually use Google AdSense on some Websites, and I watch the ad content that appears on those sites with interest. I have yet to see any ad content even remotely similar to the kind of problem advertising you claim Google is peddling.

Marty R. Milette

1. Pay-Per-Click -- a malware writer infects your machine to fire off pop-ups containing pay-per-click ads. (Such as Google AdSense -- which is easily tricked.)

2. Pop-ups that are the same crap sold by SPAM -- viagra or whatever. People buy it with their credit cards -- the malware writers either get a commission (affiliate fee) or just sell the junk themselves, or just pretend to sell the stuff, process the order and vanish.

In ALL of these cases, you have 'willing partners' (Google, Visa, Mastercard, etc.) who turn a blind eye to the source of these mysterious revenues -- or claim that it is 'not their job' to be policing these kind of things.

These days, there are literally THOUSANDS of systems offering 'pay-per-click' for traffic you send them. With these, the infected user doesn't have to buy anything - if they simply click a fake checkbox to close the window, it can redirect them to the vendor site and the malware writer earns money for the traffic. Commission sales again -- there are tens of thousands of affiliate programs. While the victim still has to buy something in order for the malware writer to get paid -- enough people DO to make it worthwhile. These things are EASY to stop.

What is more difficult is where malware harvests data from the user's system, captures keystrokes etc. This data takes some work to translate into cash -- but considering the price of stolen IDs these days, it isn't hard to justify doing it. Again, the credit card companies don't care. If someone clones your credit card and makes a bunch of purchases -- when you report it the charges are reversed and the VENDOR loses the money. Seldom, if ever, do the credit card companies ever try to catch the OFFENDER. They don't care -- the merchant is the one who ends up out of pocket.

In one case, someone cloned my credit card and bought a one-year health club membership. (Plus several thousand of other charges.) I asked why they just didn't send someone over or have the health club call them when the idiot showed up to use the membership -- they said they couldn't be bothered, not their problem, and that it happens all the time.

Last but not least is malware that sends SPAM. Companies marketing crap will pay a lot to have SPAM blasted to millions of addresses. Distributed SPAM relays are also much more difficult to block or blacklist than fixed open relays.

NickNielsen

Even the worst nanny knows it's important not just to forbid or prescribe certain actions, but to educate her charge on the reasons for those actions. She also understands that at some point she must move on and her charge must be left to fend for itself. The government nanny does not educate, nor does she let go...

apotheon

What those kids need is a parent, at least until they learn they can't trust everybody on the Internet.

robo_dev

There's a reason my 6.5HP chipper-shredder has a warning label that says not to use it indoors. But seriously, kids ARE the ones who need nannies, and they are computer users too. I've seen several young-uns click on those 'your computer is infected' fake pop-up ads. And I have the blessing of helping to support a couple of elderly computer users who would be likely to wash their computer with Lysol spray if it got infected. It doesn't take all kinds, we just got all kinds....

apotheon

Actually, the mandatory seatbelt laws are nanny state laws -- not welfare state laws. I don't think that legislating the design of a car, or of an operating system, is the right way to handle things. Instead, user education is the key. If people know that seatbelts and privilege separation are important, they'll be more likely to buy cars with seatbelts and use operating systems with real privilege separation. Remember -- there is no legal solution to malware.

Ocie3

Consider seat belts on automobiles. When I learned to drive at the age of 14, I had never ridden in a car that had seat belts installed, and I did not either drive or ride in one that had seat belts for at least another five years. Seat belts (which originally did not include a strap across the shoulder and body to the waist) were available as an option, but they had to be installed at the factory (so you would have to wait as long as six months before your new car arrived at the dealer). The automakers said that there was no demand for seat belts. The vast majority of adults did not care whether they were installed, said that they would probably never use them if they were installed, and didn't want seat belts if they would significantly increase the price of a new car. Some people claimed that seat belts would make riding in an automobile LESS safe, and the reactionary blowhards of the day opined that Congress requiring seat belts in passenger automobiles was just another example of the "welfare state", in which the government presumed to know what was best for us. Be that as it was, there was a long and sustained campaign by those who cared (supported by the medical profession and by the auto insurance companies), until Congress was finally convinced to require seat belts in all passenger automobiles, because the Senators and Representatives could _factually_ defend their support for the legislation. Of course, once seat belts were installed, there had to be a long and enduring campaign to persuade the public to actually USE them. Now, nearly forty years later, seat belts are generally accepted and almost always used as a matter of course. We also have stiff legal penalties (fines, primarily) for those who just don't get a clue any other way. Now, apply that history to changing any insecure aspect of the way that we use computers today, and you'll begin to see that computer and network security is not an issue that will be solved overnight.

apotheon

It never occurred to me that swine flu was a "social disease."

robo_dev

sorry, that was too easy....

apotheon

"What might really be happening is that the sales and marketing people are selling and promoting things faster than the developers can create secure applications and write good code."

That's certainly part of the problem, but so too is the fact that, even after Microsoft creates an entire industry of poor security, people keep buying it. In short, part of the reason that sales and marketing people are allowed to set the direction of development, at the expense of security, reliability, and usability, is that vendors who allow sales and marketing people to do that are rewarded for that behavior.

"I reject the argument that you cannot design and deploy an OS that is both user-friendly and secure. (Insert Mac OS and Linux argument here)"

Good! (Insert mention of additional OSes here, such as FreeBSD.)

"My argument is that the whole Windows OS security model is fatally flawed. To have to depend upon a slew of Anti-virus, anti-spyware, anti-rootkit, anti- who-knows-what is completely the wrong approach to security. If you install anti-virus software on a pig, it's still a pig...."

I absolutely agree. . . . and if you keep choosing the pig over the lovely girl, you're going to keep ending up ballroom dancing with the pig. Eventually, the lovely girl may even just go away, and more pigs might show up hoping you'll pick them instead.

robo_dev

People did not demand that ActiveX could allow any script kiddie to own your PC, they just wanted pretty web pages. What might really be happening is that the sales and marketing people are selling and promoting things faster than the developers can create secure applications and write good code. I reject the argument that you cannot design and deploy an OS that is both user-friendly and secure. (Insert Mac OS and Linux argument here) My argument is that the whole Windows OS security model is fatally flawed. To have to depend upon a slew of Anti-virus, anti-spyware, anti-rootkit, anti- who-knows-what is completely the wrong approach to security. If you install anti-virus software on a pig, it's still a pig....

apotheon

I get what you're saying. I'm not entirely convinced we can't fix the problem to a significant degree, given time and effort and luck, but I totally understand the impulse to believe it's unsolvable given the proclivities of people in large groups.

rkuhn040172

I completely agree and if I had a magical wand I'd make it happen. However, that's just not reality. Many things in life have flaws by design in order for convenience. It's our jobs in the IT profession to make the most of the real world. That's all.

apotheon

I find your reasoning difficult to dispute at this time.

paladin2

MS bought GIANT Antispy, which was a good program in its day. They turned it into Defender, which places next to last in the 'free' category of antispy applications. Any OS is so complicated it's like learning to fly in a Learjet. A lot harder than in a Cessna 150. So much harder that it's not surprising there's so many wrecks when ordinary people take a modern OS out for a spin. But since no one on the ground gets toasted when you crash there's no greater 'public good' in trying to force a company to make good products. People talking with their wallets is the only option available and will probably (and hopefully) remain that way. Imagine the government getting into software development? The thought's terrifying.

apotheon

That's a great plan. Now we just need to get Microsoft, and the smart people at the target acquisitions, to go along with it.

robo_dev

I did not mean that MSFT would just bundle AV software with their OS; but rather that the smart people at these companies would sit down and explain to the OS developers why it's a bad idea to let untrusted processes write to the registry, why core executables of the OS need to be protected better, etc, etc. A reading from the book of 'the truth about viruses': "Antivirus software is basically just a dirty hack used to fill a gap in your system's defenses left by the negligence of software vendors who are unwilling to invest the resources to correct certain classes of security vulnerabilities." Amen

apotheon

"Tomorrow Microsoft could buy a company like Kaspersky, Trend, or Webroot...and build that functionality into the OS, where it should have been from day one."

That doesn't solve the problem. It just slaps a band-aid on a sucking chest wound. Consider the truth about viruses as an example of what really needs to be done to deal with virus issues, for instance -- the kind of solution that would make current antivirus software's functionality effectively obsolete.

robo_dev

that you have to buy additional products to make the product even remotely secure. The point is, would it make sense if all the basic safety features of cars were not included? Hence you would have to take your shiny new Buick down the street to get one brand of airbags, then to another shop to get the anti-lock brakes installed? From a technology perspective, Microsoft could make their OS so that users do not have to spend extra time/money buying/installing/maintaining additional software. Why don't they do this? They don't do this because it would put at least ten other software companies out of business. Tomorrow Microsoft could buy a company like Kaspersky, Trend, or Webroot...and build that functionality into the OS, where it should have been from day one. I'll mention Mac OS, not to bash Windows, but as an example that it can be done. Similarly, Linux or UNIX boxes do not require additional software to make them secure.

chris

The government mandates them. But, that has to do with the public paying the price for your (whoever's) stupidity. If my computer gets AntiVirus 2009, it doesn't cost the tax payers anything really.

howiem

If you can get your kids to use a sandbox to run their programs, that will protect the OS and the other data files.

Dumphrey

is a type of user with limited install rights but not full control over the system directories. Or, teach them to run as a non-admin user. I do admit some software is poorly written and requires admin access. Try to replace this asap. Supporting bad design and implementation only hurts us all in the long run.

apotheon

What is "almost completely right"?

chris

I just wish winders would allow better options than

a. User
b. Administrator

For my kids to do anything decent, I gotta make them admins!!! Why not have something in place that lets the user only corrupt their profile/area? that would be nice.

apotheon

"You're not allowed to drive a car before showing a certain amount of knowledge and skill at doing so - so why shouldn't users be educated."

Considering your later statement about how MS is so unfairly put-upon -- thus seeming to indicate that you hold MS Windows in reasonably high regard -- I find this statement kind of ironic. After all, if only people who were fairly knowledgeable about computers were allowed to use computers, MS Windows would probably become a far less commonly used OS. Oh, yeah . . . and people can drive cars without taking a license test. The driver's license is only necessary for driving on public roads. On private property, you can drive without knowing a thing about the car if you want to.

"I'm tired of hearing that Microsoft doesn't do this or that with the OS. Many times when they do try including extra functionality, somebody complains about their being a monopoly, blah, blah, blah. But when Apple does it, it's the greatest thing that ever happened. What's up with that??"

I don't think I've ever heard anyone blame any innovative new OS capabilities on MS anticompetitive motives. Mostly, people (rightly) seem to blame MS anticompetitive practices on those motives -- practices like preventing others from developing and marketing innovative capabilities.

deepsand

without first passing a proficiency test. Computers are appliances, as are a myriad other electrical, electronic, mechanical, and electro-mechanical devices. The use of automotive devices is regulated owing to such possessing the capability of causing immediate, and frequently irreparable, harm to both people and property. Computers do not present such a clear and present danger.

deepsand

And, faster than you can do them yourself. :O

Jaqui

a short article that is so accurate the only way to comment is to laugh at the humor built into it. :) It's either laugh, or cry at point 2. Unfortunately, that is the one point that really is a killer for security. Ease of use takes precedence with the vast majority of users. They don't care about the risks and won't accept any inconvenience. Though an associate was just telling me about a network he had to set up this evening, to work on a custom database app for the business. The company demanded that it be as secure as he could configure it to be. The company required that the Database server system be completely isolated from the Internet, no going online with it, ever. This is a medical clinic, dealing exclusively with Methadone patients. Health records, and completely locked down to protect them from exposure. It does give some hope for future security in general that paranoia has made it into the health care sector. :)