I’ve already pointed out that there is no legal solution to malware. The social problems of a solution predicated upon the idea that we can hunt down and kill enough malware writers to cause the remaining few to give up the pursuit entirely, out of fear for their lives, are effectively insurmountable — at least within an even nominally free society. That’s not to say we shouldn’t try to identify malware writers and take legal action to protect others from them, but simply that legal measures are fundamentally incapable of providing an acceptable, comprehensive solution.
The technical solution is, really, the most effective solution. If malware never achieves any success at all, nobody will ever bother writing any. The way to defeat malware writers, and to get them to stop doing what they do, is to take steps to eliminate our vulnerability to their malware. Part of a technical solution to malware is actually a social solution, too, but it’s a social solution that involves the would-be victims rather than the perpetrators. We must engage the “good guys” in taking an interest in a technical defense of their rights, rather than simply taking an interest in “punishing” the bad guys.
One of the social problems that must be overcome is that of the user who thinks he or she shouldn’t ever have to think about security, and thus refuses to think about it at all. It’s true that, in a perfect world, security would be something we’d never have to think about, but we live in the real world. Here, inattentiveness to security leaves one unsecured. Failing to defend oneself effectively doesn’t mean one deserves to be assaulted, but it does mean that one is more likely to suffer assault. Taking the hands-off attitude that one doesn’t ever have to think about security (not just that one shouldn’t have to think about security, but that one shouldn’t think about it at all) is a losing strategy, and if we want to solve the malware problem we need to solve this problem first.
The solution is, in concept, incredibly simple. Operating systems and applications that accept infected files without question, that try to do too much for the user and as a result end up making disastrous decisions that leave us vulnerable; users who are trained by security nagware to just click “OK” or “Yes” all the time without thinking about it; systems that impose no effective privilege separation between applications, users, and the operating system itself: these are all part of the problem that could very easily be swept away, if we but had the will and determination to do so. Users who insist on using such software are part of the problem, whether they mean to be or not. If users on the whole could be elevated above such thoughtless acceptance of poor security practices, we would have taken significant steps toward solving the malware problem. Add to this a culture of secure software development, where software vendors no longer pushed such security opiates, and the malware problem would all but disappear.
Instead, we are plagued by “convenient” software development, by people who have never encountered secure development techniques, giving us “security” by constantly nagging us with unnecessary questions that ultimately train us to just approve everything, and by operating systems that allow applications to access pretty much whatever the heck they want to. It’s really easy to solve the problem of vulnerability to malware, if we but make the effort, if we only care enough to bother. There is software in the world that is significantly hardened against such threats, even without being inconvenient to use, but we must choose to use it.
The major problem may be how software vendors define “convenience”. A malware infection is not convenient, yet much of what major software vendors call “convenience” is a substantial part of the reason malware is so prevalent and damaging in this world. Software is meant to remove drudgery from our lives, by automating tasks that humans don’t like to do. The tasks we automate should not be core decision-making tasks. Don’t let the software make your decisions for you; instead, let it help simplify the decisions. Autorun for CDs is a travesty of security practice: inserting a disc should never be enough to execute whatever program the disc’s author chose to put on it. So is application selection by the software when you double-click a file, which lets the file’s creator, rather than the user, decide what code runs on it. So too is a system that just automatically downloads and installs software updates without even asking; the objection is to installation without consent, not to timely patching, and a system that fetches updates and then lets the user decide when to apply them keeps the decision where it belongs.
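As an added illustration of the autorun point above (this is example code, not from the original post): on Windows the Explorer policy value NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed, and setting it to 0xFF covers every type. The registry path, the value name and the bit meanings below are taken from Microsoft’s documented policy; the specific “weak” mask shown is only an illustration of a setting that still leaves CD-ROM (bit 0x20) and removable (bit 0x04) drives enabled. The script needs an elevated prompt because it writes under HKLM.

```powershell
# Added example: read, harden and verify the AutoRun policy for all drive types.
# NoDriveTypeAutoRun is a bitmask indexed by drive type; 0xFF sets every bit.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$name = 'NoDriveTypeAutoRun'

# Read what is in effect now. A missing value means the OS default applies.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    "$name is not set; the OS default is in effect"
} else {
    '{0} is currently 0x{1:X2}' -f $name, $current
}

# Weak setting (illustrative): 0x91 = 0x80 + 0x10 + 0x01 suppresses AutoRun only
# for unknown, network and unrecognised drive types, so CD-ROM (0x20) and
# removable (0x04) media would still auto-execute. Shown for contrast; not applied.
$weakMask = 0x91
'Weak mask 0x{0:X2} leaves CD-ROM enabled: {1}' -f $weakMask, (($weakMask -band 0x20) -eq 0)

# Hardened setting: suppress AutoRun on every drive type.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name $name -Value 0xFF -Type DWord

# Verify the write took effect rather than assuming it did.
$after = (Get-ItemProperty -Path $key -Name $name).$name
if ($after -ne 0xFF) { throw "AutoRun policy was not applied (value is 0x$('{0:X2}' -f $after))" }
'AutoRun disabled for all drive types (0x{0:X2})' -f $after
```

The same value can be set under HKCU to apply to a single user, but the HKLM policy key wins when both are present. This addresses only the AutoRun part of the complaint; the double-click file association and automatic-update behaviours are separate settings.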
Don’t let your computer do your thinking for you. Let it do the scut-work. Otherwise, the computer will become the pointy-haired boss you so loathe at work, who tells you what to do, and makes decisions that make your life more difficult in the long run, despite relieving you of the responsibility to make your own decisions. The difference is that, with software, we call this “convenience”, no matter how inconvenient the consequences.