Fog Creek Software
Discussion Board




Thanks for the spam

http://www.theregister.co.uk/2004/06/04/trojan_spam_study/

Like no one suspected.  I really wish someone would write something that would flash the bios or wipe the hard drives of the machines mentioned in the article.

Batterup
Tuesday, June 08, 2004

Enough is enough.

Microsoft should take some of the rap for the current spam problems. Were it not for all the swiss-cheese security holes in Outlook (LookOut?) and NT/2000/XP the problem wouldn't be anywhere near as pandemic as it is.

Anon
Wednesday, June 09, 2004

If you left your front door open and a big ass dog ran in and grabbed you by the balls who would be at fault, you, who left the door open, or the guy who owned the dog?

Jack of all
Wednesday, June 09, 2004

It would be the same if the masses used Linux or Mac. The problem is that they don't know how to patch their machine.

Matthew Lock
Wednesday, June 09, 2004

"If you left your front door open and a big ass dog ran in and grabbed you by the balls who would be at fault, you, who left the door open, or the guy who owned the dog?"

Terrible analogy.

Mike
Wednesday, June 09, 2004

Just clicked on the "Terrible analogy" checkbox*


*Meaning I second that.

TJ Haeser
Wednesday, June 09, 2004

The problem is that people aren't installing their Windows Updates. And I think this is because prior to Windows XP it took too many clicks to actually start installing updates. You had to:

- find the Windows Update Icon
- click on it
- wait for the page to load
- click on the "scan for updates" button
- accept the signed activex package from Microsoft
- wait while your computer was scanned
- then you were presented with a page where you had to decide which updates to install. If you managed to realise that you needed the critical updates you had to remove the critical updates that needed to be installed separately, like service packs and Internet Explorer,
- click the install button
- click the agree button
- wait for hours if you were on a modem
- repeat above until there were no critical updates left
- configure the machine to notify you of future updates

Windows XP has gone some way to making this easy, but it still automatically hides the icon with that "hidden icons" thing. I think MS should build windows update into a permanent flashing icon next to the clock that keeps flashing and popping up messages until all the updates are installed.

Matthew Lock
Wednesday, June 09, 2004

"Were it not for all the swiss-cheese security holes in Outlook (LookOut?) and NT/2000/XP the problem wouldn't be anywhere near as pandemic as it is."

I fully agree. In fact they could remove 99,9999999% of all those security vulnerabilities by just removing one feature: the bloody moron holding the mouse.

Just me (Sir to you)
Wednesday, June 09, 2004

There should be  a fine for redistributing a virus (or allowing your hardware to be used for redistribution).

End users would get smart real quickly, and then put some real pressure on MS.
I think both the OS and the users are to blame.

Eric Debois
Wednesday, June 09, 2004

Yeah right, that's putting the stress on the right people, huh?

Torsten Laube
Wednesday, June 09, 2004

>>"Microsoft should take some of the rap for the current spam problems. Were it not for all the swiss-cheese security holes in Outlook (LookOut?) and NT/2000/XP the problem wouldn't be anywhere near as pandemic as it is."

Really?  Then why is it that I've been running Windows since the early days of Windows 3.x and the number of trojan/worm/virus infections on all of my computers for the past 12 years has been exactly ZERO.

The *REAL* problems are:

1.  User stupidity.  People have been told a gazillion times not to do certain things, but continue to do them anyway.

2.  User stupidity.  Millions of people who know virtually nothing about how computers or software work.  Who have absolutely no understanding of simple, fundamental concepts.
(Batch file?  what's that?  Executable file?  What's that?)

3.  User stupidity.  The security holes in IE and Outlook Express (and yes there are many) are no excuse.  There are several alternatives to Internet Explorer and Outlook Express.  In many cases they are superior products and FREE.  And even if they aren't free, they're worth it.  But people are too lazy and stupid to even investigate the possibility of using something else.

4.  The dumbing down of software.  "Windows XP is the easiest Windows ever!!!"  The idea that computers should be just another appliance, and "easy enough for grandma to use" is the root of the problem.

5.  ISP greed.  A recent study says that 80% of all spam is coming from "Zombie" computers.  Home PC's,  with a broadband connection, infected with various worms/viruses.  Cable/DSL companies should disconnect anyone sending out e-mail through their own SMTP connection (in most cases it's a violation of their TOS to run a mail server anyway) but they won't because it would cut into profits.

Rammalamma Dingdong
Wednesday, June 09, 2004

>>"Windows XP has gone some way to making this easy, but it still automatically hides the icon with that "hidden icons" thing."

HUH??  Have you ever even used Windows XP?

Start -->  All Programs

And right there at the very top of the list is "Windows Update".

Rammalamma Dingdong
Wednesday, June 09, 2004

As a software professional, let me assure the grandmas reading that most of us distance ourselves from Rammalamma's highly polarized, anti-noob view of computers. Most of us believe that it is a failure of the software world that we can't provide an environment where you can browse the internet, read emails, and run flash attachments with no worries about adversely affecting your machine or the machines of others. There is no reason, technically or usably, that we can't achieve this.

Dennis Forbes
Wednesday, June 09, 2004

"HUH??  Have you ever even used Windows XP?"

I think he's referring to the update icon that appears in the system tray.

Rob VH
Wednesday, June 09, 2004

> HUH??  Have you ever even used Windows XP?
> Start -->  All Programs
> And right there at the very top of the list is "Windows
> Update".

Exactly my point, *you* have to go looking for it and decide to check out what Windows Update does.  That rules out 99% of users straight away.

Instead Windows should keep popping up windows and dialogs reminding you that you need to install updates to keep Windows up to date. I know that XP does this to an extent but so many of my clients have ignored that little icon and status bar and after a while Windows XP just hides it.

Actually maybe the entire desktop theme should change to red when there are critical updates ready ;)

Matthew Lock
Wednesday, June 09, 2004

The problem is not Outlook.  These popular e-mail viruses do not rely on a security vulnerability in the software.  The problem is that users ACTIVELY CHOOSE to run the attachment, usually because the text of the message says something like "run this attachment for free porn".

Case in point:  One of the latest e-mail spamming viruses sent its payload in a password-protected zip file.  Users had to unzip the file, enter a password, and run the contents of the archive to get infected.

It's a social engineering issue, not a software bug.  I suppose banning e-mail attachments altogether would stop it.

Myron A. Semack
Wednesday, June 09, 2004

"The idea that computers should be just another appliance, and "easy enough for grandma to use" is the root of the problem."

Please name the convicted monopolist that espouses this misinformation.

obvious
Wednesday, June 09, 2004

> There should be  a fine for redistributing a virus (or
> allowing your hardware to be used for redistribution).

I'm not 100% sure, but believe it is a federal crime here in the states to create a virus and release it into the wild.

> Instead Windows should keep popping up windows and
> dialogs reminding you that you need to install updates to
> keep Windows up to date.

I agree that the taskbar balloon notifications aren't very helpful.  They also pop up all sorts of irritating things like "Your desktop is dirty, can I clean it?"  No wonder users ignore them ;)

However, I also don't want to be annoyed with the equivalent of a MS-Windows-Update pop-up ad every 3 days either.  I think the best option would be for WinUpdate to automatically download and apply updates by default, and simply tell the user when it needs to reboot (giving them the option to cancel and reboot later, of course).

There is a setting that's close to this behavior in the Auto Updates config, but it's not the default.  Actually it lets you auto install at a scheduled time, which is less than ideal since if you never have your computer on at the default 3AM, you'll never get updates installed...

Joe
Wednesday, June 09, 2004

> There should be  a fine for redistributing a virus (or
> allowing your hardware to be used for redistribution).

> I'm not 100% sure, but believe it is a federal crime here in
> the states to create a virus and release it into the wild.

Joe,

  I think the first part was talking about people who get infected machines and don't bother cleaning them up, so others get the infection... Not the guys who actually created the virus.  I can see the point, as much as people think of viruses as "coming out of the ether" onto their machine, every virus that makes it to MY computer had to go through a bunch of routers (and probably a 3rd party server), not straight from the creator.

Steamrolla
Wednesday, June 09, 2004

Anyone making a claim "bad analogy" really ought to put some effort into explaining what's bad about it if they care to be taken seriously.

What does this look like, Slashdot?

Goob
Wednesday, June 09, 2004

Thanks steamrolla, but I intentionally ignored that part as I find it silly :)  First, it'd be absolutely impossible to enforce.  And second, it's not fair to hold end users ultimately accountable for security holes in vendor-purchased software.  Of course, there's plenty of viruses that don't spread that way, but the statement didn't differentiate.

A better argument might be that MS should be held legally accountable for the SQL Slammer worm that took down half the 'net.  At the moment, EULA's pretty much release the vendor of any and all liability.  Situations like this could, however, be treated in a similar manner to safety defects in consumer vehicles (where people injured in car accidents sue the maker for damages directly incurred as a result of the defect).

Joe
Wednesday, June 09, 2004

"A better argument might be that MS should be held legally accountable for the SQL Slammer worm that took down half the 'net. "

On the basis of what? How can they be held responsible for their customers not patching their systems? We know that around 60-70% of users do not patch their systems pro-actively, and that about 10-20% of systems don't get patched at all, never, and these numbers are irrespective of platform or user type. Now you want to put an additional charge on all software for the stupidity of these people?

Just me (Sir to you)
Thursday, June 10, 2004

"On the basis of what? How can they be held responsible for their customers not patching their systems?"

On the basis of shipping vulnerable software. No end user has ever introduced a bug or vulnerability in MS software, only MS can be responsible for that.

However, since MS might not be aware of who is actually using their software, they cannot be made responsible for keeping each and every system running their software up-to-date. Given the way MS pushes a lot of responsibility towards OEMs the situation gets even more confusing. As an end user I have to contact the OEM who sold me my copy of Windows. They have to work out something with MS.

There is no quick-n-easy fix for the mess we're in right now, but just blaming end-users for not patching is just not fair, IMHO.

Say cheese
Thursday, June 10, 2004

"On the basis of shipping vulnerable software."

All software is vulnerable. So do you want to put an extra charge on software to cover for the insurance? I'm sure insurance companies would love this.

Just me (Sir to you)
Thursday, June 10, 2004
