Fog Creek Software
Discussion Board




Mydoom a taste of viruses to come?


http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89827,00.html?SKC=security-89827

This quote caught my eye:

"I've lost my faith in education. It never helps; people will never learn. ... They will click on everything," he said.

I don't think it's going to be as bad as this guy claims, but I do think that users will become more sophisticated over the years. Maybe not much, but some at least...

"We really have to take security to a higher level and take the responsibility away from the users. ... [People] have to be automatically secured by someone else," Hypponen said.

Yeah, that's a pretty convenient strategy coming from a security consulting company.

Mark Hoffman
Thursday, February 5, 2004

Mark,

As long as there are people who still can't get rid of the blinking '12:00' on their VCRs, there will always be people who open every email attachment they get.

Anonymous Developer
Thursday, February 5, 2004

I think it's a taste of yesterday's viruses - in the sense that the attachment thing can be engineered out of email (no executable attachments) or the people

I dread to think what tomorrow's viruses will be, but they won't be like Mydoom.

S.Tanna
Thursday, February 5, 2004

can you force people not to open email? can you force people not to do harm for themselves?

in europe they want to put a "max-speed with gps" thingy in every new car to make less accidents because people driving with 120 km/h. again.

it's more like philosophy. force security even if someone doesn't like it, but at least the community (internet) will survive

na/na
Thursday, February 5, 2004

My VCR is blinking and I don't open attachments. Go figure!

coresi
Thursday, February 5, 2004

"can you force people not to open email? can you force people not to do harm for themselves?"

no, but I can lock down a person's box, making it difficult for them to harm others by propagating a virus.  There's no need for Average Joe to have Administrator rights on his pc.

Steve H
Thursday, February 5, 2004

An interesting quirk to the case at hand is, let's take people who don't program their VCRs.  It's not that they just don't get around to it, it's more often that they just don't care or want to take the time to learn how.  They won't take responsibility for their own education.  They will buy a new VCR that sets itself first.  It's a terrible school of thought these days that is only growing.

The same thing happens in the computing world.  They could install patches and antivirus software, but they're too dang lazy to learn how.

What's most funny is, they don't blame Panasonic because their VCR won't record the Super Bowl halftime show and they missed Janet's moment of fame, but they do blame the software makers because they get hacked and download viruses.

Walt
Thursday, February 5, 2004

"I don't think it's going to be as bad as this guy claims, but I do think that users will become more sophisticated over the years. Maybe not much, but some at least..."

Not even a little.

Mike
Thursday, February 5, 2004

"no, but I can lock down a person's box, making it difficult for them to harm others by propagating a virus.  There's no need for Average Joe to have Administrator rights on his pc."

Not having Administrator rights would do nothing to solve the problem.  Most e-mail worms do not require Administrator rights to spread.

Myron A. Semack
Thursday, February 5, 2004

Maybe we could pass a law to require virus writers to obey administrative rights.

Do you know there are people who drive cars and don't change their oil every 3000-3500 miles? It is a fact that people often do not maintain what they have. That includes knowing best practices and keeping security and virus software up to date.

m
Thursday, February 5, 2004

I don't set the time on my VCR. It's a waste of time to do so since it'll just come undone the next time there is a 5 second outage. The problem is usability. VCRs should either set themselves by using the signal that comes on the PBS stations, or should have a lithium battery backup.

I've never gotten a virus but I can see why it happens. Bad usability. You open your mail and you get a virus. There should be no connection between opening mail and getting a virus. Again, poor usability is to blame.

Dennis Atkins
Thursday, February 5, 2004

I wonder what would happen if you emailed a VIRUS.EXE attachment and the mail text said,

BEGIN---
This is a virus.  If you run this attachment, there is a 50% chance you will be infected and it will email itself to every address it can find on your computer.

There is a 10% chance it will delete all the files on your computer.

The remaining 40% of the time, it will install a virus shield that protects you from this and other viruses.
--END

Richard P
Thursday, February 5, 2004

The analogy of setting the VCR clock is correct, but it's focusing on the wrong point. Setting the time became such a problem that a 'blinking 12:00' became a common joke. Castigating users didn't work so eventually manufacturers started making the VCRs set the time themselves.

Email programs are at that point where getting a virus is so common it's becoming a joke. The writers of these applications need to alter it to work in the current environment. I can think of some ways to stop this propagation of viruses:

- Pop up a notification window warning the user to be sure what's in the attachment.
- Create a sandbox for attachments to be loaded in so they don't have access to the full system.
- Require (or build in) an antivirus tool to be hooked into the mail program.

Email users just want to read their mail, not have to worry about how to handle attachments, being affected by viruses, just like VCR users just want to tape something, not learn how to set its clock.

Miles Barr
Friday, February 6, 2004

- Pop up a notification window warning the user to be sure what's in the attachment.

Mindlessly clicks "Ignore"

- Create a sandbox for attachments to be loaded in so they don't have access to the full system.

"To view the boobies, save the file to the desktop"

- Require (or build in) an antivirus tool to be hooked into the mail program.

"But I want to use another one, and don't you dare charge me. You don't, well that just means you are adding in the cost behind the scenes, and I am still paying for it"

Just me (Sir to you)
Friday, February 6, 2004
