"gurus" complaining about neophytes to the NY TIMES

[stargazer]

Oh brother, I'm not going to bother naming the reporter, they have to
make a living too. But the article I read today was prety lame.

Tech "gurus" (probably only one genius) are complaining about
neophytes and computer security. That the spread of virus's is all
their fault. Why did you click on the attachment that you didn't know
what it was?

Well, number 1, most people trust their anti-virus software, which is
of course approaching the cost of the operating system itself (over 4
years, mine will far exceed what I paid for the OS itself!).

So much for being a neophyte. And why pray tell do you even need to
use the address book if that is the favorite target of virus writers?
Is it that hard to paste your addresses from a separate file? Or is
it too complicated for those "tech gurus" to import their address
books only when they need them?

How many people really need to send emails to clusters of people? I
doubt very many or very often. And lets not forget about blaster.
That didn't need anybody's action or email program.

Anyway, some people have the bright idea that I should get a license
to operate a PC because they use their address book? Oh brother.
Grow up.

Yes, neophytes have access to powerful machines. And so do the
"gurus". Most virus's in emails get caught transparently, so I don't
who this this "guru" is that influenced a Times reporter, but then
again, it doesn't matter.

Virus writers will fade away one day. In the mean time, put a fraud
alert in your credit file. If enough people do that, maybe the credit
companies won't be so eager to help someone that steals your identity
and tries to refinance your mortgage while they are in Hawaii spending
your money?

Makes sense to me. When enough lenders can't get business because
millions have put fraud alerts in their credit files to prevent future
problems, then perhaps the Credit Companies will start hiring new
people? There, I just created some jobs for the economy!

What doesn't make sense is trying to attack a Microsoft server that
can handle several terrabytes of data. What a waste of time. And
quit whining about neophytes, you were one too at one time (whoever
you are).

If counterfeiting is a crime worthy of the Secret Service, then
stealing an identity should be as well (isn't that counterfeiting?)?

Tell it to Congress.

By the way, if Congress is going to borrow money, who do they borrow
it from? Do we end up paying for two space programs, ours, and a
foreign country's?

Sounds like a question for Clark Kent.

 

[Guest]

Babble (verb): talk foolishly or too much.

 

[cquirke (MVP Win9x)]

On 5 Feb 2004 09:36:52 -0800, (e-mail address removed) (stargazer)

This goes into territory I thought about a LOT...

Tech "gurus" (probably only one genius) are complaining about
neophytes and computer security. That the spread of virus's is all
their fault. Why did you click on the attachment that you didn't know
what it was?

Well, number 1, most people trust their anti-virus software

How many people really need to send emails to clusters of people? I
doubt very many or very often. And lets not forget about blaster.
That didn't need anybody's action or email program.

Hold both of those thoughts.

Yes, neophytes have access to powerful machines.

It's not system power, it's broadband bandwidth that is the problem.

Virus writers will fade away one day.

Nope. It's more likely they will be signed up and paid by the
commercial malware vendors and spammers. When was the last
gratuitously destructive outbreak, a la CIH or Magistr? How many of
today's malware include email harvesting, smtp forwarding and RAT
functionalities? How has the price for "a million email addresses for
only..." CD-ROMs been holding up? Join the dots yourself...


The problems are, in this order:

1) Badly-designed software
2) Badly-coded software
3) Dumb users


On (1): By design, MSware is terminally stupid...
- autoruns macros within data "documents"
- autoruns scripts within unsolicited email "message text"
- allows scripts within cookies
- hides risk info from users
- provides "remote admin" functionalities on a plate

MS aren't alone here. Netscape also autoruns JavaScript in
unsolicited email messages, and the software industry as a whole has
taken the decision to confer programming rights to web sites; only the
details (Java vs. Javascript vs. ActiveX) vary.


On (2): Coding defects are famous for attack opportunities that bypass
the user's ability to say No; Lovesan/Blaster, MIME-spoofed
attachments and so on. Yet nearly always, these code defects are
within ill-advised functionalities to begin with, e.g. RPC exposure to
the Internet and HTML email "text" respectively.

That's why I rate the issue of bad code - and with it, the whole "code
of the day" patching process - as second to (1).


On (3): It's hard to blame the user when the user was robbed of the
chance to say No (by design or defects that autorun stuff), and/or
when the user is denied the information needed to assess risk. The
only bad decision left to blame the user for, is the choice to use the
only OS that supports most of the software they'd want to use.

Having said that, Novarg.A/MyDoom.A depends entirely on user STUPIDITY
to spread. It uses no autorunning tricks, and the message text it
sends itself with is so OBVIOUSLY generic and untrustworthy, that
you'd have to be a bloody fool to fall for it. This is probably
design, to select only those systems that are unlikely to be cleaned.


The fact Novarg.A/MyDoom.A has spread as fast or faster than malware
which leveraged holes and stealth to spread (e.g. BadTrans.B, Lovesan)
implies that even if we fix (1) and (2), (3) remains a problem.

---------- ----- ---- --- -- - - - -

Consumer Asks: "What are you?"
Market Research: ' What would you like us to be? '