rifleman said:
[snip]
You forget that the VAST MAJORITY of computer users today know
absolutely NOTHING about viruses, firewalls, AV programs or any sort of
internet and email security. This is not their fault - I have long
advocated that any new purchaser should be given a short lesson on this
by their vendor before they take their machine away.
Well, you're partly right. I actually haven't forgotten that the vast
majority of computer users don't know anything about self protection. When
I develop software intended for consumers, I develop with the capabilities
of someone who is lucky if he can figure out how to turn on a computer in
mind (and the feedback I get from both power users and naive users has been
positive). I'd also agree with you that vendors should verify that their
customers know at least the basics, and if not, teach them.
But, on some fronts, this is changing. My ISP recently decided to provide
their own virus software (probably licensed from a company specializing in
security related software) to ALL of their clients free of charge, strongly
encouraging them to install and use it. I don't because I am already using
another product, but still that is an excellent development. AND, they are
providing a free, server side, antispam service. Unfortunately, the average
user doesn't know about this service and, at the same time, it is off by
default and the user has to go to the mail server and manually enable and
configure it. Now, if only they provided a few webpages teaching users who
know nothing about cyber-security how to reconfigure their installation of
Windows to be more secure ... There'd be far fewer vulnerable machines for
script kiddies to attack.
At the same time, what I was talking about revolves around the fact that it
isn't difficult to design software in such a way that the default
configuration is safe, but it remains easily reconfigured by those of us who
do know what we're doing. In the past, MS Windows' default configuration
seems to have everything turned on, and thus is very insecure. OpenBSD, in
the default install, has just about everything turned off (at least those
capabilities that could represent a security risk), and you can't get these
features turned on until you have studied it well enough to know what you're
doing. In this particular instance, in an attempt to fix a problem they'd
created, they decided to impose their "solution" on everyone, regardless of
whether or not the user knows what he's doing. I design and implement
software myself, so I know it isn't all that difficult to design software
that caters to the needs of naive users while at the same time being easy
for "power users" to reconfigure to suit themselves. And, even for this, it
is easy for a determined cyber criminal to beat. All he has to do, in this
case, is remove the extension (which is all that MS' option looks at in this
case), and tell his target to just add the extension and open. And there
are plenty of people naive enough to do so without questioning the source.
When my colleague and I first encountered this problem, before I learned
about the solution involving editing the registry, this is exactly what we
did. What MS should have done is a) make allowing or denying attachments of
various kinds easily user configurable, on a page in the options dialog, and
b) add to Outlook and Outlook Express a scanner (perhaps delegated to the
user's antivirus software if present) that can scan the attachments for
viruses and trojans regardless of whether they are binary attachments or
implemented using VBA.
Cheers,
Ted
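The bypass Ted describes (an attachment block that looks only at the file extension, defeated by stripping the extension and telling the recipient to add it back) and his proposed fix (b), a scanner that inspects attachment content regardless of how it is packaged, are illustrated below in a small added example. This is not code from the original post or from any Microsoft product: the extension block list, the magic-number table, the `vbaProject.bin` heuristic for macro-enabled Office files, and the sample attachments are all constructed for this illustration.

```python
"""Added example: extension-only attachment blocking versus content inspection.

Not from the original thread. The block list, signature table and sample
attachments below are constructed for illustration only.
"""

from dataclasses import dataclass

# Constructed block list modelled on the kind of list the post describes.
# Not Outlook's actual list.
BLOCKED_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".vbs", ".js"}

# Constructed signature table. "MZ" is the DOS/PE executable header;
# the 8-byte D0 CF 11 E0 sequence is the OLE2 compound-file header used by
# legacy Office documents, which can carry VBA macros.
MAGIC_SIGNATURES = {
    b"MZ": "windows executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 compound file (legacy office, may hold VBA)",
}

ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class Attachment:
    filename: str
    data: bytes


def extension_of(filename):
    """Return the lower-cased trailing extension, or '' if there is none."""
    name = filename.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_by_extension(att):
    """The weak check: decide purely on the file name's extension."""
    return extension_of(att.filename) in BLOCKED_EXTENSIONS


def classify_content(data):
    """Classify an attachment by its bytes, ignoring the file name.

    Returns a label for executable or macro-capable content, else None.
    The ZIP branch is a heuristic: macro-enabled OOXML files (.docm, .xlsm)
    are ZIP archives whose central directory names a 'vbaProject.bin' entry,
    so the name appears in plaintext inside the archive bytes.
    """
    for sig, label in MAGIC_SIGNATURES.items():
        if data.startswith(sig):
            return label
    if data.startswith(ZIP_MAGIC) and b"vbaProject.bin" in data:
        return "ooxml document with VBA project"
    return None


def flagged_by_content(att):
    """The stronger check: flag for scanning based on what the bytes are."""
    return classify_content(att.data) is not None


def strip_extension(filename):
    """What the attacker in the post does: drop the extension so the
    extension-only block lets the file through."""
    dot = filename.rfind(".")
    return filename[:dot] if dot != -1 else filename


def evaluate(att):
    """Run both checks so the gap between them is visible side by side."""
    return {
        "filename": att.filename,
        "extension_block": blocked_by_extension(att),
        "content_flag": flagged_by_content(att),
        "content_type": classify_content(att.data),
    }


# Constructed sample attachments. The bytes are truncated stand-ins for
# real headers, not working files.
SAMPLE_EXE = Attachment("invoice.exe", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24)
SAMPLE_EXE_RENAMED = Attachment(strip_extension(SAMPLE_EXE.filename), SAMPLE_EXE.data)
SAMPLE_DOCM = Attachment(
    "report.docm",
    ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00" + b"word/vbaProject.bin" + b"\x00" * 16,
)
SAMPLE_TXT = Attachment("notes.txt", b"Meeting moved to Thursday.\n")

if __name__ == "__main__":
    for att in (SAMPLE_EXE, SAMPLE_EXE_RENAMED, SAMPLE_DOCM, SAMPLE_TXT):
        print(evaluate(att))
```

Running the block shows the two failure modes in one pass: the renamed executable sails through the extension check but is still flagged by its `MZ` header, and the macro-enabled document is never on the extension block list at all yet is flagged because its content declares a VBA project. A real scanner would hand the classified bytes to the user's antivirus rather than stop at classification, which is what the post's point (b) proposes.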