Creepy crawly 'lectric critters
Or, looked at from another point of view, more things to be paranoid about.
The New York Times is reporting on another nasty little packet of evil making its way around the ‘net (though not as explosively as Netsky or MyDoom or other “name” nasties.) And Wired News is echoing my point about commercial anti-spam solutions, except they’re—correctly, in my opinion—applying the same argument to anti-virus vendors.
The argument, briefly, is, what motivation to anti-virus companies have for really stopping all the viruses, worms, etc. when those same bits of malicious mobile code create demand for annual virus-signature-file subscriptions?
None, of course.
Although we, at work, do employ a commercial anti-virus solution (and, even if we used one of the wonderful free ones, as a commercial user we’d still need to license it,) the single best barrier we have to email-borne nastiness is a copy of the Sanitizer on our email gateway. It doesn’t rely on signatures—it relies on the basic logic of, “Why the %@#^ would you be e-mailing us an .exe or a .pif in the first place?” We’ve got an FTP server for legitimate file transfer; I’ve yet to hear a soundly-reasoned explanation of why we should be accepting .exe files through email.
Now, Bluerabbit disagrees with me that this kind of thing should be a concern of the average internet user, and SANS (or, at least, Alan Paller,) agrees by quoting Walter Mossberg and the WSJ (excerpt at the SANS link) in saying, “stop blaming the victims” and instead call on the big vendors, Microsoft etc., to create systems which are (more) secure out of the box.
Sorry, hollow laugh. Microsoft represents the vast majority of (vulnerable) systems on the ‘net, and a big reason for that is that Windows is (relatively) inexpensive. (That’s an oversimplification; Windows runs on inexpensive hardware, and Microsoft keeps the cost low as a leader for Office sales, which is where they make serious money.) Making Windows more secure means making Windows more expensive; Microsoft has basically admitted that, and they’ve admitted that making the next Windows more secure has pushed back its release date by a year or two.
Give the “average internet user” the choice between two systems. One is, say, $2,000. The other is $1,800, but the user is cautioned that it is significantly less secure. Nineteen out of twenty will buy the cheaper system, because they (still!) don’t really see worms and viruses as much more than a pretext for selling them up with anti-virus software (like rust-proofing on a new car). (“You want Norton with that?”)
We’re drowning in the collective choices we made. Sure, Microsoft should take a hefty chunk of the blame, and so should the AV industry. But secure choices have been out there for years, more come up every year, and we’re not choosing them. (The same thing’s happening on the highway: there are “safe” small cars out there, but they’re not as safe anymore because so many people want “safe” SUVs that would decapitate my little Honda like a gingerbread man.)
Securing Windows would be a big help, but it’s not happening for years (and that’s not counting how long it will take legacy systems to go off-line.) The average user needs to do something now, and saying, “It’s not my fault” is not what they need to do. Fine, it’s not your fault, but it’s in your lap now either way.
Paller does make a very good point about forcing better security from software vendors:
The National Strategy To Secure Cyberspace, unveiled by President Bush more than a year ago, clearly outlined the best approach to accelerating security improvements in products: using federal procurement power. However, behind closed doors, the software vendors’ highly-paid lobbyists in Washington have bottled up nearly every initiative that would have allowed the government to use its procurement power to require significant security improvements.
There’s something twisted in the whole situation.
Update: Ars Technica weighs in, linking to the same Wired News article, but doesn’t offer much new other than some statistics about those using AV software and getting infected anyway. Ars also doesn’t seem to think there’s anything which can be done, so I guess they haven’t found the Sanitizer.