Educause Security Discussion mailing list archives

Re: Future Impact of Viruses on Internet


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Wed, 28 Jan 2004 20:22:38 -0500

Curmudgeon mode on:

I'd like to point out that the majority of the problems we have had
have two things in common.  In fact, I would say that these are two
necessary conditions for every mail-based worm we have seen in the
past couple of years, and at least one of the two is necessary for
all the others:

1) They include an executable for Windows
2) They are based on an executable encoded using MIME in email

Those of us on machines running Solaris, HP/UX, MacOS, BSD, Linux,
etc have simply had to deal with all the extra email fallout, but the
malware has not established itself on our machines.

There are fundamental architectural problems in Windows that make
these kinds of things work so well (from the attackers' point of
view).  I don't believe they are being addressed as part of the MS
security push, either.   So, one way to protect yourself from these
attacks is to consider a switch to another OS, at least for machines
that handle email.

That's not to say that other operating systems aren't susceptible to
viruses -- they are.  However, those other systems don't allow
general user accounts such unfettered access to structures and
resources that make worms so easy to establish, insert deeply into
the system, and propagate so quickly.  (Well, don't allow -- yet.   I
fear that the security lessons learned over the last 40 years are not
being heeded, and Linux in 10 years will be in a similar state.   But
that is a different rant.)

As to the second point, if we simply start blocking any executable
content attachments, we will do a lot to stop these kinds of things
(not to mention recover disk space and bandwidth, cut down on
trojans, and reduce the number of pranks users play on each
other).  I block .(com|cmd|exe|pif|scr|bat) files on general
principle.  I also bounce .doc files, and I am now bouncing .zip
archives.   This has never caused me any real difficulty in
collaboration with others.     If anything, it has cut down on the
junk people simply mail because it is easy.   Sending around 50K
files for a 3 line memo is a waste of resources.

ANY executable type routinely sent via email is going to result in a danger.

Our community has established that we can't train our users to avoid
clicking on attachments.   It is also clear that the anti-virus
programs, as a rule, don't catch all the new malware.  So, let's be
proactive and simply shut down the vector -- stop allowing users to
send executables in email.

I've expressed this before on this list and been mildly flamed for
suggesting that people stop exchanging dangerous file types.
However, I'm sure that most (if not all) of those who were so quick
to criticize my advice have also had to clean up multiple instances
of malware since.     To me, it's like walking in a 1970s restaurant
and suggesting that people stop smoking because it is harmful to
everyone there.    After being booed out, I've been enjoying the
fresh air and watching all the smokers cough and succumb to repeated
lung diseases.    The addicts are so far gone they can't envision
what it is like to be free of the addiction so they argue with anyone
who suggests they can.

I average over 200 email messages a day (NOT counting spam).  In 25
years online, I have never had a computer virus or worm on my
personal machines, with the exception of the Morris Worm in 1988.   I
do not have any anti-virus software scanning my email, either.
It's not rocket science:  I use a Mac, and I don't open or accept
executable attachments unless I have prearranged for them and know
what they are.  I use a mailer that doesn't auto-open attachments.  I
don't use Word.

So long as people want to put patches on fundamentally unsound
software and procedures, problems will continue.   If we want to
really make a change, it requires actually *changing* things rather
than putting new patches in place.

Happy worm hunting.

--spaf
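The blocking rule described in the message above, as an added example that is not code from the original post or from the EDUCAUSE list: a small Python filter that parses a MIME message and reports every attachment matching Spafford's extension list, every attachment whose bytes begin with the Windows "MZ" executable header regardless of its name, and, in one assumed departure from the post (which bounces all .zip archives outright), any zip archive whose members fail the same checks. The function names, the member size cap and the sample messages are constructed for this example.

```python
"""Attachment-policy filter for MIME-encoded executables in email.

Added example (not from the original message).  Policy assumed here:
  - reject files whose name ends in .com/.cmd/.exe/.pif/.scr/.bat (the post's list)
  - reject any part whose content starts with the DOS/PE "MZ" header, whatever its name
  - open .zip archives and apply the same two checks to their members
"""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extension list taken directly from the post.
BLOCKED_EXT = re.compile(r"\.(com|cmd|exe|pif|scr|bat)$", re.IGNORECASE)
PE_MAGIC = b"MZ"            # first two bytes of a DOS/Windows executable
ZIP_MAGIC = b"PK\x03\x04"   # first local file header of a zip archive
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed cap so a zip bomb is not expanded


def inspect_blob(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the policy violations for one attachment (empty list if clean).

    Checks the filename, then the content's magic bytes, then recurses at most
    two levels into zip archives so that renaming or zipping an executable does
    not slip past the filename rule.
    """
    reasons: list[str] = []
    label = name or "<unnamed>"
    if name and BLOCKED_EXT.search(name):
        reasons.append(f"{label}: blocked extension")
    if data.startswith(PE_MAGIC):
        reasons.append(f"{label}: PE executable by content")
    if depth < 2 and (name.lower().endswith(".zip") or data.startswith(ZIP_MAGIC)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        reasons.append(f"{label}: member {info.filename} too large to inspect")
                        continue
                    reasons.extend(inspect_blob(info.filename, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{label}: unreadable zip archive")
    return reasons


def check_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and collect violations across all MIME parts."""
    msg: Message = message_from_bytes(raw)
    reasons: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        # Plain text bodies that are not presented as attachments are left alone;
        # everything else (binary parts, anything with Content-Disposition: attachment) is inspected.
        if part.get_content_disposition() != "attachment" and part.get_content_maintype() == "text":
            continue
        payload = part.get_payload(decode=True) or b""
        reasons.extend(inspect_blob(name, payload))
    return reasons


# --- constructed sample data (not real messages) ---------------------------

def build_sample(filename: str, data: bytes) -> bytes:
    """Build a multipart message with a short text body and one base64 attachment."""
    msg = MIMEMultipart()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("three line memo"))
    att = MIMEApplication(data, Name=filename)
    att.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(att)
    return msg.as_bytes()


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "memo": build_sample("memo.txt", b"three line memo"),
        "exe": build_sample("update.exe", b"MZ\x90\x00fake"),
        "renamed": build_sample("holiday.jpg", b"MZ\x90\x00"),
        "zipped": build_sample("bundle.zip", make_zip({"setup.scr": b"MZ"})),
    }
    for tag, raw in samples.items():
        print(tag, "->", check_message(raw) or "accepted")
```

A real deployment would run `check_message` in the MTA's content filter and bounce the message whenever the list is non-empty; the point of the content check is that the filename rule alone is bypassed by renaming, and the zip check is what the post's blanket .zip bounce achieves more bluntly.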

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
