The 'nothing to do with me' mob are the major offenders, making up 90 per cent of the 1,000 UK employees surveyed. This vast majority believe that they have no part to play in preventing the spread of viruses, and that it is the responsibility of the IT department, Microsoft or the government.
Almost two thirds (60 per cent) aren't aware of even the most basic virus-protection methods and one third claims to be too busy to bother - even if they knew how.
http://www.silicon.com/software/security/0,39024655,39118228,00.htm
SD> Date: Sun, 8 Feb 2004 15:41:53 -0500 (EST)
SD> From: Sean Donelan

SD> http://www.silicon.com/software/security/0,39024655,39118228,00.htm

Not surprising. In our experience, "I'm not concerned about security, because I don't have anything really important on the computer" is all too common of an attitude.

Most of our users are reasonable, however. With a little explanation about the harm an insecure computer can cause, they understand and accept the fact that they're not islands.

Of course, many still get infected with spyware and viruses. At least they're willing to have their computers repaired... better than nothing, but still not as good as being proactive. :-/

Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses : blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.
http://www.silicon.com/software/security/0,39024655,39118228,00.htm
The puzzling thing about this is the basic assumption (by the author of the article) that computers are fragile and infection-prone and that users who don't know how to protect them are somehow part of the problem.

At the moment I'm on a moderate rampage against anti-virus companies, for four reasons:

1. "free" anti-virus software that comes with new computers these days is usually time-locked such that after N days of service, the user has to pay.
2. anti-virus software makes booting, rebooting, logging in, logging out, and sometimes just general operations, amazingly much slower.
3. since they're pattern matchers, it's almost always nec'y to update the virus definitions AFTER a new virus is in the field, to get any "protection."
4. the mail-server versions of these packages inevitably send e-mail to the supposed sender, even though they know this address is inevitably forged.

In this past year's tour of my friends and family, I've taken to removing their antivirus software at the same time I remove their spyware, and I've taken to installing Mozilla (with its IMAP client) as a way to keep the machine from having any dependency on anti-virus software. IT managers are encouraged to consider a similar move next time they're asked to approve the renewal costs of a campus-wide anti-virus license.

There is nothing wrong with a user who thinks they should not have to know how to protect their computer from virus infections. If we (the community who provides them service and software) can't make it safe-by-default, then the problem rests with us, not with the end users.

--
Paul Vixie
In this past year's tour of my friends and family, I've taken to removing their antivirus software at the same time I remove their spyware, and I've taken to installing Mozilla (with its IMAP client) as a way to keep the machine from having any dependency on anti-virus software. IT managers are encouraged to consider a similar move next time they're asked to approve the renewal costs of a campus-wide anti-virus license.
There is nothing wrong with a user who thinks they should not have to know how to protect their computer from virus infections. If we (the community who provides them service and software) can't make it safe-by-default, then the problem rests with us, not with the end users.

And tomorrow's worm will instead send itself to Mozilla addressbook instead of Outlook addressbook, and users will keep clicking on "Open" when they see an attachment "DANCING BEARS - OPEN ME.SCR" or "Mozilla Internet Patch.exe".
(I agree with spyware aspect though) -alex
There is nothing wrong with a user who thinks they should not have to know how to protect their computer from virus infections. If we (the community who provides them service and software) can't make it safe-by-default, then the problem rests with us, not with the end users.
This is somewhat of a surprising position. What is considered "safe"? How do you make a computer safe from the most irresponsible of users, who will run any executable without thinking twice, other than maybe locking down their access rights to an extent that 1) is probably impractical, and 2) would cause an uproar?

It seems there has to be at least some level of basic clue on the user side of things for there to be any hope of this problem going away. As the Internet becomes a commodity, it doesn't seem unreasonable to me to insist that those who use it be versed in the basics of protecting themselves against common threats. No one is asking for expertise -- just the basics would be a big help, wouldn't it? If we accept that there's no such thing as "perfect security" or "completely safe", how do we protect users who assume this isn't the case simply because it's a more convenient assumption for them to make?

OpenBSD is reasonably safe by default. But as functionality & user-friendliness reach levels that non-technical users require/demand, I'm not seeing how we make systems safe without user cooperation; i.e., basic clue on their part. The "Someone else should be completely & totally responsible" stuff exhibited in the article just doesn't seem reasonable here. Society as a whole could benefit from people taking more responsibility for themselves -- the Internet doesn't seem any different in this regard.

-Terry
In article <000001c3eea4$2c9cd9f0$0200000a@pleth0ra>, Terry Baranski <tbaranski@mail.com> writes
Society as a whole could benefit from people taking more responsibility for themselves -- the Internet doesn't seem any different in this regard.
Which is fine (some would argue) as long as their irresponsibility affects only them, and not the rest of society. As for this business of "opening" (aka executing etc) files which users have been sent. One useful first line of defence would be for client software to insist that the name of the sender be typed into a box, as some kind of confirmation that the sender was known to the user. -- Roland Perry
Roland Perry wrote:
As for this business of "opening" (aka executing etc) files which users have been sent. One useful first line of defence would be for client software to insist that the name of the sender be typed into a box, as some kind of confirmation that the sender was known to the user.
The users that are the problem anyway will vote for convenience with their wallets. If they wouldn't, they would not be buying the systems that conveniently allow them to execute and install code in the first place. It would be financially suicidal to make a piece of software to bother the user.

Pete
In article <4027384E.4050203@he.iki.fi>, Petri Helenius <pete@he.iki.fi> writes
The users that are the problem anyway will vote for convenience with their wallets. If they wouldn't, they would not be buying the systems that conveniently allow them to execute and install code in the first place. It would be financially suicidal to make a piece of software to bother the user.
It doesn't cost the user any extra to include such a feature in the next version of Windows, and in all the Critical Updates downloaded starting tomorrow. [Obviously it costs MS something to do the software development.] -- Roland Perry
Roland Perry wrote:
It doesn't cost the user any extra to include such a feature in the next version of Windows, and in all the Critical Updates downloaded starting tomorrow. [Obviously it costs MS something to do the software development.]
It does if you provide free support. You get millions of people calling asking how to disable the annoying feature that they got when they updated the computer. In addition they will tell other people not to upgrade because it gets more annoying to use email and the earlier way was more convenient. You missed my point earlier.

Pete
In article <4027A8DE.5030306@he.iki.fi>, Petri Helenius <pete@he.iki.fi> writes
You get millions of people calling asking how to disable the annoying feature that they got when they updated the computer. In addition they will tell other people not to upgrade because it gets more annoying to use email and the earlier way was more convenient.
That's a user interface design issue. People seem happy enough with popups from virus checkers saying "suchandsuch a file is infected - what do you want to do about it", all I'm proposing is something similar for "potentially harmful files". You already get something similar for (eg) driver files not signed as XP-compatible. Does that put people [support desks, users, potential upgraders] off XP? I agree there may be a scaling issue, although I see fewer wanted-executables annually than I have non-XP drivers installed, which is also pretty much an annual exercise. Of course, if it did gain acceptance maybe the black hats would simply deliver their infections differently. -- Roland Perry
PV> Date: 08 Feb 2004 22:46:17 +0000
PV> From: Paul Vixie

PV> There is nothing wrong with a user who thinks they should not
PV> have to know how to protect their computer from virus
PV> infections. If we (the community who provides them service
PV> and software) can't make it safe-by-default, then the problem
PV> rests with us, not with the end users.

Cool. I guess I'll quit locking doors, leave valuable items unsecured and unattended in plain sight, and generally rely on law enforcement to keep everything safe. It'll be more convenient and less effort for me.

No?

Perhaps all parties should do as much as is reasonable.[*] ISPs cannot block 100% of Internet nastiness. By no stretch of the imagination does this mean ISPs shouldn't try, but users need to take on some responsibility, too.

[*] Fuzzy grey ideology. Yes, I know.

Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses : blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.
On Mon, 09 Feb 2004 01:17:00 GMT, "E.B. Dreger" <eddy+public+spam@noc.everquick.net> said:
Cool. I guess I'll quit locking doors, leave valuable items unsecured and unattended in plain sight, and generally rely on law enforcement to keep everything safe. It'll be more convenient and less effort for me.
Unfortunately, I have to differ here. A more proper analogy would be that "running A/V software on the standard Microsoft configuration is like putting security cameras around a building that's lacking locks on the doors".
On Sun, 8 Feb 2004, Paul Vixie wrote:
The puzzling thing about this is the basic assumption (by the author of the article) that computers are fragile and infection-prone and that users who don't know how to protect them are somehow part of the problem.
The way corporations "solve" the problem is take away all privileges from end-users. End-users can't install software, can't make changes to the system configuration, can't connect to unapproved systems. IT support in most corporations costs more per seat than the average home user pays for Internet access.

In 1998, the concept of Web Appliances was the rage. Most users of the Internet use e-mail and the web. Web appliances eliminated 90% of the bloat of Windows, and only provided the few functions most people use. They didn't even have anti-virus, because they didn't need it. The market decided secure (limited) web appliances weren't desired by the purchasers of computers.
In this past year's tour of my friends and family, I've taken to removing their antivirus software at the same time I remove their spyware, and I've taken to installing Mozilla (with its IMAP client) as a way to keep the machine from having any dependency on anti-virus software. IT managers are encouraged to consider a similar move next time they're asked to approve the renewal costs of a campus-wide anti-virus license.
Next year, when you tour your family and friends, how many will have re-installed programs which included spyware as well as saving and running viruses delivered through the e-mail?
There is nothing wrong with a user who thinks they should not have to know how to protect their computer from virus infections. If we (the community who provides them service and software) can't make it safe-by-default, then the problem rests with us, not with the end users.
Every computer sold in the US is safe by default. It is powered off, disconnected, in a factory sealed box :-) The problem is only partially technical. I used to do public access kiosks and never had virus problems with millions of users every year. But you couldn't save, alter or run any unauthorized programs on any of the public access kiosks either. No Microsoft Word, no KaZaA, no Instant Messenger, no Gator, no Weatherbug, no Real Player, etc. Unfortunately, people want to install arbitrary software on their computers and are willing to bypass every control to do it.
On Sun, 8 Feb 2004, Sean Donelan wrote:
Unfortunately, people want to install arbitrary software on their computers and are willing to bypass every control to do it.
Which is rather interesting... As probably every person on this mailing list does regularly, I end up sitting at a computer for some period of time when visiting any relative's home. I don't even run Windows myself, but have still had to become familiar with "AdAware" and all the other "cleaning tools". It's truly amazing the amount of software people will install in the course of a few months. And almost all of it is the kind of junk that wants to throw ads in the user's face during the normal course of use.

You can even ask the owner of the PC "what software should I put on here? what do you *need* to do on this PC?" and they'll give you a list, and you seek out more "friendly" applications for weather reporting, browser bar "helpers", etc. The machine is "clean" and there is no nagware/adware. Come back months later and WeatherBug is there, 5 different IE toolbars that can't be turned off, etc. Stunning, really.

The thing that really burns me is that my own "shiny pretty happy box" is a Mac. I tend to install gadgets for weather, stock trackers, you name it. For whatever reason, I'm more likely to find truly free applications that have no ill side-effects to do the same things that the PC crowd wants. I mean, I have to *work hard* to find adware for the Mac. Why is that? I understand why that's so on *BSD/Linux, but the Mac really does out-of-the-box work like a PC running Windows as far as functionality is concerned, unlike *BSD/Linux. So why the apparent lack of junkware?

Charles
In this past year's tour of my friends and family, I've taken to removing their antivirus software at the same time I remove their spyware, and I've taken to installing Mozilla (with its IMAP client) as a way to keep the machine from having any dependency on anti-virus software. IT managers are encouraged to consider a similar move next time they're asked to approve the renewal costs of a campus-wide anti-virus license.
when my mother wanted to use the web, i gave her a laptop with ROM-boot linux (Mozilla runs on top of it). so far i saw no problem, she's okay with using linux. ROM-boot linux was from www.cramworks.com. (she is using cellphone for emails) itojun PS: i have no relationship with cramworks.com
On Sun, 8 Feb 2004, Paul Vixie wrote:

: > http://www.silicon.com/software/security/0,39024655,39118228,00.htm
:
: The puzzling thing about this is the basic assumption (by the author of
: the article) that computers are fragile and infection-prone and that users
: who don't know how to protect them are somehow part of the problem.

Replace "computers are" with "Windows is" in that statement and it becomes very much true. There's a direct link between the Windows*uneducated-user tuple and distribution levels of malware.

: 2. anti-virus software makes booting, rebooting, logging in, logging out,
: and sometimes just general operations, amazingly much slower.

That's the cost of having an amazingly insecure OS, used by an average computer user, wrappered by a condom.

If the user is not smart enough to inspect everything downloaded to the computer (and preferably with a trojan-virus scan run by hand), then the user is not smart enough to be trusted not to use antivirus software. Uneducated users should live with the slowness. It's protecting the rest of the world from their blissful ignorance.

: 4. the mail-server versions of these packages inevitably send e-mail to the
: supposed sender, even though they know this address is inevitably forged.

Unrelated to the end user bit, but this is definitely an annoyance.

: In this past year's tour of my friends and family, I've taken to removing
: their antivirus software at the same time I remove their spyware,

Gee, I hope these folks are more computer literate than my family. My mother-in-law reinstalled Win2k, and even Mozilla for mail and browsing, and she still got hold of a malware trojan and ran it. Didn't help one bit.

The average Windows user CANNOT BE TRUSTED TO DO THE RIGHT THING because they are blindly trusting the (1) operating system's security, and (2) non-malicious intent of the things they view or download. This is established fact, with oodles of hard-earned stats to back it up.
: and I've taken to installing Mozilla (with its IMAP client) as a way to
: keep the machine from having any dependency on anti-virus software.

Did you also do everything in your power to prevent users from running IE or its shdocvw.dll embedded component? (Hint: That's not possible as of Win2k.) Or running OE or Windows Media Player? (Same deal.)

The problem lies not in the e-mail program. Several of the recent worms were NOT spread by e-mail. Viruses still lurk in IE-trojan web sites.

: IT managers are encouraged to consider a similar move next time they're
: asked to approve the renewal costs of a campus-wide anti-virus license.

Uh, you're kidding, right? Large internal networks are breeding grounds for viruses and trojans, and can be trusted even less than Aunt Millie.

: There is nothing wrong with a user who thinks they should not have to know
: how to protect their computer from virus infections.

Exactly. So just run the software, live with the slowdown while it does its work, and you get to play in the sandbox. Don't run the software, and get infected and shut off from the rest of the world.

Now, I may know your operating system software preferences a little better than most here. But it can't be so difficult to see that the average user's ignorance of technology, coupled with the rapid proliferation of security holes in their chosen OS, is a recipe for disaster.

Antivirus software is not the best solution, to be sure. However, until a certain Redmond entity slows down its "pervasive" embedding of a very broken and bug-riddled Web browser rendering core into all corners of their OS, antivirus software is the *only* solution.

--
-- Todd Vierling <tv@duh.org> <tv@pobox.com>
--On Sunday, February 8, 2004 10:46 PM +0000 Paul Vixie <vixie@vix.com> wrote:
There is nothing wrong with a user who thinks they should not have to know how to protect their computer from virus infections.
However, someone attending NANOG should at least have cleaned up slammer before connecting to the wireless...
At 02:46 PM 2/8/2004, Paul Vixie wrote:
In this past year's tour of my friends and family, I've taken to removing their antivirus software at the same time I remove their spyware, and I've taken to installing Mozilla (with its IMAP client) as a way to keep the machine from having any dependency on anti-virus software. IT managers are encouraged to consider a similar move next time they're asked to approve the renewal costs of a campus-wide anti-virus license.
Do you honestly think that any IT manager is going to be successful getting an entire company to dump Outlook/Exchange and stop using anti-virus software? Do you have an example (within the North American area of interest to NANOG members) where this has actually happened?

IMHO, if you can convince an Outlook/Exchange using company to dump MS for email, you can convince them to dump MS/Windoze OSs entirely, which is a much more complete way to solve this problem.

jc

p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
At 02:46 PM 2/8/2004, Paul Vixie wrote:
In this past year's tour of my friends and family, I've taken to removing their antivirus software at the same time I remove their spyware, and I've taken to installing Mozilla (with its IMAP client) as a way to keep the machine from having any dependency on anti-virus software. IT managers are encouraged to consider a similar move next time they're asked to approve the renewal costs of a campus-wide anti-virus license.
Do you honestly think that any IT manager is going to be successful getting an entire company to dump Outlook/Exchange and stop using anti-virus software? Do you have an example (within the North American area of interest to NANOG members) where this has actually happened?
IMHO, if you can convince an Outlook/Exchange using company to dump MS for email, you can convince them to dump MS/Windoze OSs entirely, which is a much more complete way to solve this problem.
jc
As much as I respect Paul's opinions, are you sure Mozilla is viable as a solution to the virus problem? I still feel it's an OS problem. And yes even with Mozilla I still leave the AV software on a client's PC. Lusers still like to click on things and having the mail client /dev/null attachments is not viable as they want their family to send attached pictures of the grandkids.

And JC, yes I am working on getting this company to move from Windows to Mac. Windows users know better than to come to me with their latest Windows Woes. I gently pat my iMac and say "Gee, I don't have that problem" with a Smug BOFH grin :-)

--
Mike Jezierski mike@digitalfarmers.org
At 12:24 PM 2/9/2004, you wrote: Do you honestly think that any IT manager is going to be successful getting an entire company to dump Outlook/Exchange and stop using anti-virus software? Do you have an example (within the North American area of interest to NANOG members) where this has actually happened?
IMHO, if you can convince an Outlook/Exchange using company to dump MS for email, you can convince them to dump MS/Windoze OSs entirely, which is a much more complete way to solve this problem.
I have been using Eudora for Windows since v1.3. I am now using 6.011. It works flawlessly and I have all my email for the past 10 years (3+GB in 100s of mailboxes). This is our corporate standard for email. We turn off inline images, MS's HTML viewer and we don't allow automatic html downloads and we don't allow executable HTML content. We strip all useless executables on the mail server (com,exe,vbs,scr,shs,js, etc.) and all other attachments are renamed so they must be renamed THEN opened. We have mail server AV (AVAST - no bogus infected message replies) and desktop/server AV (Norton AV Corp Ed) on all workstations. We have never had a single virus or worm infection since 1995.

I banned Outlook years ago. However, as we grow and as Outlook adds more and more features, I am getting lots of pressure to allow it. I allowed a few people to use it for calendaring and task management (One-note) and they LOVE it and want to use it for everything. I am VERY hesitant to allow this. I have been focused on security for 10+ years. I am an engineer and I am also CEO of the company and even I am wondering if it might make sense to allow use of Outlook for email at this point. Microsoft has made a lot of progress with Office XP and most features which caused problems in the past are off by default - until the next exploit of course. :( Outlook simply has the features and the usability that people want. As much as you may hate Microsoft for making security an afterthought, their software is powerful, feature-rich and VERY intuitive for people to use.

So I guess my point is that after years of resistance to Outlook, even I am reconsidering due to high user demand and a void in the market for a robust group calendaring and task management application. Does anyone have any pointers for me? Something that fills the organization's needs and that will work with Eudora? Please help me resist the siren song of Outlook 2003.
-Robert

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - Francis Jeffrey
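The mail-server attachment policy described in the message above (strip the listed executable extensions, rename every other attachment), sketched as an added example that is not part of the original thread or the poster's configuration. The `.renamed` suffix, the function names and the sample message are assumptions constructed here; the extension list is the one given in the message, which ends in "etc.".

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the post; its list ends with "etc.", so this is a subset.
STRIP_EXTS = {"com", "exe", "vbs", "scr", "shs", "js"}
RENAME_SUFFIX = ".renamed"  # assumption: the post does not say how files are renamed

# Constructed sample names; two are the attachment names quoted earlier in the thread.
SAMPLE_NAMES = ["grandkids.jpg", "DANCING BEARS - OPEN ME.SCR",
                "Mozilla Internet Patch.exe", "notes.txt",
                "photo.jpg.vbs", "update.js."]


def final_extension(filename):
    """Lower-cased last extension. Trailing dots and spaces are ignored,
    because Windows drops them when the file is saved."""
    cleaned = filename.strip().rstrip(". ").lower()
    _, dot, ext = cleaned.rpartition(".")
    return ext if dot else ""


def filter_parts(container, stripped, renamed):
    """Apply the policy to every part of a multipart container, recursively."""
    kept = []
    for part in container.get_payload():
        if part.is_multipart():
            filter_parts(part, stripped, renamed)
            kept.append(part)
            continue
        name = part.get_filename()
        if name is None:                      # body text, not an attachment
            kept.append(part)
        elif final_extension(name) in STRIP_EXTS:
            stripped.append(name)             # dropped from the message
        else:
            new_name = name + RENAME_SUFFIX
            if "Content-Disposition" not in part:
                part["Content-Disposition"] = "attachment"
            part.set_param("filename", new_name,
                           header="Content-Disposition", replace=True)
            if part.get_param("name") is not None:   # legacy Content-Type name=
                part.set_param("name", new_name, replace=True)
            renamed.append((name, new_name))
            kept.append(part)
    container.set_payload(kept)


def apply_policy(raw):
    """Return (filtered message bytes, stripped names, (old, new) renames).
    A single-part message is passed through unchanged in this sketch."""
    msg = message_from_bytes(raw, policy=policy.default)
    stripped, renamed = [], []
    if msg.is_multipart():
        filter_parts(msg, stripped, renamed)
    return msg.as_bytes(), stripped, renamed


def attachment_names(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed test message with placeholder attachment bodies."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in SAMPLE_NAMES:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    out, stripped, renamed = apply_policy(build_sample())
    print("stripped:", stripped)
    print("delivered as:", attachment_names(out))
```

The check looks only at the final extension after trimming, so `photo.jpg.vbs` and `update.js.` are dropped even though their names appear to end in something harmless.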
On 8 Feb 2004, Paul Vixie wrote:
In this past year's tour of my friends and family, I've taken to removing their antivirus software at the same time I remove their spyware, and I've taken to installing Mozilla (with its IMAP client) as a way to keep the machine from having any dependency on anti-virus software.
A friend of mine did that for his mom's law office about 4-5 years ago. Instead of MS Word + Outlook, they used Word Perfect and Eudora. They've never had a macro virus or email virus outbreak, and so far have managed to stay fairly virus free. I don't think not having MS Word or Outlook has slowed them down in the least.
On 2/8/2004 4:46 PM, Paul Vixie wrote:
In this past year's tour of my friends and family, I've taken to removing their antivirus software at the same time I remove their spyware, and I've taken to installing Mozilla (with its IMAP client) as a way to keep the machine from having any dependency on anti-virus software.
I switched to Communicator (and then Mozilla) a long time ago, and I also use older versions of Word or alternative products that are less prone to worms/viruses. I also run anti-virus scans on my mail server. But I still use virus checkers locally and I don't think it's a good idea for folks to be discounting their usefulness. There are too many other paths for infection -- web downloads, infected CD-ROMs (yes this still happens), and so forth.

If performance is a problem then scan writes only, instead of writes+reads (you won't get infected if you scan every write to disk, while scanning reads is only going to produce a hit if you are already infected).

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
participants (18)

- Adi Linden
- alex@pilosoft.com
- Charles Sprickman
- E.B. Dreger
- Eric A. Hall
- itojun@itojun.org
- JC Dill
- John Payne
- Mike Jezierski - BOFH
- Paul Vixie
- Petri Helenius
- Robert Boyle
- Roland Perry
- Sean Donelan
- Terry Baranski
- Todd Vierling
- Tom (UnitedLayer)
- Valdis.Kletnieks@vt.edu