Chapter 6. Evil Automatons: Malware, Trojans, Viruses, and Worms

VIRUSES, WORMS, AND MALWARE

Gentle Reader:

Virus, worm, and malware problems are one of the areas in which I cannot disguise my disgust for the way that some people think about computing security. The individuals who write various bits of malware are only a minor part of the problem. No amount of effort applied to stopping them will be sufficient to prevent people from writing and releasing software such as computer viruses, and regardless of what effort is expended, such software will continue to be created and will continue to be a threat to undefended systems.

Those who write and sell software that is designed to facilitate the action and propagation of such malware are the real problem, and should be the focus of everyone's efforts on changing computing culture. Effective and damaging malware should require the discovery of software bugs or faults in communication-system designs. Unfortunately, today it does not, because there are major software vendors out there who are willing to sell you software that has features (not bugs, but intentionally designed-in features!) designed specifically to allow the action of software such as viruses. Certain vendors, for example, sell email clients that come preconfigured to execute arbitrary software that is sent over the Internet, without informing the user or requesting permission to execute the code. They do this because it makes some features they'd like to sell you ever so slightly more convenient to implement, and they think that you're gullible enough to buy the software and take their assurances of its safety as valid. They know full well that it's not safe, because they're not actually stupid enough to have missed the lessons of 14 or more years of hard-won network security battles . However, they think that you are, and because those features also enable some " conveniences " that their competitors don't have, that you'll buy their software and not think about the consequences of the convenience you've bought.

So far, they're right. By far the majority of networked users seem to have been taken in by this ploy, and it's biting them every day. The software writers, however, don't care. Rather than fix the problem, they release patch after patch after ineffective patch. And if your machine has been "owned" by some 13-year-old kid who's wiped out your financial records and the patches don't fix it, well, hand over your credit card, because the next yearly update certainly will solve the problem.

This must change, and the only way it's going to change is if you, the consumers of computing software, speak out. So long as you, your coworkers, and your friends choose software that favors convenience over security, some software vendors will be happy to sell it to you. So long as you grudgingly use software that you know is a problem because "everybody uses it, so I am obliged to as well," (nearly) everybody will indeed be using it.