Opinion: Office virus points toward a bigger hole
The software business is integrating and automating on sand, folks...
The software business was due a wake-up call, but it came from an unexpected direction. The Melissa virus might look like it was all Microsoft's fault, but although Redmond's obsession with integration, automation and Web-enablement was primarily responsible for the speed at which Melissa spread, Microsoft is by no means alone in its ambitions. On the contrary - everybody wants to make it easy for you, and hang the consequences.
The way Melissa works is simplicity itself. You open a file you were emailed, a Microsoft Office macro runs, and the email you got is sent on to 50 people in your contact book. So Microsoft's macro security is clearly grossly inadequate, and Microsoft Visual Basic for Applications, which can be used to perpetrate such deeds, seems pretty easy to turn into a runaway train the user has no way to control. Consider the sort of things a virus like this could do and you start to think about Melissa as being pretty cuddly. And the more bits of your data and personal and financial information that get integrated and automated, the more nasty things a virus could do. Sure, it could trash your hard disk, but how about it buying a new car with your credit card and shipping it to Omsk? Maybe your credit card information isn't built into your machine, but on the other hand maybe that just means "secure electronic commerce" hasn't been integrated into your machine yet.
The reason we find ourselves standing on the edge of this particular precipice today is because software developers (and as I say, not just Microsoft software developers) think certain features are cool, and that they should try to make things easier for the user. Making it easier generally means progressively reducing the number of decisions the user has to make, and deciding for the user what is best for the user. So you're being dumbed down. But the security holes this process creates can be used by all sorts of different characters, not just those nice people who sold you the software.
In the near future, the software industry in general confidently expects, your software will just kind of update itself whenever it needs to and/or there's a new bug-fix or update out. You won't need to know about it, it'll just receive an alert, and next time you look it'll all be much more efficient and snappier (or more likely, puzzlingly fatter and slower). Do we trust the software industry to make this kind of process rock-solid secure? Or more immediately, there are things like these little nagware browser windows that pop up every now and again encouraging you to upgrade to IE 5, Navigator 4.51 or whatever. Click yes to these and you'll go through to the vendor's site and start on a process where something out there helpfully installs files on your machine, optimises your settings and cleans up afterwards. But a growing receptiveness on the part of users to trust whatever it is out there that's monkeying with their machines isn't necessarily constructive, particularly as the checks and authorisations haven't been keeping pace with the process and are in any event not defences whose security you'd like to stake your life on.
And then there's the whole privacy issue, which shows how much the software business' thirst to connect things for a greater good has got out of sync with the rules of the game in the real world. They put in features because they're cool, because they're useful to the vendor, even (stretching it a bit) because they're good for the user, who doesn't want to be bothered with the details anyway. So stuff gets sucked off the machine and sent off somewhere - but where? It's obviously going to get worse, and although with every fresh exposure the software developers will issue fresh patches and promise to upgrade security, there's no obvious way to make the whole shooting match secure in the first place.
Stopping doing things in your application development that with hindsight turn out to be dumb is one thing, but the Web itself is quite another. As the years roll by we'll all be downloading and running lots more stuff from the Web, and we're going to know about less and less of it as we do so. So how much longer are the platforms we're using going to be able to cut it? ®