‘The clueless users who refuse to upgrade’

Faith no more


Opinion: Microsoft can end the scourge of e-mail viruses by ending its support for old software, and the clueless users who refuse to upgrade, writes SecurityFocus columnist Tim Mullen.

Well here we go again.

We are suffering through yet another email-borne virus (this one called Novarg) whose infection has reportedly trumped out all others in the infamous history of malicious computer code.

Was the vector some l337 0-day 'sploit? Nope. Was it a complex multi-layer program leveraging several unpatched vulnerabilities? Nope. It was -- wait for it -- an executable attachment in an email. What genius! The author of Novarg (or MyDoom, or whatever you want to call it) really put his noodle to the test when he cooked this one up, huh?

I would like to think that in this day and age people would know better than to open executables in an e-mail. I'd also like to be able to flap my arms and fly to the moon. Opening attachments in e-mail is on par with group needle-sharing after having unprotected sex in a Third World orgy. Yet, with an estimated 30 per cent [peak] of world-wide e-mail traffic being Novarg, it is clear that millions are willing to blindly point-and-click their way into infection while a tempest of white noise rages in the part of their brain where conscious thought should be.

When events like this occur, it really makes me question my faith in education as a means of mitigating security issues. As much as I want to believe that we can teach people about computer security, it looks as though it may be a pipe dream after all. A mere month after my "Resolutions" column called for patience and understanding in user training, I'm ready to throw in the towel. Looks like I was wrong.

Many will be quick to point out that it is Microsoft's "crappy code" that allows people to open attachments in the first place, but let's take a look at that: all "recent" Microsoft software does not, in fact, allow one to do so-- not easily, anyway. Outlook 2000's "e-mail security patch" was released almost four years ago. And though still officially supported, that product is three major versions in the past. Security years are like dog years, so this is like using a product made back in 1976.

The only thing in my house that was around in '76 is me, and possibly that pink fuzzy thing in my refrigerator.

So what is the solution when you have stupid people using old software? We can't really get rid of the stupid people, so I think it is time that the old software gets the boot. The problem is that Microsoft is still supporting these legacy clients.

Bill and Steve, I have utmost respect for you and your business knowledge, but it is time you kicked these people through the goal posts of life and scored some points for your "real" customers -- us.

All of the good light Microsoft is shining on security gets totally overcast when virus/worm outbreaks like this happen. And the people like me who faithfully spend time and money to follow in the upgrade path still suffer from the inaction of those who choose to stay behind.

Microsoft is making great strides toward product security, and I'm proud to be part of the movement. But now it is time to fully commit to security by stopping support for products that can't be secured. If clients are still using Windows 9x along with the associated legacy support software, it should be a pretty good indication that they are not really interested in paying for decent software security.

So stop being a co-dependent in their addiction to cheapness. Stop dating these people if you're not getting a kiss on the doorstep. Stop letting them use the bathroom in the same place where the rest of us have to eat.

Product support and security is not Social Security. The money I spend today should not be used to help those of the generation before when they don't want help or don't know they need it. I know that the repercussions of this would be far reaching, and I am not ignorant of the enormous undertaking it would be to pull it off, but I think the numbers speak for themselves.

"When" is now, and it is time we said it.

Copyright © 2004

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.
