Feeds

‘The clueless users who refuse to upgrade’

Faith no more

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Opinion Microsoft can end the scourge of e-mail viruses by ending its support for old software, and the clueless users who refuse to upgrade, writes SecurityFocus columnist Tim Mullen.

Well here we go again.

We are suffering through yet another email-borne virus (this one called Novarg) whose infection has reportedly trumped out all others in the infamous history of malicious computer code.

Was the vector some l337 0-day 'sploit? Nope. Was it a complex multi-layer program leveraging several unpatched vulnerabilities? Nope. It was -- wait for it -- an executable attachment in an email. What genius! The author of Novarg (or MyDoom, or whatever you want to call it) really put his noodle to the test when he cooked this one up, huh?

I would like to think that in this day and age people would know better than to open executables in an e-mail. I'd also like to be able to flap my arms and fly to the moon. Opening attachments in e-mail is one par with group needle-sharing after having unprotected sex in a Third World orgy. Yet, with an estimated 30 per cent [peak] of world-wide e-mail traffic being Novarg, it is clear that millions are willing to blindly point-and-click their way into infection while a tempest of white noise rages in the part of their brain where conscious thought should be.

When events like this occur, it really makes me question my faith in education as a means of mitigating security issues. As much as I want to believe that we can teach people about computer security, it looks as though it may be a pipe dream after all. A mere month after my "Resolutions" column called for patience and understanding in user training, I'm ready to throw in the towel. Looks like I was wrong.

Many will be quick to point out that it is Microsoft's "crappy code" that allows people to open attachments in the first place, but let's take a look at that: all "recent" Microsoft software does not, in fact, allow one to do so-- not easily, anyway. Outlook 2000's "e-mail security patch" was released almost four years ago. And though still officially supported, that product is three major versions in the past. Security years are like dog years, so this is like using a product made back in 1976.

The only thing in my house that was around in '76 is me, and possibly that pink fuzzy thing in my refrigerator.

So what is the solution when you have stupid people using old software? We can't really get rid of the stupid people, so I think it is time that the old software gets the boot. The problem is that Microsoft is still supporting these legacy clients.

Bill and Steve, I have utmost respect for you and your business knowledge, but it is time you kicked these people through the goal posts of life and score some points for your "real" costumers-- us.

All of the good light Microsoft is shining on security gets totally overcast when virus/worm outbreaks like this happen. And the people like me who faithfully spend time and money to follow in the upgrade path still suffer from the inaction of those who choose to stay behind.

Microsoft is making great strides toward product security, and I'm proud to be part of the movement. But now it is time to fully commit to security by stopping support for products that can't be secured. If clients are still using Windows 9x along with the associated legacy support software, it should be a pretty good indication that they are not really interested in paying for decent software security.

So stop being a co-dependant in their addiction to cheapness. Stop dating these people if you're not getting a kiss on the doorstep. Stop letting them use the bathroom in the same place where the rest of us have to eat.

Product support and security is not Social Security. The money I spend today should not be used to help those of the generation before when they don't want help or don't know they need it. I know that the repercussions of this would be far reaching, and I am not ignorant of the enormous undertaking it would be to pull it off, but I think the numbers speak for themselves.

"When" is now, and it is time we said it.

Copyright © 2004, 0

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.