Original URL: https://www.theregister.com/2004/02/03/the_clueless_users_who_refuse/

‘The clueless users who refuse to upgrade’

Faith no more

By Tim Mullen

Posted in Security, 3rd February 2004 11:45 GMT

Opinion: Microsoft can end the scourge of e-mail viruses by ending its support for old software, and the clueless users who refuse to upgrade, writes SecurityFocus columnist Tim Mullen.

Well here we go again.

We are suffering through yet another email-borne virus (this one called Novarg) whose infection has reportedly trumped all others in the infamous history of malicious computer code.

Was the vector some l337 0-day 'sploit? Nope. Was it a complex multi-layer program leveraging several unpatched vulnerabilities? Nope. It was -- wait for it -- an executable attachment in an email. What genius! The author of Novarg (or MyDoom, or whatever you want to call it) really put his noodle to the test when he cooked this one up, huh?

I would like to think that in this day and age people would know better than to open executables in an e-mail. I'd also like to be able to flap my arms and fly to the moon. Opening attachments in e-mail is on par with group needle-sharing after having unprotected sex in a Third World orgy. Yet, with an estimated 30 per cent [peak] of world-wide e-mail traffic being Novarg, it is clear that millions are willing to blindly point-and-click their way into infection while a tempest of white noise rages in the part of their brain where conscious thought should be.

When events like this occur, it really makes me question my faith in education as a means of mitigating security issues. As much as I want to believe that we can teach people about computer security, it looks as though it may be a pipe dream after all. A mere month after my "Resolutions" column called for patience and understanding in user training, I'm ready to throw in the towel. Looks like I was wrong.

Many will be quick to point out that it is Microsoft's "crappy code" that allows people to open attachments in the first place, but let's take a look at that: all "recent" Microsoft software does not, in fact, allow one to do so -- not easily, anyway. Outlook 2000's "e-mail security patch" was released almost four years ago. And though still officially supported, that product is three major versions in the past. Security years are like dog years, so this is like using a product made back in 1976.

The only thing in my house that was around in '76 is me, and possibly that pink fuzzy thing in my refrigerator.

So what is the solution when you have stupid people using old software? We can't really get rid of the stupid people, so I think it is time that the old software gets the boot. The problem is that Microsoft is still supporting these legacy clients.

Bill and Steve, I have utmost respect for you and your business knowledge, but it is time you kicked these people through the goal posts of life and scored some points for your "real" customers -- us.

All of the good light Microsoft is shining on security gets totally overcast when virus/worm outbreaks like this happen. And the people like me who faithfully spend time and money to follow the upgrade path still suffer from the inaction of those who choose to stay behind.

Microsoft is making great strides toward product security, and I'm proud to be part of the movement. But now it is time to fully commit to security by stopping support for products that can't be secured. If clients are still using Windows 9x along with the associated legacy support software, it should be a pretty good indication that they are not really interested in paying for decent software security.

So stop being a co-dependent in their addiction to cheapness. Stop dating these people if you're not getting a kiss on the doorstep. Stop letting them use the bathroom in the same place where the rest of us have to eat.

Product support and security is not Social Security. The money I spend today should not be used to help those of the generation before when they don't want help or don't know they need it. I know that the repercussions of this would be far reaching, and I am not ignorant of the enormous undertaking it would be to pull it off, but I think the numbers speak for themselves.

"When" is now, and it is time we said it.

Copyright © 2004

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.