20060415

REPOST: Six Dumbest Ideas (part 2)


Repost from my dead blog, 2006-04-15

As I said in the last post, they were completely off the mark on some. And I won’t go in the order I had originally decided - I kept making references to Anna Kournikova and Phishing, so I’d better explain what that was about.

One of the “dumb” ideas is User Education. The idea is that we should make systems secure so that users don’t have to be responsible for managing their own security.

I do agree partially - we expect our automobiles to have security features built in (like you can’t take the key out unless the car is in park) so that we don’t shoot ourselves in the foot. Hooray for us writing secure code!

But the example they give of things that DON’T work is the Anna Kournikova virus. The Anna Kournikova virus was one of the first (and easily the most widespread) of the “VBS with some other extension” type of viruses. When Windows Script Host became popular (read - was installed and turned on by default on most Windows machines), attackers started sending viruses in attachments with names like “annakournikova.jpg.vbs” or even “annakournikova.jpg .vbs” where they were counting on your system not showing filename extensions (so you’d only ever see “annakournikova.jpg”).
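The filename trick described above is easy to check for at a mail gateway. The following is an added example, not code from the original post: it compares each attachment's real extension with the name a user sees when the last extension is hidden. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Illustrative extension lists (assumptions, not from the original post).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}

def split_ext(name):
    """Split on the last dot; return (stem, lower-cased extension or '')."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return name, ""
    return stem, "." + ext.strip().lower()

def inspect_filename(name):
    """Compare the real extension with what a user sees when the last one is hidden."""
    stem, real_ext = split_ext(name.strip())
    shown = stem.rstrip()                 # name displayed with extensions hidden
    _, decoy_ext = split_ext(shown)
    if real_ext not in SCRIPT_EXTS:
        verdict = "ok"
    elif decoy_ext in DECOY_EXTS:
        verdict = "disguised-script"      # looks like a picture/document, runs as code
    else:
        verdict = "script"
    return {"name": name, "shown_as": shown, "real_ext": real_ext,
            "padded": stem != shown, "verdict": verdict}

def scan_message(msg):
    """Inspect every named attachment of an EmailMessage."""
    return [inspect_filename(p.get_filename())
            for p in msg.iter_attachments() if p.get_filename()]

def build_sample():
    """Constructed test message; the addresses and payload bytes are placeholders."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    for fn in ("annakournikova.jpg.vbs", "annakournikova.jpg .vbs", "holiday.jpg", "notes.vbs"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A gateway would typically quarantine anything with the `disguised-script` verdict, and the `padded` flag marks names where whitespace was used to push the real extension out of view.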

Well, the antivirus companies were a little slow (like the author of the post said - people are more than happy to click a link of a naked almost-celebrity) to get a definition out, and IT professionals were even slower to get the definitions installed.

And this isn’t unusual. And ultimately, this virus is fixed by the same practice as stopping phishing. If users had been educated not to click links (including attachments) in emails, the outbreak wouldn’t have been nearly so bad. The reason it was so bad is that nobody has EVER started a widespread recommendation that people never open an attachment unless they first know who it’s from and what it is. And another bit of security would have helped this - using S/MIME or (preferably) PGP - if I know that you always PGP sign your messages before you send them, and I know you take care of your private key, I can trust that if I receive a properly signed message from you, you intended any attachments in it to reach me.

Saying we shouldn’t educate users to protect themselves is like saying we should make cars have foam bumpers so that our kids don’t have to look both ways before crossing the street. It’s like saying we should make knives that aren’t sharp so that we can’t cut ourselves. It’s like saying we should make cigarettes that don’t cause cancer instead of telling people that smoking causes cancer - the whole benefit of the thing we’re trying to make safe is also the inherent danger.

I’m not making my argument very clear, but their premise is that we shouldn’t allow attachments in the first place, thereby removing the problem of viruses. I agree to a point, but they contradict themselves because viruses are only part of the problem - phishing doesn’t have to do with attachments, it has to do with the fact that we don’t train users to never trust an email at all. Phishing is becoming more and more sophisticated - a little breach of security can allow a malicious user to enumerate email addresses of real customers, and then the phishing becomes targeted.

The same sort of rules apply to instant messaging, and the oh-so-Web-2.0 practice of reading blogs (have you followed a link off of any of my posts yet?)
