In the midst of a new deluge of virii for Windows (are they really "for Windows" or more appropriately "for compulsive attachment openers"?) it is time to stop and think a little more. After the inevitable realisation that anti-virus software just does not work should come the illumination that perhaps it is not quite normal for software to joyfully open anything without question.
My mother recently followed the example set by her younger sister and bought herself a laptop with Windows XP to be able to send and receive e-mail. I would have preferred a Mac but it cost too much in comparison to this ultra-cheap AMD laptop deal. It was delivered with the "standard stuff", i.e. Outlook Express, IE6 and Norton anti-virus.
She diligently updates the anti-virus each and every time it askes her to, she even runs the occasional Windows Update which I recommended doing as often as possible despite her slow dial-up line. The outcome of all this is that I get continuously asked: "why do I have to do it?".
That is actually a very good question, why exactly is the default configuration not good enough? Why is it so that her Outlook Express as delivered will happily execute any possible rubbish entering her inbox? Not only, why is it that after numerous runs of the update facility it still executes any possible rubbish? Did nobody take notice of the somewhat recurring viral techniques regarding attachments?
This could well become a long rant against Microsoft but this behaviour is not limited to Windows, far from it: I will never forget the maintenance nightmare of RedHat 5 "default installs" which people all over Imperial College were installing on their PCs when Linux was becoming fashionable. These installations had everything possible running, there were more DNS servers within Imperial College than you can imagine, Samba servers listening to anyone willing to talk not to mention Apache servers offering the standard RedHat index page and the full man pages of the system. Do you know of many stand-alone workstations requiring a DNS service running on the host? Or indeed a Samba server?
Just recently I allowed myself to be pulled into a discussion with someone trying to convince me that OpenBSD is "secure by default" only because it runs no services by default otherwise it would be as insecure as Windows (yes, a somewhat inflammatory remark). As I listened to his arguments I was thinking that perhaps he had never noticed that the average user does not actually need to run Apache, DNS and sendmail. There was no way to explain to him that by forcing people to turn on services rather than turning them off was a rather good idea. Even the analogy of allowing people to decide whether or not Outlook should execute attachments was lost on him, it was all a matter of "freedom of choice". Apparently the "choice" to have your system turned into a lump of useless plastic and metal is an important one.
So, have users forsaken security for a badly "freedom of choice"? Or have they been led to believe that allowing a computer to do all the "thinking" is the equivalent of "freedom"?
Posted by arrigo at February 19, 2004 09:10 AM