June 2, 2003

Idiocy Imperils the Web

 
You people are such idiots!

Not you, of course. I mean those other people, the ones who make it so easy for every simple, standard virus to propagate across the Web. Twice in the last few weeks, I've had the same experience. I receive a security notice on a new virus, first Fizzer and then Palyh. I then find out that they infect Windows-based systems when a user opens an attachment from an unsolicited e-mail message. I then think to myself, "This won't be big; everyone knows you don't open attachments in unexpected e-mails." Then the virus spreads across tens of thousands of systems.

What's up with these people? Over the last few years, there have been hundreds of new viruses that spread in this manner. Most people figure out that if they keep grabbing the electric fence, they'll get a shock every time. So why do they continue to stupidly open attachments they aren't expecting?

To some degree, the fault for this lies with the technology press. We tend to take each new virus too seriously while not taking the time to shame the morons who are making it possible for the viruses to succeed.

Imagine if there were a rash of car thefts where thieves stole a bunch of cars that were left running with the doors open. Reporters wouldn't focus on the cleverness of the car thieves; they would point out the stupidity of the car owners. Or imagine thousands of cases of food poisoning from people eating completely raw chicken. I'm sure we would be reading plenty about the cluelessness of the "victims."

It's time for us to stop admiring virus writers and start dishing out heaping spoonfuls of shame to stupid users.

Instead of a headline like "Dangerous Fizzer Worm Attacks the Internet," how about "Thousands of Morons Open Obviously Virus-Laden E-mail Attachments"? I kind of like it. It has a light, comedic feel similar to headlines found at The Onion. But as Homer Simpson would say, it's funny because it's true. Stories like that should embolden smart users so that, instead of accepting their co-workers' incompetence, they will feel free to mock and ridicule these Typhoid Marys of the computer world.

The shaming wouldn't have to stop there. IT staff could put up posters identifying the stupidest virus-spreaders in the company. Rank-and-file employees could videotape their co-workers opening attachments with obvious virus subjects such as "Cool screensaver." We could have a new TV show, "America's Most Idiotic E-mail Users!" Webcams could be set up peering over the shoulders of those most likely to open an attachment. Watching a virus spread in real time could become a spectator sport.

But seriously, folks. It's very easy to teach even a kid how to avoid infecting most systems with viruses in e-mail attachments. So why isn't this message getting out? Because getting hit with a virus is considered acceptable. Too many people have taken the attitude that viruses are going to happen, and there's nothing you can do to stop them. This isn't true, but many people use it as a convenient excuse for their mistakes.

Obviously, we need to do a better job educating users, but we also need to remove the mystique that surrounds viruses. Virus victims need to realize that many viruses wouldn't exist without them and their careless use of their e-mail accounts.

It doesn't take a whole lot of effort to change. First, users need to be suspicious of the e-mail they receive. If you don't know who it's from and the subject is generic, delete it. If there are multiple versions of the same e-mail, it's most likely a virus or spam. And never, ever, open attachments that you weren't expecting. If you think it's something important, double-check with the sender.

When coupled with a good virus scanner, these simple efforts can keep most users from becoming victims of viruses that are doing little more than taking advantage of their stupidity. I follow these basic procedures, and I haven't had an e-mail-born virus infect one of my systems in more than five years.

So let's change our attitudes and our tactics. Let's get out the word that most of the time, when people get viruses, it's their own fault. Stupidity is nothing to be proud of.


Readers Respond: Idiocy Imperils the Web

Mr. Rapoza,

Thank you for writing this article (Idiocy Imperils the Web). You managed to sum up 5 years of frustration into a light, one page read. I'm tempted to hang the article in my cubicle, but I doubt the suits would appreciate it. I guess it will have to be just "our little secret". But, really, thanks... it's good to know I'm not alone.

Thanks!
Rob Carroll


Jim:

I'm writing to comment on your commentary on the idiocy of opening virus-laden attachments. I agree with what you say, but I also think that we'll never be able to get rid of idiots. Because of this, we have a very simple policy here that's more effective than anything else at preventing infections. We never are infected with e-mail-borne viruses. How? We simply quarantine all attachments that are executable files. The users still receive the e-mails, but they don't get the attachments. If the user knows that the attachment is safe, we can pull it out of the quarantine, but this almost never happens. How often does the typical user need to receive an executable file as an attachment? Even if it doesn't contain a virus, it's probably something that the IT department would prefer not be installed on the user's computers. Just to be safe, we also have a strong anti-virus program running as both an Internet gateway, and on the user's workstations. But, because of our "no executable attachments" policy, it has little to do. Even though we do get a ton of attachments every day, we have no need for executable attachments. I imagine that most companies are the same, and am surprised that this isn't suggested more often as good policy.

Dave Taliaferro


Jim:

Wasn't it P. T. Barnum who said something like, "You can never go wrong underestimating the stupidity of the American public."

Later on in your column you said "Imagine if there were a rash of car thefts where thieves stole a bunch of cars that were left running with the doors open. "

Now what would the reaction be if car maker's gave us cars with no locks and ignition systems that were so easy to defeat that even a ten-year-old could steal a car? I bet there would be a hue and cry in the press and lots of other car makers would run adds saying how safe their cards are.

Do you spot any resemblance to Outlook and the cars mentioned in the previous paragraph?

I've been writing software for a living for over 20 years now. It's my position that any thing like Outlook that makes it easy to hijack a users system is irresponsible. (Course it's nice when you have a virtual monopoly.)

So which is easier?
1) Making a fundamental change in the human condition (banishing stupidity)
2) Changing a small body of software to make it harder for virus writers to spread their little toys over the net


Jim:

Finally someone has the nerve to put in writing what we've all been thinking! Thank You. I am sending links to the article to everyone I know. I can't tell you how many hours and thousands of dollars we have spent trying to keep these attatchments out because people are too stupid not to open them. Although I think most of them must be AOL users as well.

Great article!

Dan Van Hout


Jim:

I hope this short opinion article, "Idiocy Imperils the Web," gets the attention it deserves! You hit the nail on the head, putting into words something those of us who have to clean up mail servers and listen to the complaints of idiot e-mail users have thought for years. It's to the point that e-mail users should be required to prove basic reasoning skills and pass a test before they can have an account. Of course, these are the same people who respond to spam offers for free pasta pots, digital cameras, and manhood increasing pills, further propogating the use of spam. I guess if it wasn't for the idiots, we wouldn't realize how smart we must be!

Gary Varnum


Jim:

While I think the focus of your article is clever, I also think that you stopped short in blaming only the end user, the individual who opened that unsolicited message with a virus attachment.

I've been using computers for over 30 years. I can remember when the only thing that you could do with e-mail was send text. What about pointing the finger at the software vendors who have made it easy for viruses to spread? The ones who supply browsers and messaging systems that automatically open attachments for you? [Ok, it's an option, but the default is typically on!] The ones that follow links to Web pages, and execute code that isn't yours, if you want them to or not? [Again, an option, but if you disable it, you suffer significant losses in "functionality" e.g.. there are legitimate Web pages that stop working!]

It used to require a recognizable system flaw for a virus/worm to enter a system, gain control and then spread. That is no longer the case. Most 'out of the box' systems will have enough configuration flaws that leave them vulnerable unless an experienced system admin has 'fixed' the problems. Given the number of 'novice' administrators in the world, there is no question that viruses/worms will spread until vendors start selling software that is designed, engineered, and tested to prevent their spread. Since that goes against the trend of ever increasing features and expanded functionality, don't hold your breath!

Frank Pirz