Back

Viruses and the Future of Computing

by Gregg Berkholtz
PANUG President

Nearly 80% of the computer systems in the US and 70% of European and Asian systems were affected recently by the ILOVEYOU virus. This is a significant increase from the 20% affected by the Melissa virus not that long ago. Are the bad guys (and girls) getting better at penetrating our systems?

The answer is twofold. First, our systems are designed so that they are increasingly becoming susceptible to attack. It's getting easier to break into systems - not harder as you might expect. Secondly, the people who use and manage computer systems are not learning how to defend their systems from attack in spite of the fact that they have had recent experience recovering from an attack.

Up Time

The ILOVEYOU virus caused many companies to shutdown their systems to deflect the sheer number of virus-infected emails. What happened to the 99.9% uptime & availability target you were promised?

Are you willing to accept system outages because some college student spent four hours writing a small program? There are lots of college students out there and an increasing number (many in other countries) are getting Internet access. There's no reason to expect that new viruses will decline over time and this has been implied recently by the FBI.

Government Sites

The ILOVEYOU virus managed to infect at least four top secret government systems the trade press reported. If this is true, exactly why is our government connecting critical systems to the Internet? Worse, why is our government using software products known to be targets of attack? If we can't trust our government to act responsibly, what hope is there for the millions of clueless computer users?

The Worst Is Yet To Come

The seriousness of email-based viruses has escalated rapidly since Melissa and the stakes are higher. What if the next attack is from a well organized and well funded terrorist group or hostile government?

You know that most of your users aren't equipped with the information or skills to ward off even the most simple attack. Melissa and ILOVEYOU proved that. No, the solutions have to come from the people who manage the computer systems for the users and these people need the support of company management.

Open Source Resistant To Attack

One of the many reasons that Open Source software is becoming so popular is that systems that use it are resistant to attack. This is because most of this software is designed by people who understand the security risks of implementing ill-conceived "user friendly" features. They're constantly reminded by Internet standards, documentation, mailing lists and newsgroups where security is always in the forefront.

An open source programmer does not design in obvious security holes and still have the respect of his or her peers. Respect is cherished in the open source world. The anonymous programmers who work for the commercial software giants do not have this concern.

What Do You Do About This?

There's so much you can do:

  1. Make the people in your company understand that the ability of an email message to launch a program is *a bad thing*.
  2. Since users clearly cannot be relied on to defend against attack, you must deploy systems that enforce your policies. Email content filtering can be achieved at reasonably low cost and work with your existing systems.
  3. Start replacing the systems that have a long history of security problems with systems that have a long history of stability and robustness.
  4. Consider the advice of those who are desperately trying to help you. You know, these are the people that some of the world calls "Microsoft bashers". Many of these people have a solid understanding of the problems and the solutions. They are on your side. By dismissing their warnings and advice you doom your company to further attack and higher costs of doing business.

Just Say No

There is now a virus out there that can be spread by simply opening the email - no attachments - just an email message. This is due to the user friendly features (security holes) in Outlook, Office 2000, and IE5. No other system allows this. Only the systems from Microsoft.

Not only are many of the features of Microsoft's "integrated" applications not benefiting most of us, they are now costing us lots of money. How many trillions of dollars must be wasted before something is done?