[conspire] About conditioned helplessness

Rick Moen rick at linuxmafia.com
Wed Aug 31 20:06:08 PDT 2011


I wrote:

> You know what really offends me as an open-source person?  Conditioned
> helplessness.  

I've been trying to help a friend of mine in Nashville who's now
become basically afraid of computers, period, on account of malware.
She is (of course) a Windows user, and I normally cannot be bothered
to help Windows people deal with their security problems, but she's a
longtime friend, and thus an exception.

I had just gotten through sending her this summary of
http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/ :

  A major security company (RSA Data Security) had some of its crown-jewel
  corporate secrets stolen recently.  How?  One of its engineers was
  reading e-mail, and had Adobe Flash _including_ the ActiveX Flash
  plugin for MSIE installed.  He encountered a mail with an Excel
  spreadsheet attached.  He clicked the spreadsheet, which opened Excel,
  which decided to open the ActiveX-enabled Flash interpreter to run a
  Flash animation inside the spreadsheet.  Because ActiveX is horribly
  overpowered and dangerous, _and_ because he was logged in with local
  Administrator privilege, malware and a backdoor got installed and run by
  Flash, which then stole corporate information and sent it to criminals.

Not quite getting my point about fatal and elementary security errors on
the RSA-employee user end, my friend asked me if I'd download a PDF for
her and make sure it doesn't have malware before she 'opened' it.

So, I analysed that situation for her and helped her out, and _then_ 
sent a wide-view post.  And I offer the principles for what they're
worth, because they're applicable regardless of operating system.
Post to my friend follows:



Let's back up, and start at the beginning with the key principles.
I've said these before, and I really did mean them.  (No offence
intended or taken!)


Files aren't dangerous.  Programs (by and large) don't run themselves.
Malware you do not execute is harmless, so avoiding malware entails, in
short, not running it.

Not running malware _mostly_ (exception noted below, separately)
involves being careful about what applications and utilities you use to
handle public data.  By 'public data', I mean stuff arriving at you off
the Internet or other exposed networks, i.e., the ongoing datastream of 
data and files arriving at your Web browser and at your e-mail program.
This includes external programs invoked by either your Web browser or
e-mail program to handle particular types of files or data.  Such
external programs include handling programs (viewers, readers) for PDF
files, Flash animations, various types of image or video or sound files,
doc/docx, xls/xlsx, and anything else your Web browser or e-mail program
is configured to hand off to an external program.

Some applications for MS-Windows relevant to public data have a
miserable, dismal security history, usually because they are
overfeatured and badly written.  Those include

Microsoft Internet Explorer (partly on account of ActiveX)
Microsoft Outlook
Microsoft Outlook Express
Adobe Acrobat Reader, though its worst feature, internal Javascript
   support, can be disabled via a Preferences checkbox
Adobe Flash interpreter, and _especially_ the MSIE variant of the 
   Adobe Flash interpreter (because of ActiveX)
Apple QuickTime
Yahoo Messenger
Microsoft Windows Live (MSN) Messenger

Don't run those.  Just don't.  They're bad code.  As to everything else
that your Web browser uses to run as external programs to handle public
data:  Go through them.  If you aren't sure they should handle a
particular type of public data, disable or remove the handler.

That's real work.  I'm sorry.  You're trying to have real security on
Microsoft Windows, and that is simply made difficult by the oblivious
user culture and widespread acceptance of bad code and bad
configurations.



Here's an old essay by an acquaintance of mine, but it's still true:
http://www.dwheeler.com/essays/securing-windows.html



So... there's an attack against Adobe Flash's ActiveX plugin for MSIE
involving Excel spreadsheets with embedded Flash animations that do
nothing but install malware and a backdoor?  Simple:  Don't have the
Adobe Flash MSIE plugin on your system.  Done.

The 'attack file' isn't dangerous.  It's the really incredibly bad Adobe
software that creates that danger.

Most people never grapple with the fundamental issue, the 'Don't run bad
code' one.  So, they fall back on ridiculous, expensive, and _ineffective_
fallbacks like antimalware scanners and being members of the Cult of the
Holy Firewall.


Exception to the 'avoid malware by just not running it' general rule:
A small percentage of threats attack the core of your system directly if
_it_ is vulnerable.  That's why you _download and store onto a CDR_ the
latest critical fixes (Service Pack 3 for XP and whatever) recommended
by Microsoft Corporation.  You do _not_ install the OS and let it fetch
security updates across the Internet.  Why?  Because that means
connecting a vulnerable machine to the Internet, which is an Obviously
Very Bad Idea the likes of which only Microsoft could love.


Also, never run any program with more security privilege than it
absolutely needs.  This is why you do _not_ put Local Administrator
rights onto your regular login.  If you ever need to run a particular
application with Administrator privilege, use the right-click context
menu to do Run As.
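An added example, not part of Rick's post: a small PowerShell audit for the two chores above, listing which program Windows will launch for a sample of "public data" file types (so the reader can go through the handlers) and reporting whether the current login carries local Administrator group membership. The extension list is a constructed sample; the registry locations are the standard per-user FileExts UserChoice and machine-wide HKCR ProgId paths.

```powershell
# Added example (not from the original post). Audits external file handlers
# and the current login's Administrator group membership. Read-only: it changes
# nothing, it only reports.

# Constructed sample of file types that arrive as "public data" by mail or Web.
$extensions = @('.pdf', '.swf', '.xls', '.xlsx', '.doc', '.docx', '.mov', '.js', '.vbs', '.scr')

function Get-HandlerCommand {
    param([string]$Extension)
    # A per-user Default Programs choice takes precedence over the
    # machine-wide HKCR association, so look there first.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" `
                   -ErrorAction SilentlyContinue).'(default)'
    }
    if (-not $progId) {
        # No handler at all: double-clicking this type will prompt rather than run.
        return [pscustomobject]@{ Extension = $Extension; ProgId = '(none)'; Command = '(none)' }
    }
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $command }
}

function Test-AdminGroupMember {
    # Checks group membership (well-known SID of BUILTIN\Administrators), i.e.
    # whether the login itself carries Administrator rights, regardless of
    # whether UAC happens to be filtering the current token.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $match = $identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' }
    return [bool]$match
}

Write-Host "External handlers for sample public-data file types:"
$extensions | ForEach-Object { Get-HandlerCommand -Extension $_ } | Format-Table -AutoSize

if (Test-AdminGroupMember) {
    Write-Host "This login is a member of local Administrators: daily use should be a limited account; use Run As when needed."
} else {
    Write-Host "This login is not a local Administrator (good)."
}
```

Any row whose Command points at one of the programs listed earlier in the post (Acrobat Reader, the Flash player, QuickTime) is a handler to remove or reconfigure.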
