[conspire] About conditioned helplessness
rick at linuxmafia.com
Wed Aug 31 20:06:08 PDT 2011
> You know what really offends me as an open-source person? Conditioned
I've been trying to help a friend of mine in Nashville who's now
become basically afraid of computers, period, on account of malware.
She is (of course) a Windows user, and I normally cannot be bothered
to help Windows people deal with their security problems, but she's a
longtime friend, and thus an exception.
I had just gotten through sending her this summary of
A major security company (RSA Data Security) had some of its crown-jewel
corporate secrets stolen recently. How? One of its engineers was
reading e-mail, and had Adobe Flash _including_ the ActiveX Flash
plugin for MSIE installed. He encountered a mail with an Excel
spreadsheet attached. He clicked the spreadsheet, which opened Excel,
which decided to open the ActiveX-enabled Flash interpreter to run a
Flash animation inside the spreadsheet. Because ActiveX is horribly
overpowered and dangerous, _and_ because he was logged in with local
Administrator privilege, malware and a backdoor got installed and run by
Flash, which then stole corporate information and sent it to criminals.
Not quite getting my point about fatal and elementary security errors on
the RSA-employee user end, my friend asked me if I'd download a PDF for
her and make sure it doesn't have malware before she 'opened' it.
So, I analysed that situation for her and helped her out, and _then_
sent a wide-view post. And I offer the principles for what they're
worth, because they're applicable regardless of operating system.
Post to my friend follows:
Let's back up, and start at the beginning with the key principles.
I've said these before, and I really did mean them. (No offence
intended or taken!)
Files aren't dangerous. Programs (by and large) don't run themselves.
Malware you do not execute is harmless, so avoiding malware entails, in
short, not running it.
Not running malware _mostly_ (exception noted below, separately)
involves being careful about what applications and utilities you use to
handle public data. By 'public data', I mean stuff arriving at you off
the Internet or other exposed networks, i.e., the ongoing datastream of
data and files arriving at your Web browser and at your e-mail program.
This includes external programs invoked by either your Web browser or
e-mail program to handle particular types of files or data. Such
external programs include handling programs (viewers, readers) for PDF
files, Flash animations, various types of image or video or sound files,
doc/docx, xls/xlsx, and anything else your Web browser or e-mail program
is configured to hand off to an external program.
Some applications for MS-Windows relevant to public data have a
miserable, dismal security history, usually because they are
overfeatured and badly written. Those include
Microsoft Internet Explorer (partly on account of ActiveX)
Microsoft Outlook Express
support, can be disabled via a Preferences checkbox
Adobe Flash interpreter, and _especially_ the MSIE variant of the
Adobe Flash interpreter (because of ActiveX)
Microsoft Windows Live (MSN) Messenger
Don't run those. Just don't. They're bad code. As to everything else
that your Web browser uses to run as external programs to handle public
data: Go through them. If you aren't sure they should handle a
particular type of public data, disable or remove the handler.
That's real work. I'm sorry. You're trying to have real security on
Microsoft Windows, and that is simply made difficult by the oblivious
user culture and widespread acceptance of bad code and bad
Here's an old essay by an acquaintance of mine, but it's still true:
So... there's an attack against Adobe Flash's ActiveX plugin for MSIE
involving Excel spreadsheets with embedded Flash animations that do
nothing but install malware and a backdoor? Simple: Don't have the
Adobe Flash MSIE plugin on your system. Done.
The 'attack file' isn't dangerous. It's the really incredibly bad Adobe
software that creates that danger.
Most people never grapple with the fundamental issue, the 'Don't run bad
code' one. So, they fall back on ridiculous, expensive, and _ineffective_
fallbacks like antimalware scanners and being members of the Cult of the
Exception to the 'avoid malware by just not running it' general rule:
A small percentage of threats attack the core of your system directly if
_it_ is vulnerable. That's why you _download and store onto a CDR_ the
latest critical fixes (Service Pack 3 for XP and whatever) recommended
by Microsoft Corporation. You do _not_ install the OS and let it fetch
security updates across the Internet. Why? Because that means
connecting a vulnerable machine to the Internet, which is an Obviously
Very Bad Idea the likes of which only Microsoft could love.
Also, never run any program with more security privilege than it
absolutely needs. This is why you do _not_ put Local Administrator
rights onto your regular login. If you ever need to run a particular
application with Administrator privilege, use the right-click context
menu to do Run As.
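Added example, not part of Rick's post: a read-only PowerShell script that does the "go through them" audit the post asks for on a Windows box. It lists which external program Windows will hand each common public-data file type to, reports whether the Flash ActiveX control is installed, and checks whether the current login is running with Administrator privilege. Assumptions (mine, not the post's): file-type associations are looked up in the standard .ext -> ProgID -> shell\open\command layout under HKCU:\SOFTWARE\Classes and HKLM:\SOFTWARE\Classes, and the Flash ActiveX control lives under %SystemRoot%\System32\Macromed\Flash (SysWOW64 for the 32-bit copy on 64-bit Windows). The list of extensions is my own choice of "public data" types.

```powershell
# Added example (not from the original post). Read-only audit of file-type
# handlers, Flash ActiveX presence, and Administrator privilege on Windows.
# Assumed layout: HK??:\SOFTWARE\Classes\.ext -> ProgID -> shell\open\command.

# Constructed list of "public data" file types worth reviewing.
$riskyExtensions = '.pdf', '.swf', '.doc', '.docx', '.xls', '.xlsx',
                   '.ppt', '.pptx', '.js', '.vbs', '.wsf', '.hta', '.scr'

function Get-HandlerCommand {
    param([string]$Extension)
    # Per-user associations (HKCU) override machine-wide ones (HKLM), so
    # look in HKCU first and fall back to HKLM.
    foreach ($hive in 'HKCU:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes') {
        $extKey = Join-Path $hive $Extension
        if (-not (Test-Path $extKey)) { continue }
        $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        $cmdKey = Join-Path $hive "$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            return [pscustomobject]@{
                Extension = $Extension; ProgId = $progId; Command = $cmd; Source = $hive
            }
        }
    }
    return [pscustomobject]@{
        Extension = $Extension; ProgId = $null; Command = '(no handler registered)'; Source = $null
    }
}

function Test-LocalAdmin {
    # True if the current token is in the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 1. Which external program gets each risky file type? Anything you would not
#    knowingly feed Internet-sourced files to is a candidate for removal.
$riskyExtensions | ForEach-Object { Get-HandlerCommand $_ } | Format-Table -AutoSize

# 2. Is the Flash ActiveX control (the MSIE variant) present at all?
#    Assumed install directories; the 32-bit copy on 64-bit Windows is under SysWOW64.
$flashDirs = @(
    (Join-Path $env:SystemRoot 'System32\Macromed\Flash'),
    (Join-Path $env:SystemRoot 'SysWOW64\Macromed\Flash')
)
$found = $false
foreach ($dir in $flashDirs) {
    if (Test-Path $dir) {
        $found = $true
        Write-Warning "Flash ActiveX directory present: $dir"
        Get-ChildItem -Path $dir -Filter '*.ocx' -ErrorAction SilentlyContinue |
            Select-Object Name, Length, LastWriteTime
    }
}
if (-not $found) { Write-Output 'No Flash ActiveX directory found.' }

# 3. Is this everyday login running with Administrator privilege?
if (Test-LocalAdmin) {
    Write-Warning 'This session has Administrator privilege; use a standard account day to day and "Run as" for the exceptions.'
} else {
    Write-Output 'This session is not running as Administrator.'
}
```

Run it from an ordinary (non-elevated) PowerShell session, since the point of the third check is to see what your everyday login carries. The first section only reports the `open` verb; a browser or mail client may also be configured to pass files to a handler through its own settings, which still have to be reviewed by hand.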