Slashdot Mirror
Britney is #1 Virus Celebrity
No France writes "The two ways for an email virus to spread is to use an exploit, or entice the user to click the link/executable. Of course the latter is the easiest, and is the most effective when used in conjunction with a celebrity's name.
Despite the recent Jackson suicide emails, Britney Spears is the one to recently edge out Bill Gates as the top virus celebrity. The top 10 (in descending order): Britney Spears, Bill Gates, Jennifer Lopez, Shakira, Osama Bin Laden, Michael Jackson, Bill Clinton, Anna Kournikova, Paris Hilton, and Pamela Anderson."
I've said this many times before, but my idea is to stage virus drills. Every week or so, the IT department should send fake viruses to a random population of the corporate environment. It will have an attachment that will only report to the IT department who opened it. Once a user opens the fake virus attachment, they must watch a 2-hour video on their own time on the subject of "safe email habits".
Pretty soon, they'll be too paranoid to open any attachment.
I'm a big tall mofo.
Yeah, but I had some users who would purposely click on everything just to cause their work system to get a virus. Since it was not their home system, they didn't care and thought it was funny. What needs to be done is to have some sort of consequence for their action if it can be proven that they were not being ignorant, but just stupid. They thought it was humerous until I told them I had to take their system off line for hours until I could get to it and they can go explain why they can't get any work done to management.
There are no loopholes. It's either legal or it's not.
Your points are well taken, but I do take issue with a few of them, and feel it important to respond as follows.
"You're talking about educating human nature out of people."
- If this was the implication derived, I spoke too strongly. I am not implying an absolute solution here, but I am implying we spend far more effort making bullet-proof software then slowing the sale of as many of the armor-piercing bullets as possible.
"The lesson of stories like this one are not that we need to somehow engineer smarter users -- it's that modern information systems are not designed around users to begin with."
- Antivirus software, malware removers, spam-reducing solutions.... these are not designed around users? These systems were designed explicitly to deal with the consequences users encountered. They were not designed in a vaccuum: that is to say, it wasn't reduced to "what are the specs?". It was a bunch of companies capitalizing on the suffering USER base.
"But who would expect opening an e-mail to be a risky proposition?"
- A person who has any idea that a computer is a general purpose machine. That is the point of its design. It can do MANY THINGS. Why should anyone be surprised when it does something new or malicious? IT IS COMPLETELY MALLEABLE! A user that does not know this was never given a proper foundation for operating the machine in the first place. The computer does not equal the toaster oven.
"Having to train users to do alien things should be taken as a sign that your system may not be so well-designed, not as a sign that we need to get cracking on Human Being 2.0."
- Considering how at least a third of the world's adult population can't read in DEVELOPED nations, to say software that some users don't immediately understand and make the stretch to say the software sucks is quite a stretch to make. Why can't we assail all sides of these issues? Why must the responsibility be placed solely on the software developer, and the user be indemnified of all wrong-doing? You can't plan for every possible contigency as to why the problems of the IT world happen, but ruling out one possible angle that you can't disprove and blaming a group of people who, by and large, strive to produce workable solutions is an insult to the good work many among us have done.
The Crimson Dragon
There is a simple solution when dealing with this.
Don't try to educate the users, for that is futile and will fail.
Instead, all the users to educate themselves, by presenting them with the bill for the costs of thier stupidity.
They will learn very quickly...
So rise up, all ye lost ones, as one, we'll claw the clouds.
Sneakiest one I ever saw tried to infect my computer by searching through the currently infected computer's sent messages in outlook express looking for ones with attachments. It took the subject line of the original, changed it to "Re: [original subject line]", and set the body of the message to be something along the lines of:
I hope you didn't open that last attachment I sent you. Turns out it was actually infected with a virus. I've attached a cleanup tool that ought to remove the virus for you. I'm really sorry about that!
Fortunately for me, the last attachment he had sent was a jpeg. So I let him know he was infected with a rather clever virus...
But I rather imagine that that virus didn't spread well for all its cleverness. Relying on the contents of someone's sent folder has got to drastically reduce the number of people for the virus to spread to.
Yes, they did. Back in "the day" viruses were often written in hand-coded assembly. That was craftsmanship, that was /misty eyes. Seriously, visual basic is used mainly for two reasons. Firstly, most virus writers are fairly immature (except those trying to get botnets for money) and visual basic is often the first language they learn. Secondly, visual basic scripts include their source, thus if you want to base your virus on an existing one, it's a lot easier to do with a visual basic one than decompiling a virus and trying to make sense of it. Any other dynamic language would work for this, but windows ships with visual basic interpreter wheras it doesn't include one for perl, python etc. (and dos scripting is too useless)
I am trolling