Editor’s Note: Instead of Throwing Everyone In Jail, Fix Your Lousy Products

by Carla Schroder
Managing Editor

Jim Sansing wrote an excellent rebuttal, “Punishment vs. Prevention”,
to Mikko Hypponen’s article “Growth in Internet crime calls for
growth in punishment”. Mr. Sansing’s article has several ideas that
are considerably more sensible than Mr. Hypponen’s:

“The truth is, much of the problem is
technological.”

Then he makes several good suggestions on preventive
technological measures, such as establishing a certification
program for secure programming, and strong security in common
Internet protocols. To me they make more sense than the usual
tired, useless advice emitted by the security industry, which in
all these years of “fighting” malware has not advanced beyond
“Don’t open suspicious attachments and be careful which Web sites
you visit, oh and buy our products.” They do not address prevention
at all; they’re still stuck at locking the barn door after the
horse has been stolen. Competing products war with each other and
suck up system resources like drunks on benders. Windows users
might as well just connect all their computers to each other and
let them duke it out on their own.

Have any of them – has one single vendor, whether it’s Symantec
or Trend or McAfee or F-Secure or anyone – ever said “Quit throwing
your money down a rathole – stop using Windows, or at least don’t
put it on the Internet”? Wouldn’t that little tidbit of honesty be
refreshing? But no, they’ll never do that. If the same conditions
existed in, say, the small home appliances industry people would be
getting electrocuted by their toasters and hair dryers every day,
and the manufacturers would advise them to learn correct handling
of live wires, and a thriving industry of insulated safety garments
would prey on the survivors. If they made safety gear for swimmers
it would be so bulky and uncomfortable they either wouldn’t use it,
or they would drown under the weight of it.

Following current trends, anyone who criticized them would be
persecuted under the DMCA.

Feh on the Security Industry

I’ve been unimpressed by the computer security industry for many
years. They’re reactive, marginally effective, have an unhealthy
dependence on the status quo, and they’re way too willing to give
their corporate buddies a pass on the very same egregious behaviors
that they condemn when it’s someone who is not a fellow goodoldboy.
Or goodoldgirl, as the case may be.

My favorite example is the infamous Sony rootkit (the first one,
not the second one). F-Secure doesn’t look very heroic in that
fiasco, despite their heroic efforts to appear heroic:

“It didn’t take a computer scientist with a PhD to
sniff out Sony BMG’s software glitch. It was spotted by John
Guarino, owner of TecAngels.com, a two-person PC-repair outfit in
midtown Manhattan…After investigating, he discovered that it was
Sony BMG’s software.

“That’s when F-Secure got into the act. Guarino sent an e-mail
to the Finnish company…”

The article goes on to explain why F-Secure didn’t go
public:

“F-Secure and First4Internet made little progress
because they couldn’t agree on the terms of a nondisclosure
agreement.”

When Mark Russinovich broke the story, F-Secure followed hot on
his heels and glommed the glory. Interestingly, and I am sure it’s
a total coincidence and completely unrelated, Microsoft purchased
Mr. Russinovich’s company, Sysinternals, a few months later. It’s
ever so cynical to believe that they were purchased to silence any
possible future outbursts of truth; why would a company that is
whole-hog into FUD, DRM, lock-in, and controlling customers’
equipment and data want to do that?

Not Only Bribes, But Lousy Bribes

I don’t do many product reviews because I can’t afford to purchase
many items for independent reviews, and if I do accept a review
unit then I am forced to deal with the vendor more than I want to,
which is often not a positive experience. My absolute worst
experiences were with security products. I still remember some
Internet-gateway-in-a-box thingy that I reviewed some years ago –
it was hot purple with gaudy orange cables. I commented on the
colors in the review, and the vendor crabbed at me about it. It had
very noisy cooling fans, which is not a good thing for a device
billed as “place it anywhere, even on your desk!” Right, if you
want hearing loss. They didn’t like that either. My advice to make
it quiet both in colors and noise, instead of getting on my case,
was not appreciated.

After the first Sony rootkit debacle things heated up for the
security industry, and some of them were desperate for some good
press. I won’t name names because I’m chicken, but suddenly I was
getting offers of all-expenses paid trips to conferences, cool
hardware things for “permanent loan”, and all the (Windows-based,
of course) software I wanted. I hate conferences, especially the
kind infested with clingy parasitical propaganda people, and I
don’t need gobs of stuff cluttering up my house, so even if I were
receptive they weren’t hitting the right buttons. The worst offer
of all was to be a salaried in-house shill writing white papers and
“helpful” “technical” articles. Easy half-time work for full pay! I
don’t mean to sound like I think I’m some kind of saint, but I do
have some pride, and if all I wanted to do was make money I’d be a
drug dealer because it’s more honorable.

While law enforcement does need to join the new millennium and
have a role in investigating and prosecuting cybercrime, it’s only
useful after a crime has been committed. When anyone talks about
involving law enforcement in prevention, it almost always means
eroding more of our liberties and invading our private lives even
more. So please read Jim’s article, and if you have any additional
suggestions I’d love to hear them. It would be nice to actually
figure out what to do before every thought, word, and deed are
criminalized.
