Jun 152010
 

Upon reading the The Rugged Software Manifesto, I decided to summarize my thoughts on what good software should and should not do. In the spirit of “keep it simple, stupid,” I’ve somewhat condensed the 10-item manifesto to three:

  1. The software should do what it’s advertised to do.
  2. The software shouldn’t create a portal into my system via every Chinese and Russian malware package that hits the Internet virtually every minute of every day.
  3. The software should protect the users from themselves.

Let’s dive right in with the first item: software should do what it’s advertised to do. Hey, antivirus vendors — BOO! Yes, that should scare the pants off the the antivirus world, since for the past year their products have essentially failed miserably at protecting Windows-based systems from a litany of malware.

Would you buy a car knowing that the brakes on it would only work four out of every five times? Probably not. So aside from blind obedience to “standard security practices,” why would you purchase and, worse yet, rely on antivirus products knowing that they don’t work? Despite their miserable track record at identifying and protecting against most of the prolific viruses out there, virtually every enterprise network relies on them for securing their computers. After all, the antivirus products claim they protect.

A typical scenario: new malware gets released on the Internet and finally makes the news after a few million computers get infected. The CIO reads an article on CNN about the latest onslaught, then hurriedly calls someone on his or her staff to get an assurance that “their” systems aren’t infected. The staff member reports that all their antivirus products were just updated and that none of their systems is infected. The CIO sighs with relief.

What’s wrong with this picture? Well, let’s suppose the reason that the malware is spreading so successfully is because the current slew of antivirus products wasn’t able to detect it. If that were a valid assumption, then it would also be a valid assumption that scans against the systems “protected” by the antivirus products would fail to detect the malware. This actually isn’t such a hypothetical situation — it’s one that plays out tens of thousands of times every day.

Software programs are generally written for a purpose and sold to provide some sort of solution to customers. If they don’t work well, we get frustrated. If they don’t work at all, we should be getting our money back. And if they don’t work, and the vendors know they don’t work, and people are subsequently harmed by the failure to function as advertised, civil liability should become a problem for the vendor.

Let’s now move on to the second item: software shouldn’t create a portal into my system via every Chinese and Russian malware package. If your first reaction to that statement runs along the lines of “that’s a very politically incorrect statement to make,” you’re obviously concerning yourself about the wrong things. Conficker — ever heard of it? Conficker was released onto the Internet over a year ago and, based on empirical data, we can safely say that more than four million Windows boxes throughout the world are currently infected with one of the three variations of the malware. Four million machines infected — for over a year!

Security researchers know why this has been so difficult to eradicate. First of all, a significant percentage of the infected boxes reside in such places as China, and many of those boxes run bootleg copies of Microsoft products. Because of this, the systems are not “updated” online, resulting in Windows boxes that are never patched. Unfortunately, once a system gets infected with Conficker, it can’t update the system; the malware disables both Microsoft updates and most third-party antivirus products. So from that point forward, you have a box that’s infected with no way of updating either the operating system or the antivirus product (which obviously didn’t work so well in the first place).

And now we have Zeus. If you’ve ever read any of Brian Krebs’s articles about companies having their corporate bank accounts drained, chances are you are hearing about Zeus. Zeus is malware that is designed to do a lot of nasty stuff — the most prominent of which is that it steals all your login and password information you use when logging into your online bank account. A few other annoyances it’s capable of are disabling the antivirus products on the system, blocking Microsoft updates, and it gives the bad guys complete access to your system from halfway around the world. All it takes to load on your system is good ‘ol Internet Explorer and a link.

To add insult to injury, once Zeus captures your bank login credentials, it even phones home to tell the miscreants that you’re currently logged in. They can then send commands to your bank through your computer using your network connection sending your money far, far away.

Zeus works flawlessly. Antivirus doesn’t. And there’s really nothing that Windows seems to be able to do to stop the proliferation of malware that just never seems to go away thanks to the never-ending list of IE exploits. It would be nice if both Microsoft and the antivirus products put a few protections in place against all these back-door applications that actually worked, but I guess their programmers aren’t quite as well motivated as the ones in Russia and China that are writing the malware.

Finally, the third rule I propose: software should protect the users from themselves. If there’s one thing I’ve learned from 27 years of law enforcement, it’s that you can’t protect stupid people from themselves. Really. No matter how hard you try, nature seems to have a way of always trying to clean the gene pool. But there are things that software developers can do.

Have you ever clicked on a link and got a pop-up asking if you really want to install that program? If Microsoft removed that one feature alone, a very significant number of infection vectors would dry up. As an alternative, if the person insists on installing that software he or she just found from a pop-up on a Web page, the operating system should pop up another window asking, “Are you sure?” And finally, if stupid users simply kept clicking on “Yes” just to get rid of the pop-ups, the operating system should provide some final prompt that would require some degree of thought process, such as a prompt asking, “If zero comes first, and next is one, what comes before one?” Or even a warning saying, “If your lips are tired from reading this, please click no.” That would probably prevent a lot of accidental drive-by infections.

There was a study done somewhere some time ago where people were sent e-mails that contained a single sentence, “Do not execute the attached program — it is a virus and will infect your machine.” The “malware” was actually tracking software that, once executed, sent a tick mark to a server somewhere that was designed to count the number of stupid users that actually ran the program. When some of those “victims” were contacted and asked why they ran the program, the most common excuse was “I wanted to see what the virus looked like.”

Seriously, the OS needs to find a way to protect people like that. Google Chrome might very well offer some protections against this by making the computer little more than a client to a server. It’s the way I personally feel the industry needs to be heading.

So while I fully agree that software manufacturers should be held to a much higher standard, some products should be simply taken off the market due to blatantly false advertising.

avatar

Andrew Fried

Andrew Fried is a Senior Consultant with Cutter Consortium's Business Technology & Digital Transformation Strategies practice. His passion and tenacity for identifying and stopping Internet criminal activity has earned him the respect of leading industry experts.

Discussion

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)