Better Read Than Dead?
That Anti-virus Program May Be Helping Someone Else to Read Your E-mail
By Robert X. Cringely
Another week, another e-mail virus. This time it is nakedwife.exe, a nasty little number that e-mails itself to all your friends and enemies before blowing up your system files. Nakedwife.exe: what are we, stupid? Yes. And as you'll see below, sometimes the cure is even scarier than the disease.
A reader, desperate for support in his mission to convince management that a more thoughtful approach to e-mail is called for in the aftermath of nakedwife.exe, reminded me that I have written before about this basic problem, comparing it to the disease susceptibility of hybrid crops. Nakedwife.exe, like most of these e-mail viruses, afflicts users of Microsoft Outlook under various versions of Windows. Don't run Outlook and you won't have a problem. Don't run Windows and you REALLY won't have a problem. Virus writers aim their work where it can have the greatest effect, which means Linux users running some freeware POP3 e-mail program will probably never be hurt. But that's not the way things work in industry, where the byword is standardization, which is to say "Kick me." No, it says "Kick us all, please."
If, as a systems administrator, you don't want to support more than one e-mail program in your organization, that's fine. Just make the e-mail program you do support one that isn't very popular. The standard here isn't Outlook, which in itself means nothing, it's POP-3 or SMTP, or IMAP. There are hundreds of good e-mail clients, some of them even better than Outlook. Remember your Mom asked, "If all your friends drove on the wrong side of the road, would you do it too?" If all the other kids use Outlook, will you use it too? Wise up. It's not that Outlook is bad, just that using it makes us victims.
Or you can stick with Outlook, if you really must, and rely on virus scanning to keep your e-mail safe. This is a solution of sorts, but like the birth control pill, it has a predictable failure rate. The problem is that viruses can make it past the scanner if the scanner hasn't yet been told about the virus signature. That is, you generally can't filter for viruses until somebody has already been hurt. This latency results in approximately three percent of e-mail viruses making it past a virus scanner -- ANY virus scanner. Heck, the pill does better than that!
The gold standard of e-mail virus detection isn't found in the USA, but in the UK, where MessageLabs scans e-mail for several hundred thousand business users. To my knowledge, there is nothing like MessageLabs in the U.S., and there should be. The service is simple, but thorough. Before your incoming mail even gets to the corporate firewall, it goes through FOUR MessageLabs virus scanners stationed at an interchange point that is the British equivalent of a NAP or a MAE. Three of the scanners are the same ones you could buy except that MessageLabs updates their virus signature databases every 10 minutes, which you wouldn't. Three scanners are better than one because one is always going to post a virus signature before the others and because compounding that 97 percent filtering rate increases the likelihood of catching a given virus to significantly more than 99 percent.
If you feel like taking personal responsibility for protecting your system from e-mail viruses, there are some good standalone products and some very good products that appear to stand alone. In that latter case, I am referring specifically to Symantec's Norton e-mail anti-virus scanner. If you are running this very good program, do you know how it works? Presumably, like most other virus scanners, it sits on your PC applying virus signatures to each e-mail and attachment as they come over the wire. Nope, that's not the way it works.
Norton's e-mail anti-virus program actually hijacks your mail. It replaces your existing pop3 mail server (say cringely.com) with pop3.norton.antivirus.com. It changes your account name, too (in my case replacing "bob" with "bob/cringely.com"). The program leaves your SMTP connection as is, which means it only scans incoming mail. And all that incoming mail is going through the Norton server, which has your password (nabbed from Outlook, just like a virus might do) and could allow your e-mail to be read by anyone with access to the Norton server. In fact, the whole thing feels like a virus, doesn't it?
The Symantec folks are quite up front about how their product works, which is to say you can figure out all this from the documentation -- not that they warn you about it. It is easy to see their rationale, too. By scanning at their place, rather than yours, they can be sure to use the latest virus signatures and even the latest scanning program. Heck, that program can run on any operating system Norton likes, making it possible to use something more robust or scalable than what you may be running on your PC. And by scanning outside your firewall, they keep all the bad jujus out of your network. Still, it scares me knowing that anyone out there has the capability of reading my e-mail, especially given my poor spelling.
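The redirection described above leaves fingerprints in the mail client's own account settings: a POP3 server outside the mailbox's domain, a login rewritten to "user/original-host", and an SMTP server left untouched. The audit below is an added example, not anything from the column or from Symantec; the sample accounts are constructed from the hostnames the column mentions, and the SMTP hostname is assumed.

```python
from dataclasses import dataclass

@dataclass
class MailAccount:
    """One account as a mail client stores it (constructed sample data)."""
    name: str
    pop3_server: str
    pop3_user: str
    smtp_server: str

def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation; enough for this audit."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def audit_account(acct: MailAccount) -> list[str]:
    """Return findings that indicate a third party has been inserted into the POP3 path."""
    findings = []
    mailbox_domain = None
    # A proxy that logs in on your behalf has to remember the real server somewhere;
    # the "bob/cringely.com" form smuggles it into the username.
    if "/" in acct.pop3_user:
        _, _, original_host = acct.pop3_user.partition("/")
        mailbox_domain = registrable_domain(original_host)
        findings.append(f"POP3 username embeds original host {original_host!r} (proxy-style login)")
    elif "@" in acct.pop3_user:
        mailbox_domain = registrable_domain(acct.pop3_user.split("@", 1)[1])
    # Credentials and every inbound message go wherever this hostname points.
    if mailbox_domain and registrable_domain(acct.pop3_server) != mailbox_domain:
        findings.append(f"POP3 server {acct.pop3_server!r} is outside mailbox domain "
                        f"{mailbox_domain!r}: password and incoming mail go to a third party")
    # Incoming rerouted but outgoing left alone: only one direction is being scanned.
    if findings and registrable_domain(acct.smtp_server) != registrable_domain(acct.pop3_server):
        findings.append("SMTP server untouched: only incoming mail passes through the third party")
    return findings

# Constructed accounts: the original settings and the same account after the rewrite.
UNTOUCHED = MailAccount("before", "cringely.com", "bob", "cringely.com")
REDIRECTED = MailAccount("after", "pop3.norton.antivirus.com", "bob/cringely.com", "cringely.com")

if __name__ == "__main__":
    for acct in (UNTOUCHED, REDIRECTED):
        print(acct.name, audit_account(acct) or ["no findings"])
```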
This business of how the system works differently than we expect isn't new at all. I remember back in the days before there was commercial use of the Internet, when corporate e-mail in Silicon Valley typically used the UUCP system. UUCP (Unix-to-Unix Copy Protocol) had a different naming convention than we use today (bob!cringely.com -- the exclamation point was pronounced "bang" -- instead of bob@cringely.com) and the complete address even contained routing information. It's that routing information that spooked me, because in the mid-1980s, all Apple e-mail arrived through a server at Sun Microsystems (sun!apple.com). Still, the mail went through, but that was a much simpler time.
The moral of all this is that nothing really works the way we think it does and we simply aren't secure, even when we think we are.
Now I have three quite specific beefs with this system as it presently pretends to function. First, there are all these darned viruses. Have you noticed how the story behind the virus is so often that it was written in a programming class? What the heck are students doing writing viruses in class? Which computer science class, exactly, is the one for virus writers? What advantage is there for a student to know how to write a virus? Does it somehow help them in other programming tasks? I don't think so.
Second, why are our systems so darned insecure? Do they have to be? I have a friend who is in charge of data security for a large defense contractor and he claims that most of the current security threats -- viruses, trojans, denial of service attacks and others -- are easily handled with relatively simple hardware and software. If that's the case, then why do companies lose data? Why are viruses so disruptive? Why can denial of service attacks shut down a Yahoo or a Microsoft? My friend says, quite bluntly, it's because many data security "experts" aren't all that smart.
And finally, we get to the very heart of the problem as defined, I believe, in RFC 1281, which says we're on our own because there isn't any data security built into TCP/IP, nor will there ever be any. Why? This is like freezing the price of gold at $35 per ounce -- ultimately impossible and generally hindering growth. Just because it made no sense to add security to TCP/IP in 1973, why can't we add it today? We can and we should. The fact that we don't comes down to sheer laziness and an appalling lack of imagination.