A summary of comments on the subject of the Love Bug virus and related issues, starting with a flame from yours truly.

------------------------------------------------------------------------

From: "Paul Hilfinger"
Subject: Public perceptions of computer security
Date: Mon, 08 May 2000 16:21:20 -0700

Colleagues,

Perhaps some of you saw the comments of supposed experts concerning the "Love Bug" virus last Friday on The Newshour with Jim Lehrer. I hope that I was not the only one who was appalled.

Basically, their commentary implied (intentionally or not) that (1) viral attacks of this nature are unavoidable, and (2) when they (inevitably) occur, it requires active efforts on the part of the virus-scanning industry to produce countermeasures and users must be ever-vigilant to make use of the latest countermeasures as soon as they are available, and (3) there will always be a window (hopefully narrow) during which the attacks succeed.

As far as I can see, the truth of the matter is that (1') viral attacks of this nature are in principle entirely avoidable (even if one insists on having executable attachments), (2') their avoidance should not require ongoing active efforts, but (3') their avoidance DOES require some care and re-design on the part of software vendors (most notably Microsoft).

As long as the public continues to believe 1-3, there will not be the pressure to accomplish 1'-3', so programs such as the one I cited are in fact detrimental to network security.

I reluctantly contemplate getting publicly into the fray. First, though, I solicit your advice and comments on how most effectively to proceed.

Paul

----------------------------------------------------------------------------

From: "Paul Hilfinger"
To: Doug Tygar, Joe Hellerstein
Subject: Re: Public perceptions of computer security

Doug Tygar writes:

> Actually, I'm not convinced that viral attacks in general are avoidable
> (although specific attacks are certainly avoidable.)
> I would be interested in knowing how you would prevent the attacks in general.

Although my remarks apply to a range of different applications, I was referring specifically to the content of the article in question: e-mail attachments. There is, of course, an obvious existence proof: I am NEVER infected by these viruses and never will be since I don't EVER look at (potentially) executable attachments except under duress and when I am very sure of their provenance. Personally, I doubt that the value added of executable attachments outweighs the risks. But let's, for the sake of argument, assume that there is some substantial value to them.

Under the assumption that such attachments are valuable, there is nothing in principle that requires that, once executing, they must have unlimited access to one's system. The Java model of providing that all iffy accesses be subject to being checked against a security policy allows a system in which, for example, the out-of-the-box default provided to normal users is an extremely conservative policy that (e.g.) allows limited amounts of reading and writing in pre-specified sandbox directories, and asks permission for other things (and the user is provided with documentation that says "Usually, don't give permission unless ...").

This brings us to Joe's point:

Joe Hellerstein writes:

> I'm not sure I disagree with the experts. Until you show me a complete,
> usable desktop computing system that's formally proven to be safe on all
> inputs, I would concur with their analysis. If you don't analyze behavior
> on all inputs in all states, you can't prove anything about opportunities
> for exploitation.
> If you can't prove anything, there are windows of opportunity. So the
> game is to narrow those windows. Now you can jump up and down that people
> don't use well-known techniques to do that, but the spirit of their
> comments is still mathematically correct. No?

No.
What you are saying is that because we are human, there will be bugs -- errors -- in our system security software. Undoubtedly true, whatever Prof. Dijkstra may think. But that's NOT what these experts were arguing. They were implying that successful infection by a virus is NOT the result of an error in our system software, but that our system software by its nature must inherently allow infection by novel viruses for at least the brief period before someone takes action -- in effect that not even God could write a (usable) system that would keep out e-mail viruses.

Remember the nature of the security systems these guys are advocating -- mutations of a virus performing a particular attack can get through. In contrast, the nature of errors in traditional OS security (as addressed, say, by security patches from Sun) is that when the error is patched, an infinite set of related attacks, regardless of mutational disguise, are forever prevented.

That's what I meant by my remark concerning the pernicious nature of the biological metaphor at the retreat: we don't get infected because there are errors in our makeup, we get sick because given the design of our immune systems, we MUST be subject to attack by new (or modified) organisms. In contrast, OS's get "sick" because of buffer overruns, failures to encrypt, failures to evaluate things in the proper protection domain, and other (correctable) ERRORS. Even if we never reach perfection, we CAN get closer to it. These experts I am railing against, by contrast, imply that it is impossible EVER to get more secure. This is a dangerously false message. Granted, I don't know if they've actually thought about the implications of what they've said, or whether they'd change their tune when faced with my objections, but that's irrelevant to the fact that they have grievously misinformed the public.

By the way, as one who dealt with his first security issue almost 30 years ago, I am not insensitive to how difficult the problem can be.
In particular, I think that denial-of-service attacks are particularly sticky (although in the most recent example, the real issue was that there were systems that could be broken into to provide bases for attack). Nevertheless, in contrast to these experts, I know that the situation can be radically improved, and I believe it therefore irresponsible to suggest to the public that they might just as well shrug and accept the inevitable.

Paul

------------------------------------------------------------------------

From: "Paul Hilfinger"
To: Doug Tygar, Joe Hellerstein
Subject: Re: Public perceptions of computer security
Date: Tue, 09 May 2000 00:14:27 -0700

Doug Tygar writes:

> So, let's say I want to send you a Word document, or an Excel spreadsheet,
> or a URL for a great piece of shareware. What will your response be? Is
> it unreasonable to want to share Word documents?

No, but why ON EARTH should Word or Excel be designed in such a way that I have to worry about opening a document?! These programs don't really need to be able to perform completely arbitrary operations without a user's knowledge, consent, or permission. With proper design, they could allow only certain operations (or access only to certain files) without explicit permission, and require "informed consent" for anything exotic. Details matter here. The burden, it seems to me, is on others to give me specific examples of what kinds of potentially dangerous operations really have to be allowed without fetter; I suspect that a careful examination will show that there aren't any such operations.

Consider even the question of executing arbitrary shareware. Now in one sense there isn't much of a problem here, since a user presumably understands (in contrast to someone opening a Word document) that he is about to execute an arbitrary piece of code that can do anything, and so he shouldn't be surprised at anything that happens.
However, with modern operating systems (even not-so-modern ones), the careful user could set up a special account for trying out shareware -- one with a quota and perhaps with limited net access, for example. This would limit damage done by a malicious program. Such a "sandbox account" could be made to implement rather elaborate security policies. Of course, such treatment would not work for a utility program, but at least it is the user's decision -- as informed as he wants it to be -- whether to use the utility. My point is that if relatively straightforward techniques like this can limit the damage done by rogue shareware, we ought to be able to do a really good job with Word documents.

> Your point about restricted execution environments is a good one, although,
> of course, as you point out, one is constantly tempted to waive those rules
> to do really interesting things with applications.

Poorly designed security is onerous, and apt to be circumvented, but well-designed security measures can be pretty convenient. I use ssh, for example, which allows very convenient access between machines. To make the security-is-too-much-trouble argument properly, one would have to produce examples of important classes of functionality that FUNDAMENTALLY require burdensome security measures to run safely. It's not enough even that they NOW require such measures, since I readily acknowledge that there is work to be done. I have yet to see a single example of an important functionality with insurmountable, INHERENT security problems.

I wrote:

>> Nevertheless, in contrast to these experts, I know that the
>> situation can be radically improved, and I believe it therefore
>> irresponsible to suggest to the public that they might just as well
>> shrug and accept the inevitable.

In response to which, Joe Hellerstein wrote:

> Might this be the crux of your irritation? It's a very defensible point.
> I suppose your analogy in virus-land here would be to convene a group of family
> planning "experts" to conclude that "AIDS happens", it's part of planetary
> evolution that people will die from sex and drug use, and the hell with condoms
> and clean needles. Not a pretty point of view. I agree that a little bit of
> "safe computing" religion from our friends at the OS companies would go a long
> way.

Yes, this is the crux of my ire (it is stronger than irritation). Even here, though, beware of biological metaphor: in contrast to the situation with human sex, my point is that it is entirely reasonable to expect "automatic condoms" from vendors, so that users (1) know when they do unsafe things and (2) those unsafe things are pretty rare.

Paul

------------------------------------------------------------------------

To: Doug Tygar, Joe Hellerstein
Date: Tue, 09 May 2000 19:14:55 -0700
Subject: Re: Public perceptions of computer security

Doug Tygar writes:

> On one level, I agree with you, but on another, I'm not so sure. The macro
> facilities in Word and Excel are useful to some users, and because of the
> way the applications are used, macros should travel with the underlying
> document. Hence, a virus problem. One problem is that opening a file
> doesn't mean what people think it means, and the other is that saving a
> file doesn't mean what we think it means.

As I said in an earlier message, God is in the details. You are committing what I think I shall call the "Fallacy of the General Case": "There are users who want to be able to have their Excel spreadsheets write files in class X. Oops, writing file F compromises the system. Too bad, I guess security is impossible." This argument (very common) is invalid unless F is a member of X. You have to argue that checking that file references are restricted to some safe class X is inherently impossible.
(Note: I am using "writing files" as a generic risky operation; clearly there are others, like launching arbitrary applications). You might argue that we don't know in advance what files a user might want to have his macro write. But this asks the wrong question. I would look at examples of how users used exotic macros and propose a general safe class whose boundaries our applications and system software could easily enforce. Users could then try to work within that class (and perhaps evolutionarily evolve its boundaries). I speculate that this is not a particularly difficult problem -- that the extent of users needing truly arbitrary things out of their Excel macros is grossly exaggerated.

Which suggests, perhaps, Doug's last point:

> The great dream of security specialists is an overarching framework that
> addresses all these problems, but I think that in fact the problem will be
> fought in the trenches -- application by application.

Again, my main point in this entire discussion is that I am hearing extremely dangerous, essentially fatalistic, talk about system security that is not justified by the facts. There is a good deal of work to be done, but the point is that it CAN be done, contrary to what the public is told now.

Paul

------------------------------------------------------------------------

From: dewar@gnat.com (Robert Dewar)
To: discuss@isoc-ny.org, eric@voluntech.org, jrh@umcc.ais.org
Subject: Re: Discuss: Microsoft and Viruses
Date: Tue, 9 May 2000 09:53:05 -0400 (EDT)

Unknown individual 1 writes:

>> It infuriates me that virtually all the press puts the blame on
>>
>> a) the evil kid who wrote the virus
>> b) the stupid users who do not take care to protect themselves
>>
>> when in my mind, most of the blame should be placed on Microsoft designing
>> a system without even the SLIGHTEST thought about system security.
>> Basically
>> the problem is that Windows and its associated technology was developed
>> when MS was clueless about the Web, and worrying about Web security was
>> simply not on their radar screen.

Unknown individual 2 writes:

> Absolutely. I begged my company not to use Exchange / Outlook as our mail
> system. Utter lack of security and susceptibility to this kind of denial of
> service were a few of my reasons.
> Only one person (Sen. Orin Hatch, to my dismay) actually got the press to
> listen to him regarding this. His office doesn't use Outlook for e-mail,
> and thus wasn't directly affected by this attack.

Robert Dewar:

It is not just denial-of-service, this worm actively deleted files. Some worse copy cat versions delete critical system files so that your system can no longer boot! Now what kind of system allows itself to be destroyed by email this way?

------------------------------------------------------------------------

From: dewar@gnat.com (Robert Dewar)
Subject: another viewpoint
Date: Tue, 9 May 2000 10:05:41 -0400 (EDT)

From owner-discuss@isoc-ny.org Tue May 9 09:40:24 2000
From: "Rosen, Scott"
To: Eric Hancock, Robert Dewar, dewar@gnat.com, discuss@isoc-ny.org, jrh@umcc.ais.org
Subject: RE: Discuss: Microsoft and Viruses
Date: Tue, 9 May 2000 09:39:08 -0400

Here is another, interesting take on the issue by Rob Rosenberger, operator of the Computer Virus Myths site, http://www.kumite.com/myths/, who takes issue with pinning the blame on Microsoft (and others).

- Scott

5 May 00

NBC'S TOM BROKAW opened yesterday's newscast not with the death of John Cardinal O'Connor, but with the death of the Internet. Brokaw works in the same city as America's greatest Roman Catholic leader, yet the old geezer played second fiddle to a mediocre worm/virus. Amazing.

The Internet died yesterday, by the way. Oh, the humanity! Let's all pause for a nano-minute of silence... {sniffle} I'll miss the web even more than the dead priest guy.
(What was his name again? Right, O'Connor.) CNN.com focused so much journalism effort on the ILoveYou virus that they couldn't even offer the Catholic leader a correct title. (It's "John Cardinal O'Connor.") Makes you wonder if CNN.com ever demeaned "Her Royal Highness, Queen Elizabeth."

Yes, you heard me: a mediocre worm/virus. Peter Watkins (Network Associates) and other antivirus bigwigs agree with me on this point.

True story. I checked my email in an airport Internet bar yesterday. Brokaw came on the air -- and the bar turned into a movie set. Camera One focuses on my face: "Could you turn that up?" Camera Three focuses on the bartender as she operates the TV remote. Camera Two pans the patrons, who all fall silent as Brokaw describes the horrifying über-virus. Then the news shifts to some old guy in a casket. Camera One stays on me as I toss a bill on the counter, swig one last gulp of beer, and turn to leave.

Man, I shoulda raised my pint to the patrons. "A toast to the Internet: we hardly knew ye..." Hear, hear.

OKAY, ENOUGH WHINING. Let's go over the stuff you need to think about. Caution: you'll upset many corporate virus experts and CIOs if you point these things out to them.

First, ask yourself a simple question. Did the virus itself clog up your company's email system -- or did hysterical virus alerts clog up your company's email system?

If your company got whacked by the ILoveYou virus, don't ask why it happened so quickly. Ask why it happened at all! Didn't the experts learn about this problem last year when Melissa struck?

If your company virus expert says "we learned enough to react in minutes instead of hours," then you should ask why your firm still responds to viruses after the fact.

If someone blames Microsoft Windows or Microsoft Outlook or Microsoft Visual Basic Scripting, ask why antivirus software didn't stop the virus at the email gateway.
"The attachment name said '.txt.vbs', yet your recommended antivirus solution couldn't recognize such a simple (and well known) trick. What gives?" If your virus expert blames Microsoft's ubiquity for the virus, ask how much more common the world will grow when we standardize on Java or Linux or whatever else comes next. If he/she babbles about improved security in the next great operating system, ask "why did Java specification v1.1 downgrade its security model?" If someone recommends replacing Microsoft Outlook with another product, tell them "A virus must first reach a computer before it can ever hope to infect it. Email offers an excellent transmission method no matter what email product we use. Thus, we should try to stop viruses before they enter our email infrastructure." If your virus expert says the firm uses gateway antivirus software, say "it doesn't work very well, does it?" If a virus expert urges you to get daily antivirus updates, argue "first you told us to inject updates into our computers on a quarterly schedule. Then you told us to inject updates on a monthly schedule. A few years ago you started telling us to score a fix every week. Last year you told us to avoid Y2K viruses by injecting our computers on a daily basis. I swear, you sound like a pusher and I feel like a drug addict." If a virus expert says you need antivirus software to protect you from ILoveYou, say "if we'd turned off Windows Visual Basic Scripting last week, then our PCs wouldn't have gotten infected. This means our PCs could've protected us from ILoveYou before it even existed. We don't need to update our antivirus software -- we need to update our antivirus experts!" I could go on for hours about all the stupid things pseudo-experts will recommend in the days to come. Things like precautionary disconnects. Time-delayed email scanning. Persistent antivirus updates (you'll need a persistent Internet connection). Redundant virus scanners. Crippled user interfaces. 
Obscure operating systems. Expensive replacements for the software you already own & use...

Fearmongers will moan the obligatory "wake-up call" phrase. Every expert on the planet (myself included!) will try to get valuable free media exposure. Reporters will create instant experts out of thin air without even trying. Firms will issue press releases calling themselves the "first" to save the world from the evils of ILoveYou. ICSA already started the stats race with a press release containing estimates. ($1 billion, 30%, 70%, blah blah blah.) Editors will write countless witty headlines based on a catchy virus name.

And for what? So we can continue to employ shallow thinkers in the computer security world? Bah.

I honestly believe the media enjoys making funeral arrangements for the Internet. We've mourned its demise twice this year already! (Three times if you count the Y2K virus media fiasco.) Cardinal O'Connor only gets one funeral by comparison.

------------------------------------------------------------------------

From: "Eric Hancock"
To: "Robert Dewar", discuss@isoc-ny.org, jrh@umcc.ais.org, hilfingr@cs.berkeley.edu
User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022
Subject: Re: Discuss: Microsoft and Viruses
Date: Tue, 09 May 2000 11:29:39 -0400

In all fairness, it would be possible to send me a malicious shell script in an e-mail message. If I opened it in KMail under Linux and ran the enclosure, the same kind of damage is possible. Of course UNIX variants are designed to be multi-user systems, and I wouldn't have privileges to do much system-level damage. It would be harder to write a spam shell script, but certainly possible. I could do the same to a Mac using AppleScript.

Windows, however, makes this a bit too easy. I won't even get into what I can do with Active Directory and a vba script.
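Editor's note: Rosenberger asks above why the gateway scanner could not recognise an attachment named '.txt.vbs', and Hancock's message makes the complementary point that the danger lies in what the receiving machine will run. The following is an added example, not code from any message in this thread. It is a gateway-side attachment check in Python that parses a MIME message with the standard library and flags every attachment whose final extension is one a Windows shell of the day would hand to a script or program host, whatever decoy extension precedes it. The extension list, the addresses and the sample message are constructed for the demonstration; the attachment name LOVE-LETTER-FOR-YOU.TXT.vbs is assumed here and the payload is a placeholder.

```python
"""Added example: a gateway check for the '.txt.vbs' double-extension trick.

Not code from the thread. It parses a raw RFC 822 message with the standard
library and reports every attachment whose LAST extension is one that the
Windows shell would hand to a script or program host, no matter what decoy
extension ('.txt', '.jpg', ...) precedes it. The sample message built below
is constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions the gateway refuses outright. A subset chosen for the example,
# not an exhaustive list of everything Windows will execute.
EXECUTABLE_EXTENSIONS = {
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
    "exe", "scr", "pif", "com", "bat", "cmd",
}


def risky_extension(filename):
    """Return the lower-cased executable extension of `filename`, or None.

    Only the final extension matters: 'LOVE-LETTER-FOR-YOU.TXT.vbs' is a
    VBScript file to the shell, whatever the '.TXT' in the middle suggests.
    """
    if not filename or "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].strip().lower()
    return ext if ext in EXECUTABLE_EXTENSIONS else None


def flagged_attachments(raw):
    """Parse a raw message (bytes) and return [(filename, ext), ...] for
    every attachment the policy would block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        name = part.get_filename()
        ext = risky_extension(name)
        if ext:
            hits.append((name, ext))
    return hits


def build_sample():
    """Constructed sample: a note with a script attachment hiding behind a
    '.TXT' decoy, plus a harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # assumed address
    msg["To"] = "you@example.com"        # assumed address
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("please see the attached note.")
    msg.add_attachment(
        b'MsgBox "hello"',  # placeholder payload, not the worm's code
        maintype="application", subtype="octet-stream",
        filename="LOVE-LETTER-FOR-YOU.TXT.vbs",
    )
    msg.add_attachment("just some notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ext in flagged_attachments(build_sample()):
        print(f"BLOCK {name}: executable extension .{ext}")
```

The check is deliberately independent of any signature: it refuses the class of attachment rather than one worm, which is the sense in which Rosenberger says the PCs "could've protected us from ILoveYou before it even existed". A real gateway would also look inside archives and at the declared Content-Type, which this example does not do.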
------------------------------------------------------------------------

From: dewar@gnat.com (Robert Dewar)
To: discuss@isoc-ny.org, eric@voluntech.org, jrh@umcc.ais.org
Subject: Re: Discuss: Microsoft and Viruses
Date: Tue, 9 May 2000 11:41:15 -0400 (EDT)

<>

But it would not get done in one click, and you would be FAR more likely to know what you are doing. People do NOT mail shell scripts around to one another, but they DO mail ordinary microsoft attachments because they are encouraged to do so. You can obviously also send an executable as an attachment, which once detached, and detarred and unzipped etc can be run and cause (limited) damage, but this is not a standard way of doing things. That's the insidious thing about the microsoft situation. MS has encouraged very dangerous behavior as the normal order of business. In Newsweek, a Microsoft executive is quoted in the ILOVEYOU article as saying that it is not acceptable to restrict functionality of the system in response to attacks of this kind.

------------------------------------------------------------------------

From: Doug Tygar
Subject: Re: Public perceptions of computer security
Date: Tue, 09 May 2000 19:44:18 -0700

> Again, my main point in this entire discussion is that I am hearing
> extremely dangerous, essentially fatalistic, talk about system
> security that is not justified by the facts. There is a good deal of
> work to be done, but the point is that it CAN be done, contrary to
> what the public is told now.

I think I understand your point, and this certainly is valid. One problem I have with media comments is that they tend to over-simplify everything. I think everyone (except people from Microsoft) would agree that Microsoft has been pretty cavalier about security in their systems (thus the excellent question that appeared in print media, at least: why was VB scripting turned on by default anyway?)
My conclusion is that Microsoft is just too sloppy about *everything* to care; and for some reason, public ridicule about their poor security doesn't seem to stick. People end up blaming the guy in the Philippines, not Microsoft.

Bottom line: if you decide to go to the media, you'll need to be very clear (and concise) about your point, or else it will be easy to misunderstand.

------------------------------------------------------------------------

> From: Danny Sleator
> Subject: the real "lovebug"
> Date: Wed, 10 May 2000 12:10:08 -0400
> Message-ID: <23614.957975008@bobo.link.cs.cmu.edu>
> Sender: Daniel_Sleator@bobo.link.cs.cmu.edu
> Bcc: Blind Distribution List: ;
>
> I've seen a bunch of stories on this in the mainstream media (NYTimes,
> NPR, CNN, CBS). Lots of moaning and hand-wringing about the inherent
> and unavoidable dangers and risks of technology, and the completely
> irrelevant story about tracking down the "culprit" who they blame for
> costing businesses "$2.5B".
>
> None (except for a brief comment in the WSJ) have pointed out the
> obvious fact that Microsoft is TOTALLY to blame for this problem.
> Microsoft did not install obvious, simple, prudent protections that
> would completely eliminate this kind of thing. Finally somebody pointed
> me to this article by James Gleick:
>
> http://slate.msn.com/Features/lovebug/lovebug.asp
>
> Interesting that this appears on a Microsoft site. :-)
>
> Danny

------------------------------------------------------------------------
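Editor's note: Hilfinger's "Fallacy of the General Case" argument earlier in this thread turns on one concrete claim, that an application can check whether a macro's file references fall inside some pre-specified safe class X, with the conservative default being a few sandbox directories. The following is an added example, not code from any message in the thread, that works that check through in Python: a macro's write request is allowed only if the target, after resolving relative paths, '..' components and symlinks, lies inside a sandbox root, and is refused otherwise (a real system would turn the refusal into the explicit permission prompt he describes). The sandbox layout, the request names and the file names are assumptions made for the demonstration; the scratch directories are created under the system temp directory.

```python
"""Added example: Hilfinger's "safe class X" check for a macro's file writes.

Not code from the thread. The policy is the conservative default he
describes: a document-embedded macro may write only inside a few
pre-specified sandbox directories; anything else is refused (a real system
would turn the refusal into an explicit prompt). The sandbox layout and
file names are assumptions made for the demonstration.
"""
import os
import tempfile
from pathlib import Path


class PolicyDenied(PermissionError):
    """Raised when a requested write falls outside every sandbox root."""


def canonical(path, cwd):
    """Absolute, '..'-free, symlink-resolved form of `path`.

    Relative paths are taken against `cwd`. realpath() resolves the
    components that already exist, so a symlink planted inside the sandbox
    that points outside it is followed and judged by its real target.
    """
    p = Path(path)
    if not p.is_absolute():
        p = Path(cwd) / p
    return Path(os.path.realpath(p))


def check_write(path, sandbox_roots, cwd):
    """Return the canonical target if it lies strictly inside one of
    `sandbox_roots`, otherwise raise PolicyDenied.

    Both sides are compared in canonical form, so '../' escapes, absolute
    paths and symlink tricks are all decided by where the write would land.
    """
    target = canonical(path, cwd)
    for root in sandbox_roots:
        root = Path(os.path.realpath(root))
        if target != root and root in target.parents:
            return target
    raise PolicyDenied(f"{path!r} resolves to {target}, outside the sandbox")


def macro_write(path, data, sandbox_roots, cwd):
    """The only file-writing operation the macro is given: check, then write."""
    target = check_write(path, sandbox_roots, cwd)
    target.write_bytes(data)
    return target


def demo():
    """Exercise the policy against four macro requests in a scratch
    directory; returns {request name: 'allowed' | 'denied'}."""
    base = tempfile.mkdtemp()
    sandbox = os.path.join(base, "sandbox")
    outside = os.path.join(base, "outside")
    os.makedirs(sandbox)
    os.makedirs(outside)
    # A hostile document could have planted this on an earlier open: a
    # symlink inside the sandbox that leads out of it.
    os.symlink(outside, os.path.join(sandbox, "escape"))

    requests = {  # assumed request names and file names
        "plain":     "report.csv",                        # inside: allowed
        "traversal": "../outside/owned.txt",              # '..' escape
        "absolute":  os.path.join(outside, "owned.txt"),  # absolute escape
        "symlink":   "escape/owned.txt",                  # symlink escape
    }
    results = {}
    for name, req in requests.items():
        try:
            macro_write(req, b"macro output", [sandbox], cwd=sandbox)
            results[name] = "allowed"
        except PolicyDenied:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

The point of resolving with realpath() before comparing is the caveat a practitioner would want: a purely lexical check ("does the string start with the sandbox path?") passes the symlink case and the absolute-path-with-matching-prefix case, and it is exactly those details that Hilfinger says "matter here". A complete implementation would also hold the sandbox open and write relative to that directory descriptor, so the check and the write cannot be separated by a concurrent rename.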