Worms, Security, Cell Phones, Oh My

Famous Quotes of the Third Millennium:
"Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks"
—anonymous user who still hasn't figured out that you DON'T OPEN ATTACHMENTS UNLESS YOU'RE EXPECTING THEM, 2001

Let's see, how can I best sum up the last few weeks. How about "Now is the summer of our discontent"? Naaah, poor old William S. is too heavily borrowed-from. "August is the cruelest month"? Well, I've never really forgiven T.S. Eliot for being the author of what eventually became that awful "Cats" play, so perhaps it's fitting revenge—but not direct enough. So let's just go with, "Boy, has this been the summer that the IT business would most like to forget."

The Sircam and Code Red worms have occupied more of my—and other techies'—time in the past month than I care to think about. Fortunately, Code Red's only damage was to crash my Microsoft IIS server. The worm didn't damage my Web pages because I locked the IUSR user account out of the NTFS permissions for every directory on my Web server except for read permissions on my wwwroot and winnt directories and read/write permissions on the one directory where scripts need the permissions.

I locked out the IUSR user account because I don't always have time to apply the most recent patches to IIS bugs. Anyone visiting the Web site is authenticated as IUSR_Webbox. (Your user account won't necessarily be IUSR_Webbox; it will be IUSR_ followed by the name of your Web server. My Web server's name is Webbox, thus the anonymous Web username of IUSR_Webbox.) So, no matter how buggy IIS is, this setup limits the damage to my site. If IUSR can't write to the D:\wwwroot directory, it doesn't matter what IIS is willing to let the worm do—NTFS will stop the worm cold. Code Red did crash my Web server as a result, which wasn't my heart's desire, but a call to Microsoft got the patches, and I was back up and running. (And yes, I know that there's more to this problem—the original Index Server hack attacked IIS at the System account level—but clearly NTFS mitigated the damage.)

The Sircam worm is a different story. Sircam is basically just a batch file. The worm gives the batch file a name such as mydocument.doc.bat, and because Windows hides file extensions by default, an unsuspecting person sees that the attachment is called mydocument.doc rather than mydocument.doc.bat. So the user opens the attachment, executing the batch file and multiplying the fun. At last count, 47 people have sent me the worm. One person has sent it to me 127 times, which has to be a world record in the "who can be most clueless with his computer?" category.

Two factors contribute to Sircam's proliferation: hidden file extensions and user education (or lack thereof). I've always thought that Microsoft's policy of hiding extensions is a bad idea. When I use a new computer, one of the first things I do is tell Explorer to show me the file extensions. I wish Microsoft would change the default setting to "Show file extensions" so that users can see the .vbs, .bat, or .cmd extension on an attachment, and at least some users won't double-click the attachment.
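The double-extension trick described above can also be caught at the mail gateway, before hidden extensions matter. The following is an added example, not code from the original column: the extension lists beyond .exe, .bat, .cmd and .vbs, the verdict names, and the sample filenames are assumptions constructed for illustration.

```python
import ntpath

# The column names .exe, .bat, .cmd and .vbs; the other entries are assumed additions.
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".vbs", ".com", ".pif", ".scr", ".lnk"}
# Harmless-looking extensions a decoy name borrows (assumed list).
DECOY_EXTS = {".doc", ".xls", ".txt", ".jpg", ".gif", ".zip", ".pdf", ".mp3"}
# Assumption: every extension above is a registered ("known") type on the client.
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def normalize(filename):
    """Drop any path part and the trailing dots/spaces Windows ignores."""
    return ntpath.basename(filename).rstrip(" .")


def displayed_name(filename):
    """Name Explorer shows while 'hide extensions for known file types' is on."""
    name = normalize(filename)
    stem, ext = ntpath.splitext(name)
    return stem if ext.lower() in KNOWN_EXTS else name


def classify(filename):
    """Return 'allow', 'block-executable' or 'block-disguised'."""
    name = normalize(filename)
    real_ext = ntpath.splitext(name)[1].lower()
    if real_ext not in EXECUTABLE_EXTS:
        return "allow"
    # What the user sees may itself end in a document extension,
    # possibly padded with spaces to push the real one out of view.
    shown = displayed_name(name).rstrip(" .")
    if ntpath.splitext(shown)[1].lower() in DECOY_EXTS:
        return "block-disguised"
    return "block-executable"


# Constructed sample attachment names, not taken from real mail.
SAMPLES = [
    "mydocument.doc.bat",
    "budget.xls",
    "greeting.exe",
    "notes.txt        .vbs",
    "PHOTO.JPG.PIF ",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:28} shown as {displayed_name(sample)!r:22} -> {classify(sample)}")
```

The gap between `displayed_name()` and the real extension is exactly what the user cannot see with the default Explorer setting, so the filter judges the name the operating system will act on rather than the one on screen.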

I find it hard to believe that by the second half of 2001, some email users still haven't heard that attachments can be fatal. It's been more than a year since I've opened an attachment from someone that I don't know or an attachment from someone that I do know but that I'm not expecting. And I've never run an .exe, .bat, .cmd, or .vbs file that I receive in an email, even those silly greeting cards that people send: I simply reply "Golly, it was really cute, thanks a lot" and delete the file.

I know that some of you think a virus scanner is the answer, but I don't trust them. Many virus scanners were woefully slow to react when the ILOVEYOU, Anna Kournikova, or Sircam worms appeared, so I hate to recommend this crutch that makes people stop thinking before opening files. A better answer is user training. One company uses a dunce cap to reinforce security training: Whoever opens the email virus first must wear the dunce cap for a week. (No, I'm not suggesting that every firm adopt this policy, but it is funny.) I think that displaying file extensions and giving users 10 minutes of training about email viruses will help slow down the spread of viruses. (And be sure to download the patch to Windows Media Player—WMP—before someone gets around to exploiting that bug!)

Security is always an unpleasant topic, and I hate to spend my entire commentary on unpleasantness. Let me finish this month by mentioning two cool products that I've just gotten my hands on. The first is a book about intellectual property and the Internet called "Internet Piracy Exposed," by Guy Hart-Davis (Sybex). As regular readers know, my columns sometimes touch on copyright and IP issues. Hart-Davis has done a stellar job of explaining what is and isn't legal regarding copyrights, and he's made the explanation eminently readable. Then he explains how Napster, Aimster, NetMeeting, and other "piracy" tools work. He even includes an interesting set of vignettes in which actual Internet pirates anonymously justify—or rather, try to justify—their piracy. I found the book a quick and entertaining read.

The second Goodie of the Month is a new cell phone that I picked up, a Nextel 85s. I live in the middle of nowhere, and I got tired of the fact that my old cell phone worked everywhere except my house. I decided to try a Nextel phone after a visitor to my house showed me that he got perfect reception. But what's most interesting about the phone is that it's not only a cell phone; it's also a two-way radio (it works like a walkie-talkie with other Nextel customers) and an email client. The Nextel doesn't just receive email—many phones do that. People can also include canned replies in their email messages to my Nextel phone. For example, someone could include in a message the response options "Yes, that sounds great," "No, I prefer not to," and "Call me and let's discuss it." Then, when I receive the message, I simply choose 1, 2, or 3 as my response—very convenient when I can't get to email on my PC but don't have time for phone tag. The phone's dialer also uses voice recognition, and if I worked with the phone long enough, I think it could do most of what my Palm Pilot does; it even runs Java applications.

The downside? The phone's features are largely undocumented, requiring a bunch of phone calls to Nextel customer service. Unfortunately, three of the five calls that I made were answered by staggeringly unhelpful—even rude—staffers. But Nextel wouldn't be the first company whose silicon units are of higher quality than its carbon units. Which brings us back to user training...
