12/27/2006 3:16:00 PM

Security Bugs and User Responsibility

by Andrew Y. Lindell

Yet another security flaw has been found in Microsoft Word that enables an attacker to take complete control of a system via a maliciously generated Word file. You can see more information on the flaw at FrSIRT and the Microsoft Security Response Center. Security organizations and Microsoft are advising users to be cautious when opening email attachments from unknown senders. Well, this is good advice, but it has nothing to do with the latest flaws that have been found.

It's important to differentiate between two distinct issues. First, software developers have the ultimate responsibility for ensuring that their products are free of bugs, and especially free of security bugs. Second, and irrespective of this, users are responsible for their own behavior and must understand that security bugs in software are likely to always exist. We need not be surprised at new warnings and must be cautious at all times, not just when a new flaw is discovered. How many times are users cautioned to not open attachments when they don't know the identity of the sender? How many times are users informed that they must regularly download the latest available security patches? How many times are users warned to not download "neat applications" from unknown sources on the Web? And the list goes on and on and on.

I want to stress that I am not diminishing the responsibility of Microsoft or any other software developer to release secure products. However, users have to understand that these bugs are not going to disappear. We can therefore choose to just complain and point fingers at Microsoft (or whoever has developed the buggy software), or we can take responsibility for ourselves and stop assuming that modern computers are secure. Modern computer systems are not secure and they probably won't be for a very long time. Let's just be careful!

Just to end with an anecdote, about five years ago I found myself in an airport with a cool machine that enabled anyone (for free) to video themselves and have the short video sent as an email. So, I sent my wife a short video telling her how much I missed her. When I was asked to enter a subject, I unthinkingly wrote "I love you". A few minutes later my wife received an email with the subject "I love you" (as in the I-Love-You virus) from an unknown email address (being the email of the airport), containing a video attachment. The first thing she did was close her email program, disconnect her machine from the network and call her IT team. Well, I felt pretty silly when they found out what caused all the fuss. However, at least I know that my family is careful. :-)


Tags:

Cryptography
