Today is a good day to code

The Security Question

Posted: December 31st, 1969 | Filed under: Companies, Sun Microsystems, Uncategorized

[Picture of Irv Owens, Web Developer]

It seems that something like three in every ten tech articles is about some virus, exploit, or other security warning. They are starting to sound like the local news, predicting doom and gloom because clicking on this email or that link can wipe out your computer. I think they are being particularly unfair to Apple, being the largest company with a reputation for security. It wouldn't surprise me too much to see them pay someone to write a Mac virus so that they would have something to talk about. I guess dual-core processors aren't a juicy enough topic; they need something more scary, so they go for the “flaws” in Mac OS that Apple patched. Give me a break! Any developer who has written a stitch of code knows that whenever you release any piece of software to the public, things come up that you didn't, and probably couldn't, foresee, mainly surrounding users and the way they use the applications. Many of the more egregious user problems can be ironed out by getting complete specs and building proper functionality into software, but 90% of this stuff comes down to education.

Now they are harping on Dashboard in Mac OS X 10.4 “Tiger.” They are trying to make it out to be the next ActiveX as far as bad security or bad development decisions go. Dashboard is an incredibly useful feature for legitimate development. No software developer should allow malware writers to determine what features or software go into their products. That would be kind of like allowing terrorists to dictate your country's foreign policy, wouldn't it? Those types of decisions should be made by the users and the software developer. Security should be thought of after the features are included. Dashboard is relatively safe. You would have to be root, or be able to execute a Perl script that would gain you root access, to be able to destroy someone's computer. Since you have to jump through some hoops on a Mac to enable root user access, and for most applications you don't need to be root anyway, the effects of this will be minimal.

If you download a widget from what appears to be a legitimate site and it turns out to be porn, just delete it, and if it offends you, let Apple and the BBB know the details and how you feel you have been wronged. If you download a widget from a sketchy website, it asks you to authenticate, you do it, and then it deletes all your files, you probably deserve to have it happen. No one would get into a car and drive it without learning how not to drive off into a ravine. Computers are the same way: there are some simple rules about how to operate them safely, and it is up to the media and users to learn how to do this.

Instead of just reporting on the bad stuff, giving hackers and malware writers more reason to write malicious code, how about educating Ma and Pa computer user about how to spot nasty code or malware? I'll start.

  • If you open something from the web and the OS prompts you to enter your password, don't do it until you are absolutely sure about what you are doing. If a password is needed, the company that sent you the object should give a good explanation as to why.
  • In the case of Dashboard, I agree with a poster on MacRumors: in your preferences, turn off “Open Safe Files after Download.” Make sure you have to explicitly execute the file to run it. This will prevent widgets from installing themselves.
  • Think about where you are when you are downloading. Do you know these people? Is it a friend's site? What is their reputation? I don't download anything from a site of which I know nothing. If your pop-up blocker is saying that it has blocked ten pop-ups from this site, then you probably don't want to download anything from them.
  • Make sure you have a valid email address or phone number for anyone whose software you install. Chances are that if they don't respond to email or phone calls, then their software isn't any good. Unless, of course, you know the programmer personally.
  • Don't use Windows 98, Windows 95, or Windows 3.1 anymore. Go ahead, treat yourself to an update. Last time I checked, Windows XP ran decently on a PIII 1 GHz computer with 256 MB of RAM. You probably shouldn't be running a pre-security-era operating system if you plan to use the internet. If you are on a Mac, OS X 10.4 will run on a circa 2001 iMac G3 or an old blue and white PowerMac just fine. I am currently running “Tiger” on the iMac 500 and it is reasonable, but better yet, it is way more secure than Mac OS 9.
  • Don't open email from people unless you know them personally or have a phone number for them that you have called. If you are unsure, just click new and send an email back to that person and see if you get a decent response. Better yet, delete anything that looks suspicious. I have friends ask me whether I got the email they sent, and I say no because I follow an aggressive policy regarding email. Usually we can catch up over IM anyway. It's that simple: just delete, delete, delete.
  • If you are on the web and you see that you have just won a new iPod, a trip, or a new laptop, just remember that in this world nothing is given for free, and most of the time these are just hoaxes to get you to give up your personal information so the companies can spam you in various and sundry ways. If you get an email to that effect, or one of these silly refinancing emails, don't trust it. You have to ask yourself, how did they get my email address in the first place? They probably bought it from some spam outfit looking for a quick buck. They probably aren't reputable.

Probably the most important thing is to upgrade. Don't be afraid of updates from Apple and Microsoft. The short-term pain of applying the patch and possibly having some buggy behavior is worth it to keep the mountains of files you have on your computer and not lose them to some virus. Whether or not you like Windows XP / 2000 or Mac OS X, they are much more secure than their predecessors.

On the server side, admins should go ahead and update their IIS, JRun, Apache, Tomcat, JBoss, or whatever HTTP server they are using. It is a pain in the behind, I know, because I just had to do it, but the more recent versions are way more secure. In most environments you might see some improvement in performance too. Of course you should test it thoroughly before deploying the upgrade, and I know that most admins are way overburdened as it is, but isn't it better to have an updated server than to have to keep fixing the same old issues?