There but for the Grace of Bill.... - page 4
Getting Down to that Crazy Nero Beat
The problem is that none of these factors account for the way Melissa and ILOVEYOU and all the other e-mail worms wreak so much havoc. The source of the problem is in front of the keyboard, not inside the software. Nontechnical users see security as a nuisance, not a priority, and as these folks start using Linux we are in for the same trouble as the Windows users are experiencing now.
When that happens--and it will happen unless we do something to prevent it--Linux will be held up to even worse ridicule than Windows is today. People who run Windows excuse its vulnerability with a shrug: "Well, I gotta have [your-favorite-app-here], so whaddya gonna do?" Many of the Windows users realize it's a mediocre system, just as people who bought VHS knew that beta was better. They put up with it because it's easier to swim with the current than to fight your way upstream.
Linux won't have that kind of Teflon-like image protection. When we in the Linux community advocate our favorite operating system, we are asking users to make a conscious choice instead of accepting the default. We are asking them to step out of the crowd, to accept a greater responsibility for the computing tools they use, to take an active part in their own destiny. In return, we offer them empowerment, freedom, and sharp, elegantly designed tools.
If Linux proves to have the same vulnerability as Windows, the novice users and the popular press won't care about all of that. They will decide that Linux is no better than Windows, really, and that people are better off with the devil they already know. Linux will be dismissed as another hype-wagon, sitting beside the road with a broken axle. It isn't fair, but it is exactly what will happen. The credibility of the open source movement will be crushed, just when we were beginning to be taken seriously by the suits in the boardroom. We will have lost our best chance at the mainstream, perhaps our last chance, and it won't even be our own fault.
All of this means that we cannot rely on end users, especially novices coming from the Windows environment, to manage Linux security in e-mail or applications. The stakes are too high, and we cannot afford a major public debacle like ILOVEYOU or Melissa.
By making themselves such an obvious target, and by demonstrating again and again that they are not committed to improving security by taking it out of the hands of apathetic users, Microsoft is taking the fall for all of us. They are taking it on the chin right now, and in doing so they are buying time for the open source community to get ready for what comes next.There is still time for Linux e-mail software to get smart about active message content. Let's get together and define a standard library interface for scanning arbitrary content. Pass it a file handle or pointer to an in-memory buffer, plus a MIME type string, and it returns a status code indicating that the contents are intrinsically safe (such as plain text or JPEG), that they are a potential risk (such as a Java binary) or that they are high-risk (such as Java code that opens local files or does other out-of-the-sandbox things). I'm not even saying that Linux has to implement these functions--just provide stubs in the default Linux installation, and leave it up to the distribution providers or third parties to implement the filtering. The e-mail software can let the user decide what to do with the results of the scan, and can refuse to let the user execute anything nasty. Anything that isn't intrinsically safe should never be automatically opened by the e-mail software, and it shouldn't be possible for the user to bypass this setting. The key is to have all the leading e-mail software call the same library API, so that content scanning can be implemented once by the system owner and enforced on all users, regardless of their choice of mail client.
Developers of application software for Linux need to learn from Microsoft's mistakes with Word and Excel security. Auto-execute macros that run without warning as soon as a document is opened are a Very Bad Thing. Period. The only good way to implement this feature is not at all. If a legitimate function is complex enough to warrant a macro, then one extra mouse click to activate it manually will not significantly reduce the user's productivity compared to the amount of work the macro accomplishes.
I won't pretend that I've covered every aspect of application or e-mail security here. All I've tried to do is to highlight the most egregious problems, hoping that someone will see the need for solutions. Nor is my proposal for a standard content scanning API meant to be technically comprehensive; others are far more qualified than I to design this. What I hope has happened with this essay is that people in the Linux community realize that we have a problem headed our way, and that we need to act to avoid it before it's too late.
Microsoft users around the world are busy today, reinstalling their operating systems and hoping that they can recover some of their data. Microsoft is getting well-deserved bad publicity for ignoring security, but ILOVEYOU isn't about bad software. It's about software that lets novice users do stupid things entirely too easily. ILOVEYOU only spread because people were gullible enough to open a love letter from someone they barely knew. These people aren't going to get smarter just because they switch to Linux.
We Linux users can learn from Microsoft's mistakes, if we are willing to do so. We can see that actively protective e-mail clients are needed, because we cannot rely on users to protect themselves. By establishing standards for how this is accomplished, we can ensure that Linux gets well-justified credit for making the Internet safer, not unjust blame for the foolish behavior of novice users.
For a few months more, Linux will retain its perception of being too complex for novices, and during that time, Bill Gates and his friends are buying time for us to prepare for those novices to reach our door. Microsoft looks bad today, yet there but for the grace of Bill go we all.