In the next few weeks, new computer users are likely to get an unpleasant introduction to the topic of computer security. They'll unpack the new computer, log on to the Internet and get some e-mail attachment from a friend. Thinking it's some cute little widget (if it's called Happy99, it must be a New Year's thing, right?), they'll open it.
But Happy99 isn't fun; it's what's called a worm. It will infect their system, then attach copies of itself to outgoing e-mail, in the process making a great many people very annoyed. It will probably take these poor saps a week or so to realize what's happened.
There are many people at fault in this scenario, not least of whom are the virus programmers who can't be bothered to, you know, get a life. But much of the blame also has to be placed with software developers who didn't stop to consider security issues while they were scrambling to add new features.
The paramount example of this is Microsoft Word's macro capability. Starting with Version 6.0 of this word processor, Microsoft added sophisticated automation tools that allow programmers to create shortcuts, add new features and integrate Word with other programs.
But Microsoft neglected to consider that bad people use computers too. It did not take long before Word macro viruses--which look harmless but, behind the scenes, erase data and scramble Word's settings--became the leading virus threat, and today Symantec's Antivirus Research Center reports that macro viruses account for over 80 percent of the 200 to 300 new viruses it spots "in the wild" every month.
I personally have received so many Word files with embedded macro viruses--even from other technology journalists and computer-industry publicists--that I always open strange Word files in read-only mode to be safe.
Steve Lipner, manager of Microsoft's security-response team, said the company has locked Word's doors more tightly with each successive release. In Word 2000, for instance, the program will alert you if a document has a macro embedded in it, then ask if you want to run the macro. (If you see this message, for heaven's sake, click "no.") It also will not automatically run macros that haven't been digitally signed by their author. These are all good ideas--it's too bad it's taken the company four major revisions of Word to incorporate them.
And too many of these tactics require you to plumb the program's byzantine innards to find the proper check box under the right tab inside the appropriate dialog box. Argues Joel Diamond, technical director of the Windows User Group Network: "When you have 98 percent of all documents . . . being written by one particular word processor, Microsoft should take greater responsibility for letting the user click one button to turn on every security defense."
Microsoft is hardly alone in making these mistakes. In the summer of 1996, Apple Computer offered a Mac equivalent of Win 95's "AutoRun" feature (which allows a CD-ROM to play automatically) with its "AutoPlay" option. Software developers, who needed to configure their programs to take advantage of this new capability, mostly ignored it--it's not as though CD-ROMs were that hard to install on a Mac in the first place.
Virus writers, however, did not; in May 1998, the "AutoStart" virus began exploiting AutoPlay to spread itself from one Mac to the next--on disks or over a network--erasing data along the way. This particular pest wasted a great deal of time for many Mac users, including a few people in the News Art department of this newspaper. It also reinvigorated the Mac market for anti-virus software.
Apple still has this feature enabled by default in the Mac OS, for reasons that escape me. (Apple declined to comment for this story.) Don't make Apple's mistake yours; go to the QuickTime Settings control panel, select AutoPlay and uncheck the "Enable CD-ROM AutoPlay" box, and you won't have to worry about this virus arriving on the next CD-ROM or Zip disk.
The future, unfortunately, looks worse than the present. E-mail developers have been scrambling to enable their products to display messages with the same interactive content as the Web itself--plain old text apparently won't do. But while you can choose what Web site to visit, you don't get a vote on who sends you mail, and whether or not your correspondents will be ethical.
One consequence: The "Bubbleboy" virus, discovered earlier this fall, exploits the Web-display capabilities in Microsoft's Outlook and Outlook Express to infect your computer--even if you just select the message without opening it--and then mail copies of itself to everybody in your address book. This vulnerability was closed with a patch Microsoft had released back in August--but how many people have bothered to download that? And what about the next vulnerability?
"People are still producing software in Internet time; there's not enough focus on making things secure," said Gary McGraw, author of two books on computer security and a vice president at Dulles-based Reliable Software Technologies. He noted the increasing number of animated Christmas cards being e-mailed back and forth: "People like to send around those executable Christmas card things and, you know, they're cute . . . but what else is it doing?"
You can't tell. Given the woefully clumsy security options in most e-mail programs, your best bet is not to open any attached files until you scan them with an anti-virus tool. If it looks like an actual program--its name ends in ".exe"--don't run it at all. (Help out your own correspondents by pointing them to a Web-based greeting card instead of attaching the card to your e-mail.)
And keep that anti-virus software installed and up to date. This chore takes time and, sometimes, money. It's a tax we all have to pay for somebody else's poor planning, and if you feel like sending the bill to Apple or Microsoft, I don't blame you one bit.
Living with technology, or trying to? E-mail Rob Pegoraro at firstname.lastname@example.org.