Users are 'stupid' – Microsoft

I wrote a post over a year ago about how I deal with PCs which have become infected with malware (viruses/trojans/worms/rootkits, etc.):

what I do, is to re-install the OS – more often recently it is XP, turn off System Restore, install XP SP2, Microsoft Anti Spyware, Spybot, Adaware, and AVG… or consider formatting the PC.

It seems that I was on the money with that advice – eWeek are reporting today that Mike Danseglio, program manager in the Security Solutions group at Microsoft said at an InfoSec conference in Florida yesterday:

When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit

Malware is becoming more difficult to detect because malware writing has become a big business. The people who write these malware programs now do so for profit. They write programs which allow them to use infected machines (to send spam, for instance) and they sell their services to companies who want use infected machines. The more machines they control, the more money they can make. It is therefore in the malware writer’s interest that the malware be as unobtrusive and difficult to detect as possible.

Danseglio said:

We’ve seen the self-healing malware that actually detects that you’re trying to get rid of it. You remove it, and the next time you look in that directory, it’s sitting there. It can simply reinstall itself,

This is similar to my observation that malware can hide in the System Restore volume and can re-install themselves after a scan is run.

The one place where Danseglio and I disagree fundamentally is in the apportioning of blame. Danseglio said:

Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity

Personally, I believe that if the software allows people to be fooled into clicking on a phishing link (and some of the phishing emails I have received have been extremely convincing), then it is the software which is stupid and not the user.

6 thoughts on “Users are 'stupid' – Microsoft”

  1. That was a bit rich calling people who are tricked by phishing as being stupid.
    I’m not surprised though because Microsoft have been treating users as idiots for years, e.g. that annoying assistant in Word that asks if you are writing a letter.

    You are right, some of those phishing expeditions are very convincing and not everyone has an MSc in security and cryptography. How is a relatively new user supposed to know that banks or ebay or amazon do not ask for your password. I mean, I don’t know the first thing about microbiology, but that doesn’t make me stupid.

    I have to agree that when a computer is infected either by malware or a rootkit, the first course of action should be to disconnect from any network and then reformat the hard drive before re-installing. That holds for all operating systems including windows, linux and mac osx. You just never know how clean your machine is after you attempt to remove the malicious executables. In fact, in many cases it is irresponsible not to reformat because attacks could continue to be launched from your PC or server without a full reformat.

  2. Personally, I believe that if the software allows people to be fooled into clicking on a phishing link (and some of the phishing emails I have received have been extremely convincing), then it is the software which is stupid and not the user.

    And what would you suggest be done? Software is dumb. It always has been and will most definitely be for the foreseeable future. All a computer or piece of software can do is it what it has been programmed to do and it’s is extremely difficult to program an intelligent piece of software – hence we don’t have true AI.

    Sure, there are some excellent pieces of software that use advanced heuristics to find patterns and/or identify and classify items it has never come across before but saying that software is stupid because it allows a user to click on a phising like is fairly stupid.

    How is the software to know that it is a phishing link? Sure, heuristics – great – but heuristics are also known “best-guess” solutions – by definition they are not definitive. It IS the user who is stupid – maybe the person was just duped into the click the link, or maybe the person is not aware of these scams, or maybe the phishing is so good that even someone working for the “real” company can be fooled by it but it is still the person that is stupid (read as “unaware” or “lazy” or “just plain stupid”).

    However, Microsoft and other companies are tackling the problem straight on – the anti-phising features in IE 7 for example are fairly good, but once again they rely on a group or people (Microsoft employees in this case) actually checking reported sites to verify that they are, or are not, phishing sites.

    If you think that it is easy or possible for software to be this intelligent at the moment Tom then why can’t we please see your solution.

    P.S. Love the blog. Keep up the good work – but I had to pull you up on this one. YOU ARE WRONG 😉

  3. @Larkin – agreed absolutely.

    @Brian

    If you think that it is easy or possible for software to be this intelligent at the moment Tom then why can’t we please see your solution.

    I am not a developer so I don’t personally have any solution to this – however, there are a series of toolbars listed on the Anti-Phishing.org website which do a good job – also, there is IE7’s anti-phishing capabilities to look forward to.

    So software can make a good stab at minimising this problem Brian.

  4. I am not a developer so I don’t personally have any solution to this – however, there are a series of toolbars listed on the Anti-Phishing.org website which do a good job – also, there is IE7’s anti-phishing capabilities to look forward to.

    So software can make a good stab at minimising this problem Brian.

    Yes. Plenty of solutions out there that help – but at the end of the day it’s up to the user. As with most bad and “evil” things these days I think education is the key – educating people though is a challenge.

    But, just to put your quote “the software which is stupid and not the user” into perspective – recently there was a *lovely* virus going around via email. The virus was an executable contained inside a password protected zip file – virus scanners can not scan inside password protected zip files as everything is encrypted. The user however could read the password from the email, open the zip file, and run the exe. Was the software stupid – most definitely not. Was the user – well I suppose that depends on your point of view.

    It’s almost impossible to write software to protect people when people still insist on doing silly things like above – once again, educating users is the key, but in the case above, whose responsibility is it to education the user? The company providing the email service to the user? The producer of their email client? The anti-virus company? The producer of the operating system? … the government?

    It’s the same with phishing and anti-phishing software – it can help, but no one should rely on it 100%. If a person does, sooner or later they will be stung.

  5. When Kevin Mitnick was hacking Vegas telephone exchanges, all he had to do was call someone, pretend to be IT or a supplier or someone and ask for passwords. No-one ever thought to say, “I don’t know you, can I have some verification/call you back on the IT number”.

    No phishing or zipping or whatever, just “social engineering” which is a nice way of saying “taking advantage of people who aren’t security conscious” or, well, just plain stupid.

Comments are closed.