And the Real Blame for Spyware goes to...

©Jerry Stern 2004, All Rights Reserved. As seen in ASPects, September 2004

I just cleaned up another computer for a new client. It had 256 viruses, mostly Sasser worms, around 800 spyware files and settings, and worst, it had 32 programs auto-loading from all the different magic start locations in the start menu, in the registry, and in a few other spots that I won’t mention, because I won’t help the malware authors hide their toys. In short, it was an expensive doorstop. And it had a twin brother, too–a notebook. Fewer viruses, more spyware, same functionality–none.

The computers had been running reasonably well since they bought them nearly two years ago, but the customer decided to get residential DSL from the local phone company, and had taken the self-install kit, including both the DSL modem and a wireless router/hub/switch/gadget, and had decided to set the router up later. She then followed the instructions for setting up DSL, never saw a warning about worms and firewalls, and got connected, and then immediately got shut down again by a worm that wasn’t stopped by the firewall, because her router wasn’t plugged in, and because the antivirus wasn’t up-to-date, and because the Windows XP software firewall was off by default, and because her Windows patches weren’t in place.

This is typical of intelligent professionals who haven’t gotten the word about patches and worms; they make the assumption that a new product will work out of the box, and keep working until they drop it on the floor, or until they ask it to do something new and unexpected, like run on high-octane gas. If it was any other kind of appliance, they would have been totally correct–the toaster doesn’t explode when you put in a new kind of bread. “But honey, this toaster doesn’t do semolina rolls. It only does muffins and whole wheat!” Kaboom!

So, who’s to blame here? I wrote the bill to the owner of the computers, for cleanup work and two new antivirus programs that won’t expire on a schedule. Let’s see now:

The local phone company provided a router/firewall, so they must be doing their jobs, I suppose, although they didn’t explain that connecting to their service without it was unsafe at any speed, or that the email service they provide was loaded with viruses, because they don’t filter worms and they don’t virus-check email.

The computers came from an appliance superstore, who didn’t explain patches or antivirus or worms or spyware. They said, “Take it home, plug it in, turn it on, do stuff.” Or was that what they said about the electric skillet? Not their fault, I suppose.

The systems were built by one of the top three makers of boxed systems, and they set everything up on the computer in advance, including desktop setup icons for six internet dialup companies, a long distance over-the-web service, and a music service. Oh, and a link to online live tech support was in the start menu, too, under start, program files, the manufacturer’s name, system, diagnostics, service, online help. Which, of course, requires the computer owner to already be online and able to use chat software. In my experience, if the computer owner can do that, their only question is likely to be how to burn a music CD.

Windows patches, of course, were up-to-date as of four months before the day the computer was sold, and automatic downloading of patches was turned off. No software firewall was running, the antivirus was ready to install for a free 90-day trial, but not actually running, but the important stuff was all there: in the autoplays, there were four programs for phoning home for software updates to the music software, update checker for camera software for a camera that wasn’t included with the computer, update checker for CD-burning software and for a DVD-player, and a nifty little program that shares your photographs to a web site, also for that camera you didn’t buy, and for a very low annual fee. And the way a buyer finds out they have all these goodies in memory, running all the time, is by carefully exploring their startup menu and desktop icons and reading the small print on the license agreements to see just what they’ve already got working for them in the background. So it’s their fault that the computer is a doorstop, right? Well, ask them. Should be interesting.

Well, how about Microsoft? Well, in all fairness to them, they have gotten better at choosing default settings for safety, and they are a major target, but they did write an operating system that grew larger far, far faster than their own ability to keep up with the long history of hacker/cracker/script-kiddy/spambot attackers. Is it their fault? Well, read their license agreement some time. You know, that’s the statement you clicked ‘Agree’ to as you started up your computer for the first time. As crafted by their crack legal team, they are clearly responsible if the CD-ROM that holds their product is unreadable.

OK, so it’s all the fault of the computer owners that they didn’t know what they weren’t warned about. They were, however, recently warned, in writing, not to use their steam iron in the bathtub, not to use the electric screwdriver as a hammer, not to remove the tag from the mattress, and not to use the dry-cleaner’s plastic wrap as a crib liner. Go figure.

Someday, a computer will be a black box appliance. In science, a black box is a gadget that you use without knowing what’s going on inside all of the internal twinkly bits. You put in something; something else comes out. You put in electricity; you get heat. You put in batter; you get waffles. You don’t have to understand that the heat and the cooking are caused by electrical resistance from passing electrons through a carefully-sized conductor of electricity, or how the stick-proof coating works. You just make breakfast. Plug it in; it works.

I want my computer to do that.

So do my new clients; the cleanup cost $420, plus tax.

Jerry Stern is the editor of ASPects–the monthly newsletter of the Association of Software Professionals, and is the author of Graphcat and FileTiger, runs Science Translations, and is online at www.pc410.com