28 November 2007

Not that Nick Brown

OK, so I googled myself, and I was second on the list. I'm not this Nick Brown (PHP is more my style than ASP). And I'm definitely not this Nick Brown.

What to ask Santa to bring you

If you're interested in why software goes wrong - and anyone who uses a computer for anything more than reading the occasional e-mail should be - then there are a couple of classic books you should have read by, say, December 30.

The first, little-known but very accessible, is "Digital Woes: Why We Should Not Depend on Software" by Lauren Ruth Wiener. This is about 14 years old and hardly mentions the Internet (!), but it is extremely readable and gives a good insight into the organisational issues around software projects. Anyone who buys software or IT services, and especially anyone who is the business owner of an IT project, should have read this book thoroughly before the salesperson from EDS, CSC, or IBM drops by.

If you're in software development, you could then move on to the daddy of all books on writing software, "The Mythical Man-Month: Essays on Software Engineering" by Frederick P. Brooks. Although most people under 40 will struggle to understand some of the technical references, and some of the suggestions have been made obsolete by hardware improvements, the general principles of how software development works are still as valid as they were 32 years ago when the first edition of the book appeared. My favourite quote: "Adding people to a late project, makes it later". If you can get your pointy-haired boss to understand that, you're half-way there.

11 November 2007

Throw off your mental chains

The first person to link to my blog was Steve Riley, who gets paid to "do security". It was nice of him to mention my AUTORUN.INF hack, even if he didn't recommend it (for reasons I didn't quite gather).

Anyway, while flicking through the archives of Steve's blog, I found this article which questions the whole need for anti-virus software. Yesss!

Having steered a corporate network through three major software generations over the last 17 years, without spending a penny on anti-virus software in that time, I can confirm that you don't need anti-virus software. Not just on your own PC, gentle technically-aware reader; not on your users' PCs, either.

We currently have 1800 PCs, all running XP SP2, with all users having administrator privileges, allowed to install more or less any software they want, allowed to visit most Web sites (except for a few which we've specifically blacklisted for hosting malware), and we have not had a single report that any user has lost a single byte of data to a virus, in all that time, going right back to DOS 3.3 and Digital Pathworks.

Steve tries to suggest that this approach may not be for everybody, although I suspect he's just trying to sound like he's being less radical than he is - kind of like those non-religious people who can't actually bring themselves to say that they're atheists (this is a simile, please don't write in about it). He has hit the nail on the head: if your anti-virus software doesn't ever detect anything, what use is it? Other bloggers tip-toeing around this subject, but not quite ready to fully admit their apostasy in public, are Adam Vero (who, I suspect, has become a non-believer, but - probably correctly - doesn't think his customers are ready for such a drastic step), and Aaron Margosis, who has a "lite" approach (he suggests you don't need an anti-virus if your users don't have administrator privileges).

To me, installing anti-virus software because you're afraid of viruses, is like hiring a retired, but very dumb, police officer to stand guard in your home 24/7 because you're afraid of burglars. Every time any member of your family tries to move from one room to another, they get asked for ID. No ID, no place at the dinner table. And because your oldest kid's name is "Lexy" (geddit?), she gets extra-special treatment: a strip-search every morning when she gets up, to make sure she didn't get converted into a burglar during the night.

I wouldn't object so much, if viruses were even 1% as terrible things as people make out. I know users who would rather have a sudden, unrecoverable, scrape-the-platters hard drive crash, than the idea that any form of worm, virus, or trojan is on their PC. Strange, since pretty much the worst a virus can do is trash all your data (yes yes, I know it could e-mail your grocery list to some randomly-selected guy in Latvia), which is the same thing, and oh yes, modern viruses don't do that. In fact they don't do very much damage to their "host" PC; if they did, rather less than 25% of the world's PCs would be in botnets, because their owners would have noticed and done something about it.

The only bits of malware to have caused significant disruption to our network were the "MS-Blast" and "Sasser" worms. And guess what? Because they exploited a vulnerability in Microsoft's DLLs, anti-virus software didn't work (except, perhaps, to clean them up, which in any case was a one-line registry entry). People flooded to their anti-virus vendor's site, to be told "get the security patches from Microsoft". You paid the cop every day for a year, but he couldn't protect you from a burglar who wore a very small mask.

Talking of disk crashes: we change between 3% and 5% of our PC hard drives every year. We try to get to at least half of them before they die (by monitoring certain disk-related system events), but we know that of the 1800 PCs on our network, about 35 will experience sudden and irreversible disk death. We don't worry too much, because our users keep all their important data (by definition) on network drives. But if users do want to keep data locally, the backups which they make (!) are also useful protection against the day when the evil mega-virus makes the inter-species crossover (the one from "Hollywood" or "the marketing department of anti-virus companies" to "the real world").

So, put up the built-in Windows firewall (just in case the next exploit worm gets on to your Intranet), run some daily checks of the key parts of the registry (I'll write up how we do this, one day), submit suspicious files to VirusTotal (on average, after a week, one-third of the virus engines used by that site still don't detect any given virus, in my experience), build your PCs with a separate disk partition which you can boot to clean up malware in the main partition, and above all, stop worrying. You will get some viruses, worms, and trojans on your network, and they won't kill you. In fact, chances are you already do have several bits of malware anyway, because you're trusting that dumb cop to protect you, and he can't recognise 1/3 of the burglars.
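
A sketch of what a daily registry check could look like, added here as an illustration and not the procedure used on the network described above (which the post says is not yet written up). The list of keys is an assumption (the common autostart locations), and the sample values are constructed.

```python
# Assumption: "key parts of the registry" = common autostart locations.
AUTOSTART_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"),
]

def snapshot():
    """Read every value under AUTOSTART_KEYS into a flat dict (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for hive, path in AUTOSTART_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key does not exist on this machine
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                name, data, _type = winreg.EnumValue(key, i)
                snap[f"{hive}\\{path}\\{name}"] = str(data)
    return snap

def diff(baseline, current):
    """Return (change, value_path, old, new) tuples, sorted by value path."""
    changes = []
    for k in sorted(set(baseline) | set(current)):
        old, new = baseline.get(k), current.get(k)
        if old is None:
            changes.append(("added", k, None, new))
        elif new is None:
            changes.append(("removed", k, old, None))
        elif old != new:
            changes.append(("changed", k, old, new))
    return changes

# Constructed sample snapshots so the comparison can be tried on any platform.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE = {RUN + r"\Updater": r"C:\Program Files\Vendor\update.exe",
            RUN + r"\Tray": r"C:\Program Files\Vendor\tray.exe"}
CURRENT = {RUN + r"\Updater": r"C:\Temp\update.exe",
           RUN + r"\NewEntry": r"C:\Temp\example.exe"}

if __name__ == "__main__":
    for change in diff(BASELINE, CURRENT):
        print(*change, sep=" | ")
```

On a Windows PC, store the output of `snapshot()` once as the known-good baseline and compare each day's snapshot against it with `diff()`; anything reported is a candidate for the VirusTotal submission mentioned above.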