Opinion
Frank da Cruz
Columbia University Academic Information Systems
[email protected]
September 2001
As seen in Newsday :-)
This page was written for the Columbia University community but might be
useful to a wider audience. It does not represent current Columbia
University Academic Information Systems (AcIS) policy or mainstream AcIS
directions, nor indeed mainstream thinking. It describes a way of using your
Windows PC in combination with central Unix servers and the Internet that
keeps your PC safe from hostile attack as well as from data loss due to
natural disaster or accident, and is offered as an example of one relatively
experienced person's working environment. All opinions herein are mine alone.
[Note: many links have gone stale since 2001; no attempt has been made to
fix them or write around them. Also, obviously, many things have changed
since then, but not necessarily for the better.]
Most recent update:
10 May 2011
Contents . . .
- How Bad Is It?
- Is All of This Inevitable?
- How to Ignore Viruses and Get Your Work Done
- The Junk Mail Plague
Iloveyou,
Melissa,
Anna Kournikova,
SirCam,
Code Red,
Nimda,
FunLove,
BadTrans,
Goner,
UPnP Buffer Overflows,
Hybris,
Klez,
Bugbear,
SQL
Slammer,
Sobig.E,
DCOM-RPC,
Mimail,
Blaster,
Sobig.F,
Welchia,
Beagle,
MyDoom,
Netsky,
Download.Ject,
. . . What next?
In this age of viruses, worms, hackers, crackers, swindlers, and actual
terrorists, computer security has taken on an unprecedented urgency. Although
every platform (and the network itself) has its security holes, the current
rash of incidents is primarily due to the following facts:
- A single platform -- Microsoft Windows on Intel-based PCs -- dominates
the computer market and the Internet;
- This platform is enormously complex and full of bugs;
- In many cases, it is open by default to incoming connections;
- Dangerous features are enabled by default (e.g. in the mail, office, and web clients);
- Its users tend to not to be "computer experts", nor do they want to be.
The Internet is the ideal transmission vector for viruses. Unlike biological
viruses, whose spread is limited by all sorts of factors, an Internet virus
can cover the entire planet almost instantaneously, affecting millions of
Internet-attached PCs before countermeasures can be taken. When your PC is
infected with a virus, not only can it suffer damage, but it can also be
transformed into a weapon to launch new attacks in your name or your
company's name against your friends, relatives, colleagues, business partners,
customers, and the world at large.
System and
network administration, once the province of highly trained professionals, is
suddenly the responsibility of all people who have an Internet-attached PC.
Microsoft Windows comes in two basic varieties (leaving aside the palmtops,
set-tops, etc): Windows 95 and its descendents (Windows 98 and ME), and
Windows NT and its descendents (Windows 2000 and XP). PCs preloaded with
these operating systems attract customers by a combination of low cost, cute
graphics, ease of learning, and market pressure ("it's what everybody uses").
Ease of learning requires that all features be enabled by default so people
don't have to go through confusing technical configuration dialogs, or indeed
know or learn anything at all. Such features include:
- Shared disks and printers.
- JavaScript and Active X in the Web browser.
- A mail client that automatically launches helper applications for incoming
message attachments.
- Applications that automatically run macros and scripts embedded in data.
Each of these is an entry point for attacks. Windows 9x/ME adds to this
list a complete and utter lack of security in the local disk file system.
There is no concept of file ownership, group membership, access control,
protection or read / write / execute / delete permissions. All files are wide
open to anyone who can access your computer, for example in their "Network
Neighborhood". This includes your confidential files, personal information,
financial information, Web browsing history, security keys, and anything
else you might wish to keep private.
In Windows 98, ME, and NT, Personal Web Server (PWS) is installed by default,
and this is carried forward automatically when upgrading to Windows 2000,
where PWS is converted to Internet Information Server (IIS); this, plus the
inevitable bugs in these services, is the basis for
buffer overflow
attacks like
Code Red.
Every few weeks a new worm or virus plunges the planet into another
panic. Often these viruses can be removed from your PC only by
reformatting your hard disk,
reinstalling the operating system from trusted media, reinstalling all of your
applications, and then patching and upgrading everything before you
reconnect your PC to the network. You can not restore your own data files
(even if you had backed them up) without danger of reintroducing the
virus. Meanwhile, you are expected to constantly patch and upgrade Windows
and your applications, install virus protection and intrusion alert software,
and patch and update that software too, on AT LEAST A DAILY BASIS, to
guard against known viruses. But of course this is no defense against new
viruses exploiting as-yet unknown bugs and loopholes, and even if your
own PC is fully patched and the patches are effective, you might still be
vulnerable if your neighbor's is not (see
Robert
Graham's analysis of the January 2003 SQL Slammer worm).
Windows started out as a convenience, but now keeping up with all the
patches and security alerts and recovering from attacks can be a full-time
job. The constant struggle against worms and viruses makes every person
and organization that uses Windows PCs less efficient and often a burden to
others. People lose their work, often great amounts of it. Companies lose
vital business information. Credit card info is stolen, altered, or
published. Critical web sites and servers are compromised. Organizations
must install switched networks, firewalls, and filters and hire new security
staff at great expense, driving up costs and prices and/or causing layoffs,
and this still does not solve the fundamental problem.
There is no "last bug" in Windows, no "last patch" to make Windows
safe. (In September 2002 -- a year after this document was first
written -- you could find
THIS
freshly posted at the Microsoft website: "Because of the nature of hacking,
there is almost no way to fully certify a computer as 'clean' of all malicious
software or changes that are made during the hack.") [Note: The Microsoft
Knowledge Base article was later altered at the source to remove this
sentence.] A senior Microsoft executive said,
"We really haven't
done everything we could to protect our customers... Our products just aren't
engineered for security"
(Infoworld 5 Sep 2002).
Craig Mundie, Microsoft chief technical officer, said in an address at the
company's campus in Mountain View, Calif. [that] it's impossible to retrofit
earlier versions of Windows to make them secure
(Internet Week,
15 Nov 2002).
The worldwide Internet opens your PC up to a virtually limitless
number of hackers who, by the very Law of Large Numbers coupled with the low
price and universality of PCs and the vast complexity of Windows, will find
the next bug or hole, and the next, and the next. The process will only
intensify as time goes on, as long as Windows and Intel dominate the market
and the Internet. (In fairness, the same thing might happen with any other
dominant platform, such as Linux, but at least Unix-based operating systems are
designed from the beginning to be secure if properly administered, so attacks
on them are based more on bugs than on fundamental design deficiencies. In
any case, a better defense against planet-crippling viruses would be the
diversity of platforms we enjoyed prior to the mid-1990s.)
During the Code Red and Nimda onslaught of September and October of 2001, the
following document was researched and written by Jeff Altman of the Kermit
Project, who was also Columbia's resident security expert and Windows
expert, on what it takes to actually use Windows and its applications as
your primary computing environment:
http://www.columbia.edu/acis/security/safecomputing.html
Personally, I find the prospects laid out there both horrifying and sickening.
The amount of time and labor that goes into securing your Windows PC on a
continuing basis plus that required to recover from the inevitable
successful attack is staggering, especially considering that these devices
were bought in the first place to save us time and labor, and even then there
can be no guarantees of safety. And if you noticed that Jeff's article is
somewhat dated... Of course it is. Nobody has time to keep it up to date.
Constantly patching Windows and all its applications, not to mention writing
about how to do this and updating the document on a continuing basis, is far
too labor intensive to be an effective approach to security.
No.
As anyone who used computers
before the Windows-and-Web explosion can tell you, it is quite possible to
get all your work done in a perfectly safe environment without bothering one
bit about viruses, worms, and hackers, even if you have an Internet-attached
Windows PC on your desk, even if it is up and running 24 hours a day. Begin
by closing the open doors and windows:
- Disable File and Printer Sharing
- Control Panel → Network →
File and Print Sharing. If "I want to be able to give others access to
my files" and "I want to be able to allow others to print to my printers" are
checked, uncheck them. In every version of Windows the dialog is a bit
different; in XP it's
Control Panel → Network Connections →
Local Area Connection → General →
Properties, then uncheck the File and Printer Sharing for Microsoft
Networks box.
The initial configuration of a PC that was preloaded with Windows depends
on the PC vendor. We must assume that every vendor enables everything by
default in order to make their products more attractive, but we do not know
this for a fact.
- Disable Other Services
- Start → Run services.msc. This shows a list
of services that run on your PC, many of which open it up to entry from the
outside. Click once on a service name to see a description of the service.
Right-click on the service name and then choose Properties to modify the
service (e.g. change it from Automatic to Manual or Disabled). Two such
services are especially in need of attention: Remote Registry (allows other
computers to change your computer's Registry) and Server (file, printer, and
named pipe sharing): these should be disabled. Why file and printer sharing
are still enabled in this list after disabling them in the previous step is
another Windows mystery.
- Don't Use Internet Explorer
- Use some other browser, such as
Mozilla and its followon,
Firefox, or
Netscape, instead. You might be able to
make your browser safe by going through all sorts of incomprehensible dialogs
and applying many patches, but you'll never really know. Anyway, since most
Web-based attacks are aimed at IE, it's better not to make yourself a target.
In Netscape, Edit → Preferences → Applications
to disable automatic launching of any Microsoft applications
(e.g. .XLS files launching Excel, .DOC files launching Word,
etc) -- change each of these to "Save to file" (go through the whole list, one
by one). Similarly in Mozilla (Helper Applications, Save to Disk).
- Be Careful with JavaScript
- JavaScript is required to access most business-oriented or interactive
websites (such as
Amazon.com).
However some versions of some browsers (notably IE) have bugs and/or
vulnerabilities accessible through JavaScript. To be safe, disable it
(e.g. in Netscape, Mozilla, or Firefox, Edit → Preferences
→ Advanced). If you need to use JavaScript at a
particular trusted site, enable it while you visit the site, then re-disable
it. This is especially important if you use a GUI email client, since people
can send you HTML-format mail with embedded JavaScript.
- Don't Use a Microsoft E-Mail Client
- Same deal as with IE, but moreso. Originally, Microsoft e-mail clients
such as Outlook had "everything" enabled, up to and including letting anybody
who sends you mail to RUN PROGRAMS ON YOUR COMPUTER (in a belated attempt to
appear more security-conscious, more recent versions are blocking more and
more types of enclosures; reportedly Outlook 11 even blocks HTML).
Anyway, as with IE, even if you disable "everything", the program is still
potentially full of bugs that present inviting targets to hackers. But worse,
it's your Microsoft Outlook Address Book that is most often used as the basis
for further attacks (at first the attacks were directed against addresses in
your address book; more recently with Klez and Sobig, the
addresses are used in forged e-mail bombs, so it appears that not only you,
but everybody in your address book, is spamming and attacking the world). If
you must use a GUI mail client, make it
CubMail (Columbia only) or
Netscape or Mozilla
Messenger. Better yet, use a host-based mail client, explained below.
Avoid "free" Web-based e-mail systems (other than CubMail) for any number of
reasons: they transmit passwords in the clear, they violate your privacy
and/or author rights, etc.
- Ditto for Other Microsoft Office Applications
- Microsoft Word is
not the only package
with the macro language problem.
It's the entire Microsoft Office suite. Office XP is supposed to be more
secure but who knows (and if it is secure, you probably won't use it because
security = inconvenience). Use them for working on your own files,
but watch out when importing other people's data files.
- Watch Out for Applications that Use Helper Applications
- If you use a PC-based email client, Web browser, or other application that
is not from Microsoft, it might still use Microsoft applications as helpers or
viewers for e-mail attachments, Web pages, or other documents. For example,
if a document is tagged as "Content-Type: application/msword;" or has
a name that ends with ".doc", your application software might feed it
to Word. For each application that you use or install, you must go through
its setup configuration to replace all dangerous associations with harmless
ones (you can -- and should -- do this Windows-wide but many applications
override the Windows-wide associations).
- Don't Use Microsoft Word as the Helper for DOC Files
- Any time Microsoft Word opens a document your computer can catch a virus.
This can happen if you open the document in Word's File menu, or if you
clicked on the document on your desktop or in a file list, or because Word is
registered as the "helper" application for .DOC files and can be
triggered by visiting a web page or opening an e-mail enclosure. If you need
to read Word files, use WordPad and register it as the helper application for
.DOC files (or else read them on a Unix-based platform with Antiword,
Star Office, or Open Office). If you need to create plain-text files, use
Notepad, Wordpad, or (better yet) a text editor on the central servers
(discussed below) instead of Word. To create or edit "rich" files of your
own, you can use anything you like, including Word, since the chances of
giving yourself a virus by editing your own file are pretty slim.
- Disable Internet Services
- You probably do not need to have Web servers, FTP servers, and the like
running on your desktop PC. Inviting connections from the outside world to
your own PC is like leaving your house open and posting a big
"rob me" sign on it. If you want to have a Website, put it in your
~/public_html/ directory on Cunix. Departments that are running
production Web servers on Windows (not to mention organizations outside
Columbia that do so) are in constant danger and are guaranteed to be
continuously probed and attacked from all over the world. Columbia departments
should move their websites to secure platforms in secure locations.
On 19 September 2001,
the Gartner Group recommended that
"enterprises
hit by both Code Red and Nimda immediately investigate
alternatives to IIS, including moving Web applications to Web server
software from other vendors, such as iPlanet and Apache."
- Don't Run Peer-to-Peer Software
- If you are serious about computer safety, you won't use your PC as an
entertainment center. Running Internet "peer-to-peer" software --
Napster, Aimster, Madster, Gnutella,
Kazaa
-- to share commercial music and videos might or might not be legal or
ethical, but it is dangerous because it opens your computer up to
incoming Internet connections and you don't know what the software is
doing (click on the Kazaa link to see what I mean).
You probably don't have the source code, and if you do, you
probably didn't read and understand every line of it, and anyway since there
is no business relationship between you and its authors, you can't hold them
responsible for what happens to your PC. Using this software is also
dangerous because it exposes you and/or your school or employer to possible
criminal prosecution and lawsuits. It's not worth the risk. Support the
artists you like by purchasing their CDs or DVDs.
- Disable Windows Messenger
- In Fall 2002, direct marketing software companies discovered it was
possible to make ads pop up on the screens of Windows users by sending NETBIOS
messages on the local network or across the Internet. Who knows what
other vulnerabilities are exposed through this path into your PC.
For Windows XP, Microsoft explains how to disable this feature
HERE.
For other Windows OS's, who knows. Also see other documents on this topic
from:
Anyway, the July 2003
DCOM RPC
episode caused most sites to block TCP/UDP traffic on ports 135, 139, and 445,
so you won't be seeing the annoying popups any more.
Microsoft
says, the
Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface
"allows a program running on one computer to seamlessly execute code on a
remote system", which strikes me as an odd feature to put on mass-market
Internet-connected computers.
- Disable Automatic Windows Update
- This is not exactly a security issue, but you might feel better if you are
more in control of your computer. Furthermore, it sometimes happens that a
site blocks the messages Windows sends back to home base to check for updates;
once that happens, Windows retries the message once per second. The local
network can bog (or melt) down quickly with all the signs of a Denial Of
Service attack, and the network police might well come crashing through your
door to see what "you" are up to. In Windows XP, Automatic Windows Update
can be disabled in:
Control Panel → System → Automatic Updates
Most security experts will tell you that it is essential to apply updates
constantly, continuously, and instantly, to avoid falling prey to the latest
attacks, and if you use Windows as Microsoft intended (i.e. for everything),
that's good advice. Personally, I don't bother with updates, antivirus
software, or Zone Alarm. The way I use Windows, I don't need to.
- Don't use Public/Private Key Pairs
- Some people think that SSH connections are better than clear-text Telnet
connections because SSH doesn't send passwords over the network in the clear.
When they discover that they can use SSH to log in without a password by
setting up public/private key pairs, and that this opens up other
possibilities like remote execution of commands, tunneling, etc, they can't
resist. The trouble is, your key files are on your PC disk in a well-known
location. Given the infinite variety security holes in Windows, it's just a
matter of time before someone gets your key files and (if you have encrypted
them) cracks them offline, thus stealing your identity and gaining access to
all the computers that you have access to. Once this happens, there is no
straightforward method of recovery. Therefore, if you must use SSH, it is
better to use it only for encryption, typing your password every time you make
a connection to another computer. Better still, choose a manageable
form of security such as Kerberos (supported at Columbia), SSL/TLS, etc. More
about this HERE (see, especially, Section 3.2).
(If you have to use SSH with public/private key pairs, you can keep your
secret material (keys etc.) on a floppy disk or USB mounted memory stick, and
insert the disk/stick into the machine only when you attempt a connection to a
remote host with SSH; keep it locked up at other times.)
- Enable Internet Connection Firewall
- Windows XP and later have their own built-in Internet Connection Firewall
(ICF), but you have to "enable" it, and I suppose this can't hurt
(Control Panel →
Network Connections →
(Choose your network type) →
Properties →
Advanced →
Internet Connection Firewall →
Protect My Computer and Network).
I also can't say that it's necessary if you follow all the other
recommendations given here. So far, it hasn't been necessary for me. I
confess, I do have Norton Antivirus installed, mainly just to satisfy
myself that my PC remains virus-free, and so far it has. But you never
know... Windows has so many secret entrances from the outside world, I don't
think ANYBODY could tell you how to close them all -- and even if they did,
you'd spend an entire day groveling through obscure menus that are different
in every Windows version, with no record of what you'd done, and no guarantee
that your menu selections actually did anything, or that whatever holes
you closed wouldn't open up again all by themselves, in the interest of
user-friendliness.
In summary, don't use Microsoft applications,
don't use any other applications that automatically execute embedded programs
or scripts or macros in their data files (this can include
PostScript
viewers and even
PDF utilities),
disable all services that open your PC to incoming network connections,
including disk or printer shares and "content sharing" or any kind, as well
as automated updates.
While you're at it, learn to be a good network citizen. Software
vendors don't make this easy for you because they want you to become hooked on
their products and force others to use them. Some points to keep in mind:
- If your e-mail consists of only words, send it as plain text.
Avoid fancy formats like HTML and especially proprietary ones like Microsoft
Word; many people can't deal with them and/or don't appreciate them (see We Can Put
an End to Word Attachments by Richard M. Stallman and
Please
don't send Word Documents by email! by Tobia Brox). Not only
are Word documents Microsoft-specific, unnecessarily bloated, and can transmit
viruses, they also might contain information you did not intend the recipient
to see (such as
paragraphs you decided
to delete). HTML is dangerous too, because Windows-based Web browsers
contain so many bugs and security holes. Since PC-based e-mail clients tend
to send fancy formats by default, you have to go out of your way to make them
stop.
- Remember that not everybody on earth has Windows. Some people use
Macintoshes, Linux or other forms of Unix, VMS, IBM mainframes, and all sorts
of other platforms. Don't assume they can handle Windows-specific formats.
- Don't put enclosures (attachments) in your e-mail without prior agreement
(except for pictures in JPG or GIF format, which should be safe). People who
receive unexpected enclosures put themselves at risk whenever they open them,
so if they have any sense they won't.
- Don't create websites that take advantage of the very latest feature of
a particular browser or "authoring system". Such pages will almost certainly
not be readable by those who do not have compatible browsers, and in any case
are more likely to present security risks.
If you can type reasonably well and are willing to give up automatic opening
of e-mail attachments you can work with complete safety and a great deal more
efficiently in a "world of text", just as virtually everyone did prior to 1995
(so how hard can it be?).
Consider that AcIS maintains a vast armada of fast, secure Unix-based Sun servers, known collectively
as Cunix,
that you can access with a terminal emulator. These servers let you:
- Read and send e-mail with Pine, MM, or EMACS.
- Read and post netnews with Pine, Trn, Slrn, Gnus, or other text-based
newsreader.
- Edit text files with EMACS, Pico, Vi, Vim, or other Unix-based editor.
- Format documents for typesetting with TeX, LaTeX, Scribe, or Troff.
- Write, compile, debug, and execute computer programs in a variety of
languages including C, C++, LISP, Fortran, Java, and Perl.
- Use a number of scientific and statistics packages such as Matlab, SPSS,
SAS, Minitab, S-Plus, etc.
- Share files safely with your friends and colleagues at Columbia using
a flexible system of permissions and group membership.
- Make connections to other computers on the Internet with Telnet, SSH, FTP,
IRC, Lynx, Gopher, you name it.
- Access CLIO and other Columbia information services with ColumbiaNet.
In fact, this is how everybody at Columbia -- students, faculty, and staff --
used computers in the decades prior to Windows and the Web. It takes a little
time to learn text editing with
EMACS,
but the time is well invested, since EMACS is extremely powerful. Not only
can it do anything you can think of, but it is far less labor intensive
than a GUI point-and-click editor, which requires constant hand movement
between keyboard and mouse, endless grovelling through menus, and so forth
(favoring the novice or casual user over the experienced or heavy user).
Whereas with EMACS, if you're a touch-typist, your hands need never leave the
home position. To get started with EMACS, just type "emacs" at the Cunix
shell prompt, then type Ctrl-h (hold down the Ctrl key and press the "h" key,
then let go of the Ctrl key) and then press the "t" key for a tutorial.
If you need to use Microsoft applications like Outlook, Access, Excel,
Powerpoint, or Word on your PC, you can still do so, but do it with your eyes
open. Don't allow incoming network material (e-mail, web pages) to launch
these applications automatically. Launch them yourself by hand only on
trusted material, and then only after disabling all forms of macro
execution and other dangerous features in these applications (and reading all
the latest CERT security alerts about macro
viruses and vulnerabilities).
But what is trusted material? Good question. You have no way of knowing
in advance that a data file for an MS Office component -- Word, Excel, Access,
etc -- does not contain a virus, even if the file comes from a trusted friend
or colleague or family member, because they might be passing along a virus
without knowing it. You can test the file in advance with a virus scanner,
but the virus might be a new one that the virus scanner doesn't know
about.
Here are some of the benefits of a host-based, text-based work
environment:
- The central systems are safe. They are administered by computer
professionals who follow the daily security bulletins and install any
necessary patches immediately. It's their full-time job. Since the patches
are central, everybody benefits from them at once.
- The central file systems are redundant and backed up. Even
in the worst conceivable disaster, you would not lose more than a day's work.
In the normal disaster (a disk fails), a hot standby shadow disk is activated
automatically, transparently to you, and not even one character is lost.
- E-mail viruses scroll past harmlessly in your terminal window. You
are immune to e-mail viruses like Iloveyou, Melissa, SirCam, Nimda, Klez,
Sobig, and all those yet to come.
- Offensive and/or disturbing images do not pop up in your face while
you are reading email. All you see is text. You have to take explicit action
to view pictures or "open" other enclosures.
- Plain-text files do not carry viruses. The mere
act of loading a text file into an editor or displaying it on the screen,
or even just having it in your directory or referring to its name, does not
put you at risk in a text-mode Unix session.
- Plain text is transportable and immortal. "Rich text" such as that
produced by word processors is product-specific and therefore intelligible
only to other people who have the same product. It quickly becomes
undecipherable and useless as products change or expire. Plain-text ASCII
documents, on the other hand, written as long ago as the 1960s are perfectly
legible and valid today, and will remain so into the distant future, unlike
much more recent documents created by now- (or soon-to-be-) defunct word
processors. This applies to HTML and its successors too; not long ago we were
told that HTML 1.0 was immortal and that everything should be converted
to it; now just a few years later, HTML 4.0 declares everything in HTML 1.0 to
be "legacy" and "deprecated", and HTML itself is increasingly considered
passé in the neverending procession of new ML's and other standards.
- You aren't distracted by a constant procession of photos, cartoons,
video clips, sound effects, animations, muzak, and pop-up promotions. You
can focus on your work.
- You receive important notices automatically when you log in. You
can also receive emergency broadcast messages while you are logged in. These
valuable services were forgotten when everybody started using the Web instead
of centralized shell accounts, but they still exist. Web users tend not to go
digging through the AcIS pages every five minutes to find out what's
happening and therefore receive no notification of server or network outages,
modem pool problems, security threats, and so forth.
You can access the central Unix servers securely from Windows by using
Kermit 95:
http://www.columbia.edu/kermit/k95.html
Columbia students, faculty, and staff can download Kermit 95 from the
AcIS Software
Distribution Center; other universities can get low-cost
ACADEMIC SITE LICENSES; individuals anywhere
can download it from HERE.
Kermit 95 is a product of AcIS's own
Kermit Project and is therefore
naturally in tune with the Columbia computing and security environment. Like
EMACS, it has a bit of a learning curve because it has a lot to offer. It's
not just a terminal emulator; it also lets you:
- Make securely authenticated and encrypted SSH, Telnet, Rlogin, FTP, or
HTTP connections.
- Transfer files in your terminal session.
- Use languages besides English in your terminal session.
- Write scripts to automate anything you could do by hand.
And lots more. CLICK HERE for a tutorial.
The Kermit 95 command prompt can even be a more powerful and
friendly alternative to the Windows shell.
My time-tested Windows setup is simple: one Mozilla window plus
several Kermit 95 windows acting as Kerberized (i.e. secure) Telnet clients to
Columbia hosts, SSH connections to other hosts, and when this document was
originally written I also had a copy of Kermit 95 accepting incoming
connections on the HTTP port so I could harmlessly absorb, log, and
automatically report Code Red and Nimda attacks via a Kermit
script. In the Kermit 95 terminal windows:
- I create and edit files on the Unix host with
EMACS.
This includes program source code, Web pages (like this one), E-Mail,
articles, and any other kind of text. Since I'm a fast touch-typist, EMACS
allows me to work quickly since I never have to move my hands away from the
home keys. Other host-based fullscreen text editors include Pico, Vi, and
Vim. Line or stream oriented editors are available too (such as sed, ed, ex)
but are used mainly in scripts, not by humans.
You don't need a "Web authoring system" to create a web page. Simple pages
like the one you are looking at can be entered easily by typing text plus a
few embedded HTML commands into a text editor. To see how easy this can be,
just tell your browser to "View Source" of this page. Web pages like this one
can be read by any web browser, whereas pages generated by Frontpage or
the like are inevitably designed to work with only one browser and break all
the others. All Cunix users automatically have their own websites: it is the
public_html subdirectory of your Cunix login directory; just make a
publicly-readable index.html file there and you have a home page.
- I read and send mail on the Unix host with MM, a
text-mode prompt-and-command e-mail client written here at Columbia in the
1980s. Viruses arrive constantly, just as they do for everyone else, but with
a text-based e-mail client, you see them rather than catch them.
Simply delete them as you would any other junk mail.
In the latest (late June 2004) outbreak, Microsoft is advising people to read
their website:
http://www.microsoft.com/security/incident/settings.mspx
which says (among other things) "Use plain text to read the e-mail messages
you receive".
Other host-based
text-mode email clients include
Pine
(a fullscreen menu-driven client with some support for attachments) and EMACS
Rmail. Pine is easiest to get started with, but MM is easier to use once you
know how, and it's faster and more efficient.
A special advantage of host-based text-mode e-mail clients is that they send
e-mail in simple and universal plain text format. An ordinary text message
consisting of a few sentences or paragraphs arrives at its destination in
exactly that form. But when you send e-mail with a Windows- or Web-based
e-mail client, it usually arrives in some hideous, bloated, and often
product-specific format that the recipient might not even be able to read,
often with viruses added, and that is also likely to be blocked at the gate
because it has the characteristics of spam. These
gratuitous conversions of plain to "rich" text are wasteful, unnecessary,
impolite, and often destructive. Soon you will find yourself wishing your
correspondents sent you plain-text messages, and perhaps even asking
them to do it.
The latest version of MM (0.91, Fall 2002) has a couple new features for
interfacing to the modern world. First, it can deal with 8-bit text (Latin-1,
UTF-8, etc) in a passive way (previously it would destroy 8-bit text). And
second, it now lets you download messages to your desktop PC; for example, a
MIME message (perhaps containing multimedia elements) for display by your PC
mail client AFTER you have looked it over in MM to satisfy yourself it is
safe. CLICK HERE
for details. You can even write your own MM command files to delete unwanted
mail (spam, viruses, etc);
CLICK HERE for an
example.
- I read and post netnews with
Trn,
a text-mode Threaded News Reader.
Others are available, including
Slrn
(which has an intuitive EMACS-like interface, complete with menus),
Tin
(another fullscreen newsreader, but with a Vi-like interface),
EMACS itself (its "gnus" command),
and some of the e-mail packages (such as
Pine,
but not MM). Free Web-based netnews sites are available too, but they tend to
have the same drawbacks as free Web-based e-mail sites: transmission of clear
text passwords, privacy concerns, author rights, . . . If all you want to
do is read netnews, however, Google
Groups (accessed from your Web browser) is just fine.
- If I need to produce publication-quality typeset material, I use
TeX, LaTeX, Scribe, Nroff, or Troff on the host.
These are far more powerful and flexible than "what-you-see-is-what-you-get"
word processing, and less labor intensive. Scribe and LaTeX, in particular,
provide for massive and highly structured documents including not just the
expected font selection and control (regular, bold, italic, proportional /
monospace, big, small, etc), but also bibliographies and citations, footnotes,
multilevel index, automatic chapter, section, and page numbering, automatic
generation of the Table of Contents, internal cross references, text in
multiple languages and scripts, change bars, figures, tables, mathematical
equations, and so on, plus the ability to change style elements globally, thus
allowing the same document to be output in many forms and styles, as well as
for many different kinds of printing devices and typesetters. For example,
Scribe includes a built-in database of "style sheets" for a number of
journals, allowing the same article to be submitted to one, then the next and
the next, simply by running it through Scribe again and requesting the
pertinent style. Although Microsoft Word might have begun to approach this
level of usefulness (20 years later), there are big differences. MS Word
files tend to "decay" as Word itself changes out from under them. And MS Word
files themselves are incomprehensible outside of Word, whereas Scribe and
(La)TeX source files are plain text, readable by humans. Even after Scribe
and (La)TeX cease to exist, their source files are legible and easily
convertible to the next thing -- XML or whatever. And host-based editors and
text formatters don't put viruses in your computer or your documents.
- I transfer files back and forth within my terminal session using
C-Kermit on the
Cunix host, which interoperates with Kermit 95 on my PC. Since the terminal
connection is secure (Kerberos or SSH), so are the file transfers.
- All my work is backed up automatically
because my files and e-mail reside on a central host. In general, I don't
don't keep anything on my PC that I care about. Or if I do, I transfer it
to Cunix where it will be backed up.
When reading e-mail:
- Kermit 95 automatically highlights all URLs. If I Ctrl-click on a URL in
the Kermit 95 terminal screen, Kermit sends the URL to my browser (starting it
first if necessary) and the page pops up automatically.
- I can print messages using MM's PRINT command, either on a Unix printer or
on my PC's locally attached (or network) printer via Kermit 95's pass-through
printing feature. You can do this in Pine too.
- I can view attachments before deciding what to do with them. Most of them
are junk and can be deleted and ignored. If something comes that might be
important, but is encoded, I can save it to disk and run it through
metamail
or uudecode to decode it and then decide how to handle it. If it's a Word
document, I can ask the person to resend as plain text, or I can view it with
Antiword on Cunix, or I can
download it to my PC with Kermit and look at it with WordPad. If I am certain
the message contains only picture enclosures (.jpg, .gif,
etc) I can use the somewhat more convenient method of viewing them described
HERE.
- If mail arrives in some strange character set, I can change Kermit 95's
character-set to match so I can see the message with the correct characters:
Spanish, German, Norwegian, Polish, Czech, Russian,
Greek, Armenian, you name it.
This setup is not necessarily for everybody, but I recommend it for people
who:
- Can type well.
- Use computers more for work or school than for entertainment.
- Don't mind reading documentation.
(The last point might be stated better as, "don't mind investing a little
time to learn tools that improve their productivity for years to come.")
If you fall into this category, perhaps the tradeoffs -- learning curve and
certain limitations, versus time and work lost due to viruses, not to mention
the damage they can do to others -- are worth it.
Remember: if you have a Windows PC connected to the Internet, then even
if you update and patch the OS and applications and antivirus and
intrusion-detection software every day, you're still not safe. Attacks
come first, the patches against them follow later. While you are sleeping,
your PC and/or files could be damaged and your PC could be used as a launchpad
for attacks against thousands of other computers, most likely including those
of your colleagues, friends, family, and business contacts -- the ones in your
Windows address book.
- DEFINITION:
- U-Mail
(n). Unwanted e-mail. A term to encompass not only spam (unsolicited
e-mail of a promotional or otherwise undesirable nature) and viruses, but also
responses sent to you when your e-mail address was forged as the sender of a
spam or virus message sent from somebody else's computer. Such responses
might include delivery status reports (e.g. no such user), virus warnings,
spam rejections, disk-full notifications, subscription confirmations, inquiry
acknowledgements, and vacation notices.
By mid-2002, the
Klez
worm had done a fair job of reducing the signal-to-noise ratio of Internet mail
by yet another order of magnitude. Every morning when I arrive at work and
read my e-mail, not only do I have preposterous messages from all over the
world, full of worms, viruses, get-rich schemes, scams, pornography, and
who knows
what else (even virus-laden ads for anti-virus products!), but it seems
that I also have been busy sending these messages myself while I slept since
much of my new mail is bounce notifications for e-mail from me to random
addresses all over the planet containing the same assortment of viruses,
worms, get-rich-quick schemes, etc.
Of course I did not send these messages, Klez did. Nor did the messages come
from my computer. Klez puts my address, which it picked out of other
peoples' address books, in the message's From: header; if you
look at the message's Received: headers, you'll see the true origin
of the message -- the person's computer where my address was found (or another
one subsequently infected from there, and so on).
E-mail that is forged in this way can be quite effective. Chances are high
that you will "open" a message if it is from someone you know, and chances are
also high that people who have your address in their address book also have
the addresses of people you know.
A few months after Klez debuted, I began to notice that some people were not
receiving email from me. It seems that "well-known spammer" lists accumulate
source addresses from Klez-generated (i.e. forged) massages, and some sites
use these lists as criteria for blocking spam. Here we see the seeds of the
breakdown of email itself. People who have never sent spam in their life are
branded as spammers and blocked from using email; the antibodies are more
lethal than the disease.
Anyway, now it seems "I" am sending tech-support requests to companies all
over the globe and subscribing to every conceivable mailing list, further
clogging my mailbox with automated responses and unwanted mass mailings. In
August 2002 only about 1 in 100 e-mail messages I received was legitimate, and
Columbia University as a whole received about a quarter million Klez messages
each day. It only gets worse. The entire Internet is now engaged in a
massive (but piecemeal, per-site) spam-filtering crusade that is increasingly
likely to block legitimate messages. Spam and virus mail will adjust itself
to pass through the filters, while the mere human beings responsible for the
filters won't be able to keep up. So you can expect that no legitimate
message will be immune from filtering. Since filtering policies are unique to
each site, it won't be easy to predict how to tailor your mail to get through.
(But if you can do it, spammers can do it too!)
At least by using a text-based email client, I don't propagate this avalanche
of letter bombs and junk mail. My mailbox is a Klez "sink" and my PC never
becomes another Klez source. I have a full view of each message so I can
easily tell whether it's forged by comparing the sender's address with the
source address accumulated along the route.
August 19-20, 2003: The
Sobig.F
virus raised the stakes by orders of magnitude. Like Klez, Sobig.F reads
email addresses from the infected machine's address book and picks one for the
From: address and another for the To: address. If your e-mail address is in
the address books of lots of Windows users, massive amounts of virus mail will
be sent "from you" and of course you will also receive lots of it, as well as
all the bounce messages, virus warnings, vacation notifications, subscription
confirmations, and other responses generated by this mail.
In a single 24-hour period, I received 16237 U-mail messages, 73MB worth,
compared to no more than 100 that were legitimate. This is with all sorts of
filtering already going on at the central mail server. At least 75 percent of
this traffic consisted of error or virus notifications from mail servers so it
can't be filtered without the danger of also discarding legitimate warnings.
Yet the volume is so massive it must be filtered, and this means it will
become increasingly impossible to know whether mail that you sent was
delivered (or had a virus!).
Perhaps MIME (Multimedia E-mail) was not such a great idea after all. It is
the source and carrier of most of today's worms and viruses. The idea that
e-mail should contain enclosures and attachments that can be associated
by the sender with a particular application that will be run
on the receiver's computer is such a flagrant, gaping security risk
it's almost inconceivable the IETF could have approved it. (In fact, there
was heated debate about this, but the design was evidently
"pre-approved" and discussions were purely pro forma.)
Postscript (2011)
Ten years later I still do everything pretty much as described above. By
doing all my work in a Unix shell, including reading and sending email, I
remain immune to many of the risks that others are exposed to every day.
The one big loophole is the Windows-based Web browser. Nobody can get by
without a graphical Web browser any more, and the truth is, no matter what
browser you are using (unless it's Lynx!), any time you click on a link
absolutely anything can happen to your computer. The situation might
be better with Mac OS X or Linux on the desktop, I really don't
know, but in an era when commerce dictates that running code on other
people's computers is a legitimate marketing tool, and when desktop
operating systems are so enormous that nobody knows what's in them, all
bets are off.
[ Top ]
[ CERT ]
[ UNIX ]
[ EMACS ]
[ Pine ]
[ MM ]
[ Kermit ]
[ AcIS Documentation ]
[ CU Computing History ]
Safe Computing / [email protected] /
Sep 2001 - Jan 2004 / May 2011.