Don't Blame the Victim
Editorial by Carl Landwehr
May 21, 2000

Following the I Love You virus and its copycat variants, there was the usual spate of news articles and discussions about why this happened, whether it should have been prevented somehow, what this or that organization did to respond, and whose fault it was. In many discussions, there has been a strong a note that since we can't know what the next virus will look like, we need to focus our efforts on educating users not to open "suspicious" attachments. This is blaming the victim.

I fully agree that security is not just a matter of technology. In  many environments, the weak link in our defenses is the human one. Organizations do need to worry about "social engineering" attacks and need to be sure that their employees are appropriately informed about the possibility of such attacks and how to respond to them. And they need to be aware of the importance of configuring their systems safely and keeping up with releases that patch security holes.

But I cannot stomach the idea that users must be expected to guess what is safe for them to open and what isn't. For example, here is an extract of testimony before Congress following the recent incident, as reported by the Associated Press:

   The easiest way [to stop future viruses] is to educate people
   about computer "hygiene," including not opening unexpected e-mail
   attachments, said Harris Miller, president of the computer group
   Information Technology Association of America.
   "This bug was passed along because people were opening e-mail
   that they shouldn't," said Miller. [...] "Why, in a professional
   environment, would you open something that says `I love you?' Good
   common sense should tell you that if it's not coming from someone
   who should be saying `I love you,' then you shouldn't open it."
Of course, in many cases people who received this message did receive it from someone they knew and trusted. Mr. Miller is not alone in his opinion, however. I heard similar comments from other "expert" sources on television and radio interviews as well.

For technologists to suggest that foolish users who unwisely open dangerous attachments should be the focus of the community's attention in the wake of the recent virus attacks is disingenuous to say the least. To think that users should be able, by looking at the name and extension of a file, to guess whether it is safe to open it or not, is silly, and to suggest that the security of our systems should depend on users' intuition in this respect is irresponsible.

Technology that would permit attachments to be opened in a separate domain with limited privileges has been known for, conservatively, 25 years. Of course, today's dominant operating systems and applications don't exploit this knowledge very effectively. Instead, they seem intent on integrating applications so closely that any application will have complete access to every other application's data and programs without any notification to or permission from the user.

When problems occur because developers seem to pay little attention to the security risks entailed, for example, when programming language support is added to applications, it is an affront to technologists to suggest that the problem is with uneducated users. 

Perhaps there is room for a little hope. Microsoft's initial response to the latest virus amounted to "not our problem -- anyone can write a virus for any platform." But a week later, they released a patch that will add at least a little bit of isolation between Outlook's mail facilities and the attachments users open.

The "price" of this added security, in terms of user inconvenience?  A Palm Pilot user wishing to resynchronize address books will be confronted with a dialog box asking whether it's OK to do that. What this seems to say is that, because the developer was unwilling to provide this degree of isolation in the first place, the world was left vulnerable to such elementary attacks as we saw wasting resources around the world on May 4.

I urge you to speak up in defense of the right of users to be naive and of the responsibility of developers to produce systems that are not only convenient but also safe against well-known attacks.

--Carl Landwehr

[Opinions expressed above are my own and not necessarily those of  Mitretek Systems]