This title comes from a Slashdot posting from January 7, 2005.[1] The posting describes a horrible root vulnerability in Linux 2.4 and 2.6, which, if exploited, would grant a non-administrative user root access to the operating system.

The same goes for Microsoft Windows in most ways. Without users, we wouldn't have any problems with viruses, spyware, broken programs that need administrator access just to run, screaming teenagers who need administrator access so they can run Kazaa, and all of the headaches usually found on an abused Windows computer.

Sysadmins don't usually fault their users for computing problems, instead blaming Microsoft for creating the environment that makes it possible. For example:

...this is a band-aid approach and a funny way for them to admit defeat - because it's holes in Microsoft's operating system that built the entire spyware industry to begin with.[2]

Kelly Martin lost sight of the real problem.

For one, "spyware" comes with many "free" applications available on the Internet. For example, Kazaa comes with the GAIN Toolbar and Kazaa's installer forces you to agree to install this software before it will install Kazaa.[3]

For another, users just can't resist free music. It acts just like a drug. Users will gladly install spyware-infested software, knowing full well what they're giving up, in the name of somehow screwing the man.

Kazaa's sponsors are not exploiting a weakness in Microsoft Windows. Instead they are exploiting a weakness in the user. For this reason alone, you all need to stop blaming Microsoft for your spyware woes.

In my experience of eleven years, the most effective way to avoid viruses, trojans, spyware, etc., is to practice safe computing. This takes many forms, for example, using a firewall, not downloading strange software from the Internet without reading about it first, asking questions of other, real, security experts, and recently, using your software with limited user accounts and choosing software designed for current versions of Windows.

Doing these things is easier said than done, however. Like breaking your addiction to alcohol, tobacco or caffeine, changing your computing habits is very difficult.

  1. http://linux.slashdot.org/article.pl?sid=05/01/07/2028203
  2. http://www.theregister.co.uk/2005/01/07/microsoft_anti_spyware/
  3. http://www.kazaa.com/us/terms2.htm, Sections 7.6 and 9.1. The truth hurts, doesn't it?

Which brings us to the point of why, "without users..."

Last month a client asked me to rebuild their Windows 2000 computer. This was going to be the third time the computer had Windows reinstalled on it due to performance problems. I asked them to consider before-the-fact approaches this time, including a hardware firewall, using limited user accounts, and not using BearShare. They gave it a go, and found they couldn't work the way they were accustomed to.

Of course, it was my fault.

This is not a GTKY rant. If you administer Windows computers, you know what I'm talking about. If you were ever blamed for breaking the computer by trying to fix problems before the fact, then this is getting to know yourself as much as me.

Trying to explain that the computer is a power tool, complete with safety guards, is not enough. Trying to explain that you will have to come back in two months to "re-fix" everything again (at a cost to the user) is not enough. Trying to explain that anti-virus software doesn't stop spyware is not enough. Trying to explain that some software vendors are just too damn lazy to care about their customers' computer security, and that they should choose software from other vendors, is not enough. In fact, there is nothing you can do if the user is dead set on wrecking their computer again.

Now, you tell me. If we didn't have users, would this still be a problem?


prole asks an important question: "But if it's not a problem with Windows, how come there's so little spyware for the Mac?"

Answer: The Macintosh OS only has three percent of the personal computer market share.[1] Just like most of the computer games industry, it's not in the spyware industry's best interest to chase down such a small percentage of users.

Or, put another way, if you wanted to profile a large chunk of Internet users, and only three percent of them used the MacOS, why write a special version of your spyware? Especially when there are non-OS-specific profiling methods, such as transparent GIFs, cookies, and JavaScript, at your disposal?

To be absolutely fair, spyware authors will eventually release spyware that works, and even self-installs, on limited user accounts on Windows 2000 and Windows XP, even if it only works when that specific user is on the computer. But, just like writing specially for the MacOS, not enough users practice safe computing yet to warrant the effort.

  1. http://www.theregister.co.uk/2005/01/12/mac_rumour_sites_get_it_right/