Are Internet viruses and trojan horses really as dangerous as we've been led to believe?
by Brian Dunning
Filed under Consumer Ripoffs
December 28, 2006
By Brian Dunning, Skeptoid Podcast
Episode 17, December 28, 2006
Today we're going to take a skeptical look at computer security. How real are the threats we are warned about all the time? Do these supposed threats pose any actual danger, and if so, what kind? What steps do we really need to take?
In the early days of web browsing, innovative programmers created cookies as a way to store session variables on the visitor's computer. When Bob visits Amazon and tells the server that his name is Bob Smith, Amazon writes "Bob Smith" on a nametag and sticks it on Bob's shirt. This is a cookie. It permits Amazon to accumulate a shopping cart full of merchandise for Bob, and to know where to put each new item without asking Bob to identify himself each time he brings something else to the register. The server can say "Ah, you're Bob Smith, good to see you," and it knows which shopping cart to put Bob's new DVD into. Without cookies, it would be necessary for Bob to log in each time he adds something to his cart. Not only is this inconvenient for Bob, it requires substantially more server resources. Server resources are not infinite. The more efficiently a web server can run, the faster it can serve Bob. And, when Bob's name tag is prominently plastered to the front of his shirt in the form of a cookie, there's less chance for Bob to be misidentified and be sent the wrong merchandise. Cookies are good for everyone.
Unfortunately, in the early days of Microsoft Internet Explorer, some genius in Redmond decided that Internet Explorer might seem superior to Netscape — its main rival at the time, if you remember — if it would raise caution flags and warn you about terrifying security risks with scary dialog boxes. Internet Explorer eventually became the only significant web browser and a whole generation of web surfers was raised with the belief that cookies were a security risk to be feared and blocked at all costs. The idea is that an unscrupulous individual might sneak into Bob Smith's office, look in the cookies folder on his computer, and learn that "Bob Smith" is the name he used to identify himself to Amazon.
Cookies are just plain vanilla text files. They contain no program logic or encryption. The good thing about this is they can't contain program code like viruses or trojan horses. The bad thing about this is they contain human readable plain text, so that anyone with access to your computer can read them. Since nearly every other program and data file on your computer uses human readable plain text, is this truly such an egregious security risk? Programmers and software engineers know that it's not, but marketing people never let the truth stand in the way of a sale. If they can convince you that your computer's normal operation constitutes a risk that can be mitigated by purchasing their software, they know they've got lots of sales.
Some people think that cookies can be used to steal credit card numbers or other information from your computer. Not only is there no mechanism by which this could work, it's illogical. The web server is what writes the cookie to your machine, and obviously it can't write anything it doesn't already know.
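The name-tag exchange described above, as an added example that is not part of the original transcript. It assumes the tag carries an opaque random ID that the server maps to Bob's name and cart; the class names and the `amazon.example` and `other.example` hosts are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

class Shop:
    """Toy web server. Carts live server-side, keyed by the ID it issued."""
    def __init__(self):
        self.sessions = {}                      # session id -> name and cart

    def handle(self, cookie_header, name=None, add=None):
        """Process one request; return (Set-Cookie value or None, session)."""
        sent = SimpleCookie(cookie_header)      # parse the browser's Cookie header
        sid = sent["sid"].value if "sid" in sent else None
        set_cookie = None
        if sid not in self.sessions:            # no valid name tag yet: write one
            sid = secrets.token_hex(16)         # assumption: opaque ID, not the name
            self.sessions[sid] = {"name": name, "cart": []}
            tag = SimpleCookie()
            tag["sid"] = sid
            tag["sid"]["path"] = "/"
            set_cookie = tag["sid"].OutputString()
        if add:
            self.sessions[sid]["cart"].append(add)
        return set_cookie, self.sessions[sid]

class Browser:
    """Keeps one cookie jar per host and returns cookies only to that host."""
    def __init__(self):
        self.jars = {}                          # host -> {cookie name: value}

    def request(self, host, server, **form):
        jar = self.jars.setdefault(host, {})
        header = "; ".join(f"{k}={v}" for k, v in jar.items())
        set_cookie, session = server.handle(header, **form)
        if set_cookie:                          # store exactly what the server wrote
            for key, morsel in SimpleCookie(set_cookie).items():
                jar[key] = morsel.value
        return header, session

def demo():
    """Two visits to one shop, then a visit to an unrelated site."""
    amazon, other, bob = Shop(), Shop(), Browser()
    bob.request("amazon.example", amazon, name="Bob Smith", add="DVD")
    sent, session = bob.request("amazon.example", amazon, add="plasma TV")
    leaked, _ = bob.request("other.example", other)   # a different site
    return sent, session, leaked, bob.jars["amazon.example"]
```
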
Referrer codes are another normal function that's being marketed as a security risk. Whenever a web browser visits a server, it sends a referrer code. This is the URL of the web page from which the browser came. This is part of the HTTP specification and is a normal function; it's not the nefarious evil plan of some hacker. Let's say our friend Bob is reading the news on CNN.com and sees an ad for a plasma television from Amazon. Bob's in the market for a good plasma, so he clicks the ad. Amazon's web server receives a referrer code from Bob's browser that tells it Bob linked from CNN.com. Amazon may use the referrer codes to analyze which of their advertisements are most effective, an analysis that's essential to good advertising. If Bob buys something, CNN or some third party may be entitled to a sales commission for referring the business, which Amazon is happy to pay since they're happy to have Bob's business. Amazon may even see where Bob came from and offer him the special CNN discount. The referrer code is great for Amazon. At best it's great for Bob, at worst it's no skin off Bob's nose. Referrer codes are also used for many other useful things on the web.
As you might expect, the security software vendors market referrer codes as a threat too. Their best explanation is that it's none of Amazon's business where you came from. That's true, in a strictly Libertarian sense, but in a practical sense, it's really helpful for them to know. Many services such as Amazon can better customize their offerings when they know where their visitors are coming from. A technology called Collaborative Filtering allows Amazon to say "Visitors from CNN prefer the new Rick Astley video." If you use security software to block your browser from sending referrer codes, the best you'll get is a more generic Internet experience. The worst you'll get is that some web services won't work at all.
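The referrer analysis described above, as an added example that is not part of the original transcript: it tallies which sites sent visitors, reading the `Referer` request header (the spelling HTTP uses) from web server log lines. The log lines, host names and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Dec/2006:10:01:07 +0000] "GET /tv/plasma?ad=17 HTTP/1.0" 200 5120 "http://news.example/world/story.html" "Mozilla/4.0"
203.0.113.9 - - [28/Dec/2006:10:02:41 +0000] "GET /tv/plasma?ad=17 HTTP/1.0" 200 5120 "http://NEWS.example/sports/" "Mozilla/4.0"
198.51.100.2 - - [28/Dec/2006:10:03:15 +0000] "GET /dvd/42 HTTP/1.0" 200 2048 "http://search.example/?q=dvd" "Mozilla/4.0"
198.51.100.7 - - [28/Dec/2006:10:04:02 +0000] "GET /dvd/42 HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [28/Dec/2006:10:05:30 +0000] "GET /cart HTTP/1.0" 200 900 "http://shop.example/tv/plasma?ad=17" "Mozilla/4.0"
192.0.2.44 - - [28/Dec/2006:10:06:11 +0000] "GET /dvd/42 HTTP/1.0" 200 2048 "not a url" "Mozilla/4.0"
"""

# Request line, status, size, then the quoted Referer field.
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def referring_site(referer):
    """Reduce a Referer value to a host name, or a label if it is unusable."""
    if referer in ("", "-"):          # browser sent none, or software blocked it
        return "(none sent)"
    host = urlsplit(referer).hostname  # lower-cased by urlsplit; None if no host
    return host or "(unparseable)"

def tally(log_text, own_host="shop.example"):
    """Count external referring sites; clicks within our own site are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE.search(line)
        if not match:
            continue
        site = referring_site(match.group("referer"))
        if site != own_host:
            counts[site] += 1
    return counts
```

The header is supplied by the visitor's browser, so the server has to cope with it being absent or malformed, as the last three sample lines show.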
Viruses are a genuine pain in the ass. If you're running Windows and you use the Internet at all, your computer will probably download at least a dozen new ones a day. There are numerous ways that viruses can be embedded in web pages, in advertisements on web pages, in media presentations, even in some older graphic images. Big money is made by some of the more cleverly designed viruses (or trojan horses, whatever term you prefer). Sometimes all they do is install fake cookies on your computer to tell Amazon that some guy in Indonesia is entitled to a sales commission next time you buy something. Sometimes they make your computer part of a distributed illegal file sharing system. Sometimes they turn your computer into a spam server. Sometimes they install browser toolbars that lead you to more virus pages when you use them. Sometimes they install software that displays popup advertisements. Fortunately, free software such as Spybot Search & Destroy or Ad-Aware can genuinely eliminate all, or almost all, of these threats. So what's the Skeptoid angle on these?
The reason people develop viruses and trojan horses is to make money, through advertising or sales commission programs. Really all of the threats described above ultimately lead to money. It benefits nobody to write a virus that erases your computer or causes some problem. Such viruses do exist, mainly from the early days of the Internet, but since they're not profitable, they've gone almost completely out of fashion. People want your business and they want your money; there's no profit in erasing your hard drive. Invariably, when I make this rant, I get the comment "My aunt had her computer erased by a virus," or "I have a virus that makes my screen go black and deletes my address book." The truth is that software conflicts and system crashes are more likely responsible for these problems. If you own a computer, problems are the price of admission, and every owner will eventually lose data. But there are a thousand normal operating system problems that will be the most probable culprit. It makes no sense for someone to write a virus that does these things, when they can just as easily write a virus that earns them money. Just as in nature: the viruses that thrive are those that don't kill their hosts.
Use Spybot Search & Destroy and Ad-Aware to scrape this crap off your machine and keep it running lean & mean, but don't buy the expensive commercial software that does no better and that makes claims designed to take advantage of customers with minimal technical knowledge. Or just use a Mac like I do, since none of this crap runs on Unix. And, don't bury your thoughts too deeply in cyberspace. Remember you'll always be most vulnerable to what is statistically by far the biggest threat: that your computer will simply be stolen.
© 2006 Skeptoid Media, Inc.
Reference this article:
Dunning, B. "Internet Paranoia." Skeptoid Podcast. Skeptoid Media, Inc., 28 Dec 2006. Web. 19 Dec 2014. <http://skeptoid.com/episodes/4017>