Internet Paranoia

Are Internet viruses and trojan horses really as dangerous as we've been led to believe?

Filed under Consumer Ripoffs

Skeptoid #17
December 28, 2006

Today we're going to take a skeptical look at computer security. How real are the threats we are warned about all the time? Do these supposed threats pose any actual danger, and if so, what kind? What steps do we really need to take?

In the early days of web browsing, innovative programmers created cookies as a way to store session variables on the visitor's computer. When Bob visits Amazon and tells the server that his name is Bob Smith, Amazon writes "Bob Smith" on a nametag and sticks it on Bob's shirt. This is a cookie. It permits Amazon to accumulate a shopping cart full of merchandise for Bob, and to know where to put each new item without asking Bob to identify himself each time he brings something else to the register. The server can say "Ah, you're Bob Smith, good to see you," and it knows which shopping cart to put Bob's new DVD into. Without cookies, it would be necessary for Bob to log in each time he adds something to his cart. Not only is this inconvenient for Bob, it requires substantially more server resources. Server resources are not infinite. The more efficiently a web server can run, the faster it can serve Bob. And, when Bob's name tag is prominently plastered to the front of his shirt in the form of a cookie, there's less chance for Bob to be misidentified and be sent the wrong merchandise. Cookies are good for everyone.

Skeptoid.com even uses cookies, albeit in a simpler way. When you submit a comment on an episode, the name and hometown that you enter into the comment form are saved on your computer as cookies. This allows Skeptoid.com to automatically fill in these fields for you, the next time you want to submit a comment. Saves you a few dozen keystrokes, and makes your entries more consistent. Just a minor convenience feature. Minor, but still a good thing.

Unfortunately, in the early days of Microsoft Internet Explorer, some genius in Redmond decided that Internet Explorer might seem superior to Netscape — its main rival at the time, if you remember — if it would raise caution flags and warn you about terrifying security risks with scary dialog boxes. Internet Explorer eventually became the only significant web browser and a whole generation of web surfers was raised with the belief that cookies were a security risk to be feared and blocked at all costs. The idea is that an unscrupulous individual might sneak into Bob Smith's office, look in the cookies folder on his computer, and learn that "Bob Smith" is the name he used to identify himself to Amazon.

Cookies are just plain vanilla text files. They contain no program logic or encryption. The good thing about this is they can't contain program code like viruses or trojan horses. The bad thing about this is they contain human readable plain text, so that anyone with access to your computer can read them. Since nearly every other program and data file on your computer uses human readable plain text, is this truly such an egregious security risk? Programmers and software engineers know that it's not, but marketing people never let the truth stand in the way of a sale. If they can convince you that your computer's normal operation constitutes a risk that can be mitigated by purchasing their software, they know they've got lots of sales.

Some people think that cookies can be used to steal credit card numbers or other information from your computer. Not only is there no mechanism by which this could work, it's illogical. The web server is what writes the cookie to your machine, and obviously it can't write anything it doesn't already know.

Referrer codes are another normal function that's being marketed as a security risk. Whenever a web browser visits a server, it sends a referrer code. This is the URL of the web page from which the browser came. This is part of the HTTP specification and is a normal function; it's not the nefarious evil plan of some hacker. Let's say our friend Bob is reading the news on CNN.com and sees an ad for a plasma television from Amazon. Bob's in the market for a good plasma, so he clicks the ad. Amazon's web server receives a referrer code from Bob's browser that tells it Bob linked from CNN.com. Amazon may use the referrer codes to analyze which of their advertisements are most effective, an analysis that's essential to good advertising. If Bob buys something, CNN or some third party may be entitled to a sales commission for referring the business, which Amazon is happy to pay since they're happy to have Bob's business. Amazon may even see where Bob came from and offer him the special CNN discount. The referrer code is great for Amazon. At best it's great for Bob, at worst it's no skin off Bob's nose. Referrer codes are also used for many other useful things on the web.

As you might expect, the security software vendors market referrer codes as a threat too. Their best explanation is that it's none of Amazon's business where you came from. That's true, in a strictly Libertarian sense, but in a practical sense, it's really helpful for them to know. Many services such as Amazon can better customize their offerings when they know where their visitors are coming from. A technology called Collaborative Filtering allows Amazon to say "Visitors from CNN prefer the new Rick Astley video." If you use security software to block your browser from sending referrer codes, the best you'll get is a more generic Internet experience. The worst you'll get is that some web services won't work at all.
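The cookie and referrer exchange described above, as an added example that is not code from Skeptoid or from any site named in the episode. It assumes a common arrangement in which the name tag carries an opaque session id rather than the name itself; the cookie name `sid`, the `SESSIONS` table and the function names are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Server-side state (hypothetical): the cookie holds only a key into this table.
SESSIONS = {}  # session id -> {"name": ..., "cart": [...], "referred_by": ...}

def first_response(name):
    """Server: create a session and return the Set-Cookie header value."""
    sid = secrets.token_urlsafe(16)          # unguessable, carries no personal data
    SESSIONS[sid] = {"name": name, "cart": [], "referred_by": None}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True         # page scripts cannot read it
    cookie["sid"]["secure"] = True           # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"
    return cookie["sid"].OutputString()

def browser_request(set_cookie_value, referer=None):
    """Browser: send back only the name=value pair the server handed out."""
    jar = SimpleCookie(set_cookie_value)
    headers = {"Cookie": "; ".join(f"{k}={m.value}" for k, m in jar.items())}
    if referer:
        headers["Referer"] = referer         # header name as spelled in HTTP
    return headers

def handle_add_to_cart(request_headers, item):
    """Server: find the visitor's cart from the Cookie header, note the referrer."""
    jar = SimpleCookie(request_headers.get("Cookie", ""))
    sid = jar["sid"].value if "sid" in jar else None
    session = SESSIONS.get(sid)
    if session is None:
        return None                          # missing or unknown id: log in again
    referer = request_headers.get("Referer")
    if referer and session["referred_by"] is None:
        session["referred_by"] = urlsplit(referer).hostname
    session["cart"].append(item)
    return session

if __name__ == "__main__":
    # Constructed sample exchange: visitor arrives from an ad on another site.
    set_cookie = first_response("Bob Smith")
    request = browser_request(set_cookie, referer="https://news.example/tv-ad")
    print(set_cookie)
    print(handle_add_to_cart(request, "plasma-tv"))
```

The server can only put into the cookie what it already holds, and a request without a recognised `sid` gets no cart at all.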

Viruses are a genuine pain in the ass. If you're running Windows and you use the Internet at all, your computer will probably download at least a dozen new ones a day. There are numerous ways that viruses can be embedded in web pages, in advertisements on web pages, in media presentations, even in some older graphic images. Big money is made by some of the more cleverly designed viruses (or trojan horses, whatever term you prefer). Sometimes all they do is install fake cookies on your computer to tell Amazon that some guy in Indonesia is entitled to a sales commission next time you buy something. Sometimes they make your computer part of a distributed illegal file sharing system. Sometimes they turn your computer into a spam server. Sometimes they install browser toolbars that lead you to more virus pages when you use them. Sometimes they install software that displays popup advertisements. Fortunately, free software such as Spybot Search & Destroy or Ad-Aware can genuinely eliminate all, or almost all, of these threats. So what's the Skeptoid angle on these?

The reason people develop viruses and trojan horses is to make money, through advertising or sales commission programs. Really all of the threats described above ultimately lead to money. It benefits nobody to write a virus that erases your computer or causes some problem. Such viruses do exist, mainly in the early days of the Internet, but since they're not profitable, they've gone almost completely out of fashion. People want your business and they want your money; there's no profit in erasing your hard drive. Invariably, when I make this rant, I get the comment "My aunt had her computer erased by a virus," or "I have a virus that makes my screen go black and deletes my address book." The truth is that software conflicts and system crashes are more likely responsible for these problems. If you own a computer, problems are the price of admission, and every owner will eventually lose data. But there are a thousand normal operating system problems that will be the most probable culprit. It makes no sense for someone to write a virus that does these things, when they can just as easily write a virus that earns them money. Just as in nature: the viruses that thrive are those that don't kill their hosts.

Use Spybot Search & Destroy and Ad-Aware to scrape this crap off your machine and keep it running lean & mean, but don't buy the expensive commercial software that does no better and that makes claims designed to take advantage of customers with minimal technical knowledge. Or just use a Mac like I do, since none of this crap runs on Unix. And, don't bury your thoughts too deeply in cyberspace. Remember you'll always be most vulnerable to what is statistically by far the biggest threat: that your computer will simply be stolen.

Brian Dunning

© 2006 Skeptoid Media, Inc. Copyright information

Reference this article:
Dunning, B. "Internet Paranoia." Skeptoid Podcast. Skeptoid Media, Inc., 28 Dec 2006. Web. 24 Apr 2014. <http://skeptoid.com/episodes/4017>

Discuss!

What I'm going to say is not an ad hominem attack or in any way meant to invalidate Skeptoid arguments. It's just information to let Skeptoid listeners know what kind of man Brian Dunning is. He is not a very good role model. He is a sexist and has edited this podcast to remove his argument supporting cookie stuffing. I transcribed what the old podcast used to say (I have it because I have been following Skeptoid pretty much from the beginning):

The reason people develop viruses and trojan horses is to make money through advertising or sales commission programs. Really all of the threats described above ultimately lead to money. However, in point of fact, it's no skin off your nose. Sure, some guy in Indonesia [ed: or California] will get a sales commission that he didn't deserve but it didn't come out of your pocket.

Why would he edit this out? It sounds logical. Why did I add the California tidbit? Because Brian Dunning was indicted for cookie stuffing (what he calls fake cookies that lead to sales commissions) eBay out of over $5 million dollars. I can't find any information about what kind of sentence he got, but the bottom line is that when it comes to choosing a role model, you should indeed be skeptical of the skeptics. Also, if he is that good at making money, does he really need yours? As a long time listener I also remember how he used to proudly proclaim Skeptoid was the only podcast that did not accept donations. Bottom line: Don't invest too much in Brian Dunning.

Stephanie Barnes, Ohio
September 25, 2011 6:59pm

Be that as it may, Brian's extremely interesting and amusing podcasts on my iPod have carried me through many a mile of marathon running, for which I'm extremely grateful and dearly hope that he'll long continue doing so. I make no excuses for lapses in morality, but if we accept that the essence of morality is doing the least possible harm to any living species in the interest of our own survival, then Brian has sinned not, for I fail to see what harm he has done to anybody. I actually wonder if eBay was not complicit in this whole thing, but then again, as a skeptic I don't accept conspiracy theories.

Iain McFadyen, CENTURION
October 09, 2011 1:36pm

Wow! I had no idea about what commenter Barnes above said about Brian Dunning having been indicted for cheating eBay out of millions of dollars. It took some searching, but I found Brian's partial response:

skeptoid.com/blog/2011/10/05/a-partial-explanation/

Since this has been going on for many years, I'd expect a fuller answer from him by now. The gist of his answer is that it was all ethical (as I would expect from him!) and that eBay knew the methods he used. Since there's no way he'd think he could get away with something like this, I have to think that eBay and the prosecutors simply are completely wrong.

Does anyone have a 2012 update on this? Geez, I hope one of the most helpful and trustworthy men on the internet really is so.

Kyle Corbin, Raleigh, NC
July 03, 2012 5:55pm

As Stephanie Barnes pointed out, there's an undisclosed conflict of interests in this episode in particular.

Once your computer is compromised, you pretty much can't feel safe using it for anything sensitive like work or online banking until you format it. Even malware that's just trying to sell you something can make your computer unusable, hijacking your browser, using up all your memory, constantly popping up ads, and screwing with your system before showing ads for a fake anti-virus.

My favorite tool for removing malware is Trend Micro's HijackThis. I used it to remove malware that other software missed.

Max, Boston, MA
July 30, 2012 1:05am

There are a few factual errors in this one..
There are viruses that encrypt (and thereby destroy) some of your files and demand a ransom in order to decrypt them.
Others can corrupt your files inadvertently or make your SCADA system ruin your centrifuges.
Yes, you can steal credit card data via cookies (session hijacking, XSS), but it's not the cookie's fault.
Macs aren't immune to malware; there are just too few of them around to make it worth attacking them - but that's currently changing..

Nagilum, Germany
July 31, 2012 10:25am

This episode was very misinformed. I work in the malware removal business and I noticed some things that are simply not true in this.

Spyware anti-spyware isn't very good. I've tested it myself and have also watched tests with live malware inside a VM.

And Macs have a lot of malware.

Josh, Louisville
August 31, 2012 1:00pm

I am very disappointed in this episode. Not at all the quality that I usually come to expect of Brian.

Very in-depth cookie look, but the short add-on garbage about viruses and trojans was way off the mark.

So many things are wrong, but what surprised me the most is when he said "none of this crap runs on Unix".

Informed, Australia some where
September 05, 2012 11:52pm

I've managed my cookies with extreme prejudice for a lot longer than MSIE (which I almost never use) has been around. I do this because these tiny little text files consume a disproportionately large volume of available hard drive space which has always been at a premium for me.

I almost never use active anti-virus software as I find it's usually the cause of many PC problems and they slow performance.

In thirty years I've contracted exactly one harmful virus which cost me two hours to repair and I'm to blame for launching it in the first place.

Raphael Swift, Warren CT
September 23, 2012 10:17am

I don't want to sound like a butt-head, but using a Mac doesn't guarantee safety from viruses.
And...
Being a computer technician myself, I've seen free software like Spybot and MalwareBytes miss some rather nasty malware and spyware on client computers. Not that those programs are ineffective - I believe that a good free antivirus like AVG or even Avast is good - and used in conjunction with some common sense, and a program like MalwareBytes (when you need it), you can keep the average computer pretty healthy and virus free.

Dan, Australia
November 07, 2013 8:54pm

I use Avast!, and add Sandboxie as another layer of protection. Since it runs your browser in a sandbox, malware has no way of accessing your hard drive. Simply delete the sandbox when you sign off, and any downloaded malware is deleted as well.

Mike, Toronto,Ontario
February 26, 2014 5:39pm
