Udostępnij za pośrednictwem


Beware of the dancing bunnies.

I saw a post the other day (I'm not sure where, otherwise I'd cite it) that proclaimed that a properly designed system didn't need any anti-virus or anti-spyware software.

Forgive me, but this comment is about as intellegent as "I can see a worldwide market for 10 computers" or "no properly written program should require more than 128K of RAM" or "no properly designed computer should require a fan".

The reason for this is buried in the subject of this post, it's what I (and others) like to call the "dancing bunnies" problem.

What's the dancing bunnies problem?

It's a description of what happens when a user receives an email message that says "click here to see the dancing bunnies".

The user wants to see the dancing bunnies, so they click there.  It doesn't matter how much you try to disuade them, if they want to see the dancing bunnies, then by gum, they're going to see the dancing bunnies.  It doesn't matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they're going to go and see the dancing bunny.

There are lots of techniques for mitigating the dancing bunny problem.  There's strict privilege separation - users don't have access to any locations that can harm them.  You can prevent users from downloading programs.  You can make the user invoke magic commands to make code executable (chmod +e dancingbunnies).  You can force the user to input a password when they want to access resources.  You can block programs at the firewall.  You can turn off scripting.  You can do lots, and lots of things.

However, at the end of the day, the user still wants to see the dancing bunny, and they'll do whatever's necessary to bypass your carefully constructed barriers in order to see the bunny

We know that user's will do whatever's necessary.  How do we know that?  Well, because at least one virus (one of the Beagle derivatives) propogated via a password encrypted .zip file.  In order to see the contents, the user had to open the zip file and type in the password that was contained in the email.  Users were more than happy to do that, even after years of education, and dozens of technological hurdles.

All because they wanted to see the dancing bunny.

The reason for a platform needing anti-virus and anti-spyware software is that it forms a final line of defense against the dancing bunny problem - at their heart, anti-virus software is software that scans every executable before it's loaded and prevents it from running if it looks like it contain a virus.

As long as the user can run code or scripts, then viruses will exist, and anti-virus software will need to exist to protect users from them.

Comments

  • Anonymous
    July 12, 2005
    So where can I see the dancing bunnies?

  • Anonymous
    July 12, 2005
    I don't know where you can see dancing bunnies, but I know where you can go to see squirrel fishing:

    http://www.utacm.org/gallery/?pid=3946&cid=176

    :)

  • Anonymous
    July 12, 2005
    Larry, I don't completely disagree with your assertions, but I don't completely agree either.

    From an information security perspective, antivirus is REACTIVE in nature to an existing KNOWN threat in which a signature has been built. Antivirus is a poor substitution for security best practices that can significantly reduce and mitigate risks to UNKNOWN attack vectors. AV definitely plays a part in a defense in depth posture, but if an attacker wants to make dancing bunnies do the mambo on a victim's host, they are going to continue to find ways to do so while we rely on reactive technical safeguards like antivirus and antispyware.

    And as you point out, education isn't going to solve it entirely either. The weakest link in security is the human factor, and if someone wants to watch a bunnie dance... they will figure a way to do so.

    So what IS the right answer? Wish it were cut and dry. Least privilege can play a part here. As could virtualization and application containment. However, in the end a well designed mandatory access control system COULD indeed make for a safer computing environment that wouldn't need antivirus or antispyware. Unfortunately, the desktop landscape is not willing to be confined in such a manner. Hopefully the changing security landscape being introduced through things like LUA and application containment in Longhorn will be able to assist us here. We will have to wait and see.

  • Anonymous
    July 12, 2005
    I remember reading that comment, too. I think it was on (surprise, surprise) slashdot, in response to that article about the Channel9 interview with Steve Ballmer.

  • Anonymous
    July 12, 2005
    Dancing bunnies, huh. 300% scale wooden horses, huh. A jedi seeks not these things. A properly designed system includes a user who sees right through the dancing bunny, recognizes the Greek warriors inside, and deletes the email from the server without even downloading it.

    Unfortunately, such a user is rarely seen using a modern consumer OS.

  • Anonymous
    July 12, 2005
    Will people be able to see dancing bunnies on dumb terminals where only programs chosen by the admins are allowed to run(by registry settings)?

  • Anonymous
    July 12, 2005
    So....a properly design system AND a properly designed user? :-)

    Personally, I don't have any anti-anything software on my laptop. Hardware firewalls, text-only mail interface and I run with LUA. So far, so good...

    I don't want no steenking dancing bunnies!

  • Anonymous
    July 12, 2005
    Back in the days where no embedding scripting is there the only way to be infected is by running the executables. (I know there's more kinds of infection strategies nowadays, but this remain the most commonly seen "technique".)

    It makes me think that "lack of automation" can sooner or later be advertised as software "feature" as well. :)

  • Anonymous
    July 12, 2005
    although I agree that there will always be a need for tools to clean up after a system compromise, the need would be greatly mitigated by use of a capability based security model in addition to an accessibilty model. Perhaps this is what is meant by a properly designed system.

  • Anonymous
    July 12, 2005
    skaro:~ james$ touch dancingbunnies
    skaro:~ james$ chmod +e dancingbunnies
    chmod: Invalid file mode: +e
    skaro:~ james$ ./dancingbunnies
    -bash: ./dancingbunnies: Permission denied

    Behold OSX's superior dancingbunnies protection ;)

  • Anonymous
    July 12, 2005
    http://en.wikipedia.org/wiki/Dancing_pigs

    Oh, and 'Secrets & Lies' is a fantastic book. Regardless of whether one agrees with the author or not, it should be read by anyone doing any security-related work in I.T.

  • Anonymous
    July 13, 2005
    Anonymous: Ok, that's it - dancing pigs... This is what happens when you post late at night...

    Dana, you may very well be right. There are some interesting things being done in this space, however :).

    I also forgot to mention that separation and sandboxing DO work on servers - because administrators are less likely to fall prey to the dancing pigs problem.

    I'm going to keep the post as bunnies even though it's the wrong term of art.

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    " but then the machine isn't a PC anymore, it's a computing resource 100% managed by an IT department."

    On this definition most people who have PCs don't need PCs. Many of us would happily accept the occasional visit from (or to) the computer therapist if that meant we were proof against viruses or anything else that makes the system bagadap.

  • Anonymous
    July 13, 2005
    Larry, anti-V and anti-S cannot protect against or repair all of the ills caused by any executable you put on your machine. You are avoiding the real issue which is that the OS network services and common applications like Outlook are the entry points for malicious things that get in despite normal responsible use. No one expects someone to repair or protect against the most overt dancing bunny example, they simply want a system that does not usher the bad guys in through the back door.

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    Unrelated to the previous posts, but why do you list "no properly designed computer should require a fan" as an unintelligent comment?

    I consider one of the biggest failings of modern desktops is the fact that they waste so much energy that they require fans.

    Hopefully we will soon move back to a world w/o fans. In fact I think computers should have no moving parts. Much higher reliability. Thankfully the vast majority of computers int the world today don't have fans, only desktops and servers do, so there is hope.

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    Vince, I was hoping someone would notice that one :)

    It comes from an industry luminary who designed a computer with this design philosophy. Unfortunately, the tolerances for this computer were such that putting a piece of paper on top of the computer would cause it to melt down.

    Low power consumption and low heat are wonderful goals. But to say that a computer is flawed because it has a fan...

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    But your ibook has a fan. In the eyes of that luminary, it's a flawed design. It should be able to handle all normal use without it.

    Rob: Who said anyting about the web browser? The user received an email that said: Save this java file on your hard disk and run it. When the security popup comes up, be sure to click "yes" or you won't see the bunny. On some machines, you'll need to disable the firewall, to do that, you do this.

    And they quite happily do that, and install the root kit.

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    Here's a free version of a software product for end users using Windows Desktops that uses virtualization to solve end user problem of dancing bunnies

    http://www.greenborder.com/downloads/tdThankyou.html

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    I've read all those posts suggesting that the solution to the malware problem is to add hurdles so the user cannot run the malware without confirming they want to in any number of ways. You've all absolutely missed the reason that antivirus software is a better solution than anything you've suggested.
    The "solutions" suggested here all pose hurdles to the user for legitimate use as well as when malware is involved. Those hurdles are likely to cause:
    a) first frustration
    b) second an automatic, undiscerning, mechanical response after the hurdle is seen a few times - eventually offering no protection at all
    Antivirus software is superior. It offers little interference during legitimate use. The user is more likely to be surprised and take notice of warnings when they occur. The warnings can be worded in a very strong way because they're only displayed when it is incredibly likely that malware is involved. The user is usually not presented with any way to bypass the protection because it is almost certain that malware is present.

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 13, 2005
    Larry Osterman said:
    > Who said anyting about the web browser? The user received an email that said: Save this java file on your hard disk and run it. When the security popup comes up, be sure to click "yes" or you won't see the bunny. On some machines, you'll need to disable the firewall, to do that, you do this.

    There has to become a point where the user realises that they are having to jump through too many hoops and what they are doing is wrong. Maybe I'm being too optimistic and there will be a day of carnage when someone spams these types of people saying "flicking the voltage level switch on the back of your computer will double its performance." Maybe evolution taking effect to remove these people from the computer equivalent of the gene pool?

    I still hold that any child processes of an internet application (web browser, email client, news reader, whatever) should be run with reduced privileges.

  • Anonymous
    July 13, 2005
    The comment has been removed

  • Anonymous
    July 14, 2005
    The comment has been removed

  • Anonymous
    July 14, 2005
    Never underestimate the ingenuity of complete fools.

  • Anonymous
    July 15, 2005
    The comment has been removed

  • Anonymous
    July 15, 2005
    The comment has been removed

  • Anonymous
    July 15, 2005
    Except they do get it on their computers.
    http://www.proudlyserving.com/archives/2004/11/all_my_base_are.html

  • Anonymous
    July 15, 2005


    the argument I'm hearing here is that the only security vulnerabilty that Outlook, and by extension I suppose Outlook express, has is that users open attatchments. This is so obviously not true that I am worried that the people making it are on Microsoft supplied drugs. This is the implication of the blog post, but it also a statement made by various commenters. This is so much bull, do I actually have to compile a list of links here to various Outlook vulnerabilities over the years that did not require anyone to open any attachment?

  • Anonymous
    July 15, 2005
    how about this list, boy so many vulnerabilities.

    http://www.google.com/search?hl=en&lr=&c2coff=1&q=outlook+vulnerability++site%3Akb.cert.org&btnG=Search

  • Anonymous
    July 16, 2005
    Vince,
    As regards CPU fans, intel didn't trust OEMs to calculate the correct heatsink so they supplied fans with the CPUs so it didn't matter.

  • Anonymous
    July 17, 2005
    "a) lock down workstation configuration (including Software Restriction Policies)
    b) use Windows DRM
    It's really not that hard (especially with MS software)"

    Have you actually deployed either of those two technologies in a production environment, larger than your testing lab? The technology isn't ready yet and the industry isn't supporting them. Token effort, with no follow through.

    JJ


  • Anonymous
    July 19, 2005
    Secrets and Lies... interesting title. There's another book called that by some guy Schneier as well. I prefer the first one (see URL)

  • Anonymous
    July 21, 2005
    The comment has been removed

  • Anonymous
    September 19, 2005
    The comment has been removed

  • Anonymous
    August 18, 2006
    Raymond today has a discussion up about the folly of trying to set security with a granularity of per-DLL. ...

  • Anonymous
    March 13, 2007
    PingBack from http://winblogs.security-feed.com/2005/07/13/beware-of-the-dancing-bunnies/

  • Anonymous
    May 06, 2008
    PingBack from http://dancingbunnies.wordpress.com/2008/05/06/so-why-dancingbunnies/

  • Anonymous
    November 12, 2008
    PingBack from http://blog.radvision.com/codeofcontact/2008/11/12/secure-system-secure-user/

  • Anonymous
    June 14, 2009
    PingBack from http://cutebirdbaths.info/story.php?id=561

  • Anonymous
    June 16, 2009
    PingBack from http://fixmycrediteasily.info/story.php?id=1977

  • Anonymous
    June 18, 2009
    PingBack from http://gardendecordesign.info/story.php?id=4295

  • Anonymous
    June 19, 2009
    PingBack from http://mydebtconsolidator.info/story.php?id=22971