TomsTechBlog.com

It's hard to say these days

Last I speak of this, I swear it!

December 13, 2007 19:10 by Tom

Jon Galloway has a nice rebuttal of the article from yesterday.  You can read it here (too much good stuff to even bother trying to quote).



Dumb Security Ideas

December 13, 2007 13:47 by Tom

Wanted to follow up on a few things from yesterday.  First, to an extent, I owe Mr. Atwood an apology.  I still stick by everything I said yesterday but I think the tone was wrong.  The truth is, while I still think his post was ridiculous, it wasn't completely without merit and any idea with merit deserves to be treated fairly and with an open mind.  So to the extent that I didn't do that I'm sorry.

Another point from yesterday comes from the comments to Mr. Atwood's post.  The commenter wrote...

Jeff hit idea #2 of the six dumbest ideas in computer security: http://www.ranum.com/security/computer_security/editorials/dumb/ and I totally agree. It is just a scaling issue.

The link leads to an article by Marcus Ranum who claims to be "a renowned expert on security design and implementation" who was "the implementor of the first commercial firewall" (he spelled implementer wrong not me).  For the record, I don't know if those claims are true or not and the reason I put them in quotes was only because I couldn't find any verification for them aside from Wikipedia.  

Anyway, in a post entitled "The Six Dumbest Ideas in Computer Security" he lays out "idea #2" for us...

Why is "Enumerating Badness" a dumb idea? It's a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness. For every harmless, legitimate application, there are dozens or hundreds of pieces of malware, worm tests, exploits, or viral code. Examine a typical antivirus package and you'll see it knows about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I've installed on my machine, and you can see it's rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness. In fact, if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run, I would have simultaneously solved the following problems:

  • Spyware
  • Viruses
  • Remote Control Trojans
  • Exploits that involve executing pre-installed code that you don't use regularly

Thanks to all the marketing hype around disclosing and announcing vulnerabilities, there are (according to some industry analysts) between 200 and 700 new pieces of Badness hitting the Internet every month. Not only is "Enumerating Badness" a dumb idea, it's gotten dumber during the few minutes of your time you've bequeathed me by reading this article.

The basic flaw in Mr. Ranum's theory is that he's living in the 80s, when every application was on the desktop and every communication was 1-to-1 over a modem.  The web allows people to use applications that their administrators wouldn't have even dreamed of, and it allows them to do it in packets that are often encrypted.

More to the point everyone's addiction to the web keeps administrators from blocking most sites outright.  I would love to live in a world where I could specify what sites users were allowed to visit and block all the rest but that isn't the world we live in.

Given that fact, I'd argue that web data, specifically secure web data, can't be enumerated.  This leads me to Mr. Ranum's next point...

Now, your typical IT executive, when I discuss this concept with him or her, will stand up and say something like, "That sounds great, but our enterprise network is really complicated. Knowing about all the different apps that we rely on would be impossible! What you're saying sounds reasonable until you think about it and realize how absurd it is!" To which I respond, "How can you call yourself a 'Chief Technology Officer' if you have no idea what your technology is doing?" A CTO isn't going to know detail about every application on the network, but if you haven't got a vague idea what's going on it's impossible to do capacity planning, disaster planning, security planning, or virtually any of the things in a CTO's charter.

Well, I don't think CTOs are saying they don't know what apps they rely on; I think what they are saying is that they can't limit what web apps a user uses to only the ones that are business related.  Everyone in most companies, including senior management, uses the web for personal purposes at this point, and most of that usage is over the corporate network.

Anyway, I've already spent far too much time on this.  I don't know why it annoyed me so much but I think it has something to do with the prevalent attitude in the blogosphere that "we're right and everyone else is an idiot".  So Jeff Atwood can contradict decades of conventional wisdom with no real explanation as to why he thinks almost every other security expert in the world is either an idiot or a liar and no one questions it.  When people do that without even acknowledging how crazy their idea sounds it makes it seem like the blogosphere isn't a place for serious debate and that annoys me.



Anti-Virus software is pointless?

December 12, 2007 16:55 by Tom

I've always thought of Jeff Atwood as one of the smarter bloggers out there but his most recent post on Virus Scanners borders on lunacy.  In a nutshell he says they're completely unnecessary if you just run your PC under a non-Administrator account.

Let me preface this with a little background: I am the administrator of an organization with around 190 computers (the number varies depending on how many employees we have at any given time).  With very few exceptions, no one has Administrator or even Power User privileges (the few exceptions being where it was necessary, such as our payroll program, which requires that it be run under an admin account).  We use both Norton Anti-Virus Corporate Edition and Webroot's Spy Sweeper on every workstation.

That said, let me quote Mr. Atwood so you can get his whole point...

The performance cost of virus scanning (lose 50% of disk performance, plus some percent of CPU speed) does not justify the benefit of a 33% detection rate and marginal protection. I would argue the illusion of protection is very, very dangerous as well.

Ask yourself this: why don’t Mac users run anti-virus software? Why don't UNIX users run anti-virus software? Because they don't need to. They don't run as administrators. Sadly, the cost of running as non-admin is severe on Windows, because MS made some early, boneheaded architectural decisions and perpetuated them over a decade. But the benefit is substantial. There's almost nothing a virus, malware, or trojan can do to a user who isn't running as an administrator.

I believe we should invest our money, time, and effort in things that make sense, things that work. Things like running as a non-administrator. And we should stop wasting our time on voodoo, which is what anti-virus software ultimately is.

He then corrects himself right after the above paragraph saying...

To be fair, anti-virus software is more effective than I realized. In the August 2007 Anti-Virus Comparatives, the lowest detection rate was 90%, and the highest was 99.6%.

That alone should be reason enough not to listen to him on this.  Someone who is that far off is obviously not an expert in the field.  But putting that aside, let's address the Mac/Unix point.  Mac and Unix machines aren't targeted by virus writers because their install base is so low, and that's pretty much an established fact.  There has already been a "proto-virus" that proved OS X could be infected, so the idea that they are immune doesn't hold much water.

Which brings me to my biggest point: you don't need to be an administrator to destroy user files.  Let's be logical here: a malicious virus has two goals, (A) to compromise the machine so it can spread and (B) to do damage to the machine's valuable files.  I can tell you from personal experience that a limited account can still run scripts and it can still send e-mails, which means it can still do everything that a virus would need it to do.

Remember, a virus doesn't need to destroy system files to be effective!

I don't know.  I honestly had to think long and hard about posting on this because the idea is just so preposterous to me that I was afraid it would turn into an attack post.  The only reason I decided to go ahead was that I didn't want to see some young IT person go around pushing this idea and get fired for doing so.  Let me make that point in closing: if you are an IT person who thinks he/she can run a network without virus protection, you will get fired!  Because if anything goes wrong you'll have no defense for yourself.

"I know every bit of professional guidance says you need security software but this guy with no obvious security experience wrote on his blog that it was unnecessary..." 

Not going to go over well.

Mr. Atwood makes another point about blacklists, but I'm going to save that for a later post because I think it justifies its own post.

Addendum: For the record, he is right about security software being a performance hog, and that is a significant problem, but certainly not one that justifies ignoring security altogether.



About Me

Not really relevant right now.  This blog is on hiatus.  I really haven't decided if it is an indefinite hiatus yet.

For the record, if you've tried to e-mail me over the last 4 to 6 months I didn't mean to ignore you.  The e-mail forwarding isn't working and I didn't realize that until months' worth of e-mails had been deleted on forward.  The tom@tomstechblog.com address still won't forward to the postmaster account and I don't know why, because it's provided by the webhost.  But if you're one of my old blog pen pals I would always welcome an e-mail from you at the postmaster@tomstechblog.com address.

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2013