Social Contracts on Internet Security

Everyone, and I mean EVERYONE, tells you that the best thing you can do for yourself and others if you have a Windows system on the Internet is to run anti-virus software and keep your patches current.  Otherwise your system can be a nuisance to others, as it is broken into and used as a bot to attack others.

That doesn’t work so well when the anti-virus software causes the user problems.  These systems take a performance hit, that is for sure.  But they can have bugs as well, as this page from McAfee demonstrates.  What has happened here is that a program called “McScript_InUse.exe” has gone crazy, pegging the system’s CPU.  Not only does this kill the performance of every other application on the system, but it can also have an impact on your energy bill, because a CPU at 100% utilization means that it will run faster, with more fans on and more cooling required.

McAfee cannot be condemned for having bugs in their software, even though it is ironic that they exist in large part because Microsoft Windows has bugs that are taken advantage of.  It nevertheless brings up the question of whether such active scanning technology is the right approach, or whether we have to do better at providing underlying security.  The extreme version of this would be provably secure programming, a field to which Dr. Gene Spafford (a network legend) has devoted his career.

In the meantime, however, we have to hold McAfee to a higher standard, just as we should Microsoft.  When people believe that they will be harmed by the very software that is meant to protect them and others, especially when the more negative consequences impact others, they will not upgrade.  We discussed this with the ETH Study some time ago, and now we can expect additional consequences.