Of course users are, but I am loath to engage in too much blame there. Remember, it's easy to blame the victim and also not productive.
The persons most to blame are, of course, the virus writers. Let us not forget that viruses and worms are not acts of nature. They are not like earthquakes or storms. They don't just happen. They happen because someone wrote them.
After that, the people to blame next are the ones who wrote the sloppy code, which allows such a thing to be made in the first place. Bugs aren't acts of nature, either. They're there because someone screwed up. I'm a software engineer, and I find myself blaming most of the people who wrote the bugs and those who didn't fix them. Then I remind myself of what I wrote in the previous paragraph. However, I think that software developers have a responsibility to write programs that aren't exploitable like that.
Certainly, the people who open an attachment are at least a little to blame, but they're hardly alone. A few years ago, when one of these e-mail viruses circulated around, a friend of mine accidentally unleashed it on his company. It was an accident -- a momentary lapse of reason -- one of those dumb things we've all done. Blame or not, the people who open these attachments are victims of a crime. Someone who walks down a dark alley may have in some sense been asking to get mugged, but that hardly absolves the mugger.
In my mind, it also doesn't absolve the people who made the alley or those who didn't light it, if I'm not stretching that metaphor too much. Perhaps it's the software developer in me, but I am appalled that we're still having these problems. How many years has it been since viruses started spreading through attachments and a con to get someone to run them? Five years? 10 years? More? Why aren't there blade guards on e-mails? It seems to me that there's an obvious answer to that: Addressing insecure software isn't on the priority list of the developers who write the e-mail client, their product managers or their management. There has been enough time for them to fix these issues or at least come up with workarounds. Yet, these insecurities have been there so long that we end up blaming the victims more and more.
I suppose while I'm at it, I also ought to rail against the sys admins who still allow attachments with extensions of .EXE, .SCR, .PIF, .BAT and so on, too. I've blocked those from my e-mail systems for years. Alas, because of Mydoom, I've also put in a filter that blocks zip files, too, but I'll probably remove that one in a few weeks.
Bugs don't just happen. Worms don't just happen. But, double-clicking something you didn't mean to does. I've done it -- just never to malware. I'll bet you have, too.
For more info on this topic, please visit these SearchSecurity.com resources:
This was first published in February 2004