Tuesday, August 11, 2009

The Other Cause of Security Problems

Well, like clockwork we see blog posts and news articles about some new virus, some new kind of malware, a brand new security exploit. I use Linux to avoid this sort of thing, because it's secure by design. But also, I'm a smart person, so I'm not likely to be fooled by the tricks malware authors use to compromise systems. I read this article by Katherine Noyes on Linux Insider just a few minutes ago, which touched on one of the biggest reasons that there are so many computer problems these days. Yes, the 85+ percent market share held by Windows is the main contributor, but it shouldn't hog all the infamy for that.

What's the other reason? There are too many idiots using computers. Yes, that's right. Most people aren't smart enough to use their computers properly. Sure, they can use the mouse, keyboard, and know how to do word processing, email, browsing, play music and watch videos. But beyond that, most users don't give a second thought to keeping their computer secure, keeping it up to date, or maintaining it. Not convinced about users not being smart enough for computer use? Read these quotes from the article linked above:

"the Velma problem, which I named after a customer who you could actually send an email to that said, 'turn off your antivirus and look at these puppy pictures!' -- with a file attached called 'happy_puppy.jpg.exe' -- and she would run it, every single time,"

"The worst case I had was a guy that would run ANYTHING that had the word 'lesbians' in it," he added. "The antivirus could scream, the antispyware would do everything but throw itself in front of the guy trying to stop him, and he would ignore or even turn off all his defenses to run 'hot_lesbians.mpg.exe'."

You think that's bad? I have a friend who has to fight his family on computer security issues. He once told off his little sister that she shouldn't be downloading screensavers and eye candy programs from the massive file download websites because they're usually ridden with viruses. She dismissed her brother's well-meaning criticism, saying that the risk is worth it. It is THAT kind of attitude, deliberate ignorance, that makes all of the security problems in the world far, far worse.

So, what can we do to improve security? I say we should add more to the computer classes in our K-12 public education, and make computer security practices mandatory for graduation. Give presentations to classes, so when the kids go home they repeat what they learned to their parents.

That, and require ISPs to take more responsibility for the system security of their customers, by setting up their routers to automatically detect suspicious activity, such as botnet-instigated spam and Denial of Service attacks. That, and require all customers to maintain at least basic security.

Many others feel the same way about this problem and the possible solutions. Unfortunately, we come to the thorny issues of time, money, and politics. To get security into public education, and to put more requirements onto ISPs, the government must be persuaded to implement these solutions and write the necessary laws. To any readers out there, start by contacting your local government. That's where it starts. And if any politicians are reading this, you know what to do!


  1. No, you can't solve this with more laws. You can't outlaw stupidity. These laws would be unenforceable. The examples of willful self-sabotage in your article illustrate that beautifully.

    On the other hand we also perpetuate this situation ourselves. Who has never helped a friend or relative clean up the malware mess on an infected Windows machine? For free.

    Every time we clean up a mess caused by willful stupidity or ignorance for free, we perpetuate the culture that you don't need to know how to maintain a computer. Computer maintenance is badgering your local geek to clean up the umpteenth mess.

    If malware issues are to stop, we need to practise tough love. No more cleaning up for free. No more sparing of feelings.

    Why is Linux still secure? One half is sane defaults. The other half is tough love. Typing in rm -rf / as root will get you ridicule instead of pity when you whine that you lost all your files and OS. Making wild_Nude_Picture_Of_Celebrity executable and getting owned after running, will get you an explanation that you shouldn't run any unknown piece of code and expect only good things. Do the same thing again and you'll be called a dumb ass. Nice? No. Effective? Oh yeah.

    We need to duplicate that culture in the Windows circles. Deliberately shirking responsibility should be met with ridicule. People need a real incentive to not act like a brainless monkey. Legislation is rarely effective. Peer pressure on the other hand can move mountains.

    The only thing that I see that government could do that would be highly effective would be to mandate minimum pricing on malware removal. Make sure that shops can't charge less than $150 for a removal session. Let's see if people still say it's worth it to run the risk of malware infection.

    In essence, stupidity should hurt.

  2. Why would I outlaw stupidity? Doing so is in and of itself stupid. I was proposing laws to counteract ignorance and irresponsibility. However, you do have several good points. It is a cultural problem. Also, that minimum price of $150 is not going to solve anything. I can understand the reasoning behind it, but in this economy it is very irresponsible. I know that in my household paying such a price would mean going a month without groceries. And there are many households that are even worse off than I am. What you'll be doing is just encouraging people to go to geeks to fix the computers for free.

    On the other hand, if the minimum price for removing malware is higher, then a person is more inclined to appreciate the free malware removal they get from the local geek, and therefore would be more inclined to listen to the geek about how to prevent the malware problem from occurring again in the future. Though, if the person's just going for the free service because they're a cheapskate, then of course they will not appreciate it.