Tuesday, August 11, 2009

The Other Cause of Security Problems

Well, like clockwork we see blog posts and news articles about some new virus, some new kind of malware, a brand new security exploit. I use Linux to avoid this sort of thing, because it's secure by design. But also, I'm a smart person, so I'm not likely to be fooled by the tricks malware authors use to compromise systems. I read this article by Katherine Noyes on Linux Insider just a few minutes ago, which touched on one of the biggest reasons that there are so many computer problems these days. Yes, the 85+ percent market share held by Windows is the main contributor, but it shouldn't hog all the infamy for that.

What's the other reason? There are too many idiots using computers. Yes, that's right. Most people aren't smart enough to use their computers properly. Sure, they can use the mouse, keyboard, and know how to do word processing, email, browsing, play music and watch videos. But beyond that, most users don't give a second thought to keeping their computer secure, keeping it up to date, or maintaining it. Not convinced about users not being smart enough for computer use? Read these quotes from the article linked above:

"the Velma problem, which I named after a customer who you could actually send an email to that said, 'turn off your antivirus and look at these puppy pictures!' -- with a file attached called 'happy_puppy.jpg.exe' -- and she would run it, every single time,"

"The worst case I had was a guy that would run ANYTHING that had the word 'lesbians' in it," he added. "The antivirus could scream, the antispyware would do everything but throw itself in front of the guy trying to stop him, and he would ignore or even turn off all his defenses to run 'hot_lesbians.mpg.exe'."

You think that's bad? I have a friend who has to fight his family on computer security issues. He once told off his little sister that she shouldn't be downloading screensavers and eye candy programs from the massive file download websites because they're usually ridden with viruses. She dismissed her brother's well-meaning criticism, saying that the risk is worth it. It is THAT kind of attitude, deliberate ignorance, that makes all of the security problems in the world far, far worse.

So, what can we do to improve security? I say we should add more to the computer classes in our K-12 public education, and make computer security practices mandatory for graduation. Give presentations to classes, so when the kids go home they repeat what they learned to their parents.

That, and require ISPs to take more responsibility for the system security of their customers, by setting up their routers to automatically detect suspicious activity, such as botnet-instigated spam and Denial of Service attacks. That, and requiring all customers to maintain at least basic security.

Many others feel the same way about this problem and the possible solutions. Unfortunately, we come to the thorny issues of time, money, and politics. To get security into public education, and to put more requirements onto ISPs, the government must be persuaded to implement these solutions and write the necessary laws. To any readers out there, start by contacting your local government. That's where it starts. And if any politicians are reading this, you know what to do!