Free Republic
News/Activism

Joe Average User Is In Trouble
The Register ^ | 10/27/03 | Scott Granneman

Posted on 10/27/2003 4:42:42 AM PST by Salo

Opinion

One of the many hats I wear here in St. Louis is that of college instructor, writes SecurityFocus columnist Scott Granneman. I teach courses in technology at Washington University, recently ranked the ninth best overall college in the nation by U.S. News & World Report, and at St. Louis Community College at Florissant Valley, one of the better community colleges in the area. I teach smart people at both locations. One is composed of folks who can pay the high prices for an education at a nationally-ranked university, and the other has people who work during the day and want to improve their skills at a good public school while keeping their costs low.

In other words, I see a pretty good cross-section of the computer users in our area.

Oh sure, some of my students are what we'd call "computer people," who work professionally programming or administering various systems or developing Web sites. But those are few and far between. Most of my students are office workers, or writers, or homemakers. Almost all of them run Windows at home and at work, usually ME or XP. They all know how to "use" their computers, which means that they can write papers, read email, use the Web, and even install software (as long as it's not packaged as a ZIP file: most of them have no idea what a ZIP file is or how to use it). In other words, your typical American computer user.

I'm here to tell the security pros reading this that we are in deeeeeep trouble when it comes to securing the computers of these people.

Security is just not a concept that "normal" folks focus on. It's not even on the radar screen. It's just not thought about at all.

The problem

"Do you update your anti-virus software regularly?" I'll ask them. Most look at me as though I'd just asked them if they refloozle their hossenblobbets with tinklewickets. A few will tentatively volunteer a timid, "I ... think so?" Some are willing to admit that they don't even have anti-virus software. At least they're sure.

"Do you run Windows Update regularly?" I'll ask next. Hmmm ... those hossenblobbets really do need refloozling. Some state that yes, they do run Windows Update, but they have no idea what it is doing to their computer, so they just agree to everything and assume it's all good. Most say they've never done it once, if they even know what it is.

"Do you have DSL or a cable modem at home?" is my next question. Ah, finally! A question they can all answer. They know the answer to this one! About half usually have some sort of broadband connection, and they are enthusiastic in their answers: "Yes, I do! You betcha! Love it!"

"Great!" I continue. "Do you have personal firewall software running on your computer? Do you have a router/firewall so your Windows machine isn't directly connected to the Internet? Did you remember to turn off file and printer sharing if your Windows machine is directly connected to the Internet?" A pause ... and we're right back to hossenblobbets and tinklewickets.

It's enough to make someone who cares about security throw up his hands in frustration and just give up.

Especially when we look at the unending stream of patches that has been flooding from Redmond, Washington over the past couple of days ... uh, weeks ... uh, months ... oh, the heck with it: years. Just last week Microsoft announced a mega-patch for five security vulnerabilities deemed "critical". Windows Server 2003, which Microsoft promised would be its most secure OS yet, has already had nine security bulletins issued for it. Windows XP, the flagship desktop OS for home and business users, has released patch after patch after patch, as a search at the SecurityFocus Vulnerability Database will disclose. To top things off, some of Microsoft's patches are themselves buggy, requiring further patches and updates to fix these patches.

It is a huge - and growing - problem for IT professionals at businesses to keep up with all the patches Microsoft issues. How, then, are non-professionals supposed to deal with the problem? More importantly, how are security pros supposed to deal with the bigger problem: that non-pros don't deal with the problem?

Solutions?

We can't just ignore the problems with insecurity that our non-IT friends, family, co-workers and acquaintances have with their computers. If their machines are compromised, we feel the effects, whether we realize it or not.

We feel the effects when we end up spending several hours each week doing pro bono IT work at the homes of the people we know (I've tried sending my Mom a bill, but she never pays, the deadbeat).

We feel the effects when the Internet slows to a crawl due to a sudden explosion of traffic caused by a particularly-virulent virus or worm.

We feel the effects when we get even more spam, sent from compromised zombies to everyone else on the Net, or when those zombies are used in DDOS attacks on anti-spam Web sites.

We feel the effects when zombies owned by our unknowing friends and family are used to secretly host scams, or porn sites ... or worse.

In my angrier moods, I sometimes think that we should require licenses to operate computers, just like we require licenses to drive automobiles. I know that such a plan would never work in the real world, but it's a pleasant fantasy all the same.

So what can be done? First of all, Microsoft desperately needs to improve the underlying security of their products. As I talked about in my last column, there are fundamental problems with the way that Microsoft designs its systems. Email programs that contain embedded Web browsers that are themselves embedded into the operating system are disasters waiting to happen. Microsoft makes it too easy for people to do stupid things with its software, and it needs to remedy that.

Further than that, Microsoft needs to improve the way that its operating systems are updated and patched. A recent decision to consolidate patches into a monthly release is not, however, the way to go. Sure, on the one hand it makes things easier for the security pro who now only has to download and apply a mega-patch once a month. But, on the other hand, do you really feel like waiting three weeks until the next mega-patch comes out, hoping and trusting that you don't get bit in the meantime? And do you think your grandmother is going to remember to install that monthly patch? I can just see it now: "Hi, Grandma. Yeah, I'm doing fine, and so's the dog. Sure, cookies would be great! Hey, did you remember to install your Microsoft mega-patch yesterday?"

To counter the immense problem of the millions of people who never install personal firewall software, Microsoft bundled an extremely simplistic "Internet Connection Firewall", or ICF, with Windows XP. Unfortunately, ICF is turned off by default, and it's hard for users to find if they do want to enable it. Even worse, ICF only blocks incoming traffic, so Trojans that try to phone home are in the clear. Evidently Microsoft is going to improve ICF in future versions of Windows, including future shipping copies of XP (which is good, considering that the next major version of Windows, code-named Longhorn, isn't going to see the light of day until 2005 at the earliest). It's going to be enabled by default, which is a good start, but there's no word about blocking outbound traffic at this point.
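The two points above (a machine directly on the Internet with file and printer sharing left on, and an inbound-only firewall that lets a Trojan phone home) can be shown with a small policy model. This is an added example, not code from the column or from Microsoft's ICF; the sample connections, the program names and the port choices (445 for SMB file sharing, 6667 for the hypothetical Trojan's call-out) are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    label: str       # name used in the results table
    direction: str   # "in" (unsolicited, from the Internet) or "out" (started locally)
    dst_port: int
    process: str     # local program involved


def no_firewall(conn, **_):
    """Machine directly on the Internet with nothing filtering: everything passes,
    including probes of file and printer sharing on port 445."""
    return "allow"


def inbound_only(conn, allowed_in=frozenset(), **_):
    """Inbound-only filter, like the ICF behaviour the column describes:
    unsolicited inbound connections are dropped unless the port was opened,
    but every outbound connection is allowed, whatever program makes it."""
    if conn.direction == "out":
        return "allow"
    return "allow" if conn.dst_port in allowed_in else "block"


def bidirectional(conn, allowed_in=frozenset(), allowed_out=frozenset()):
    """Filter with egress control: outbound connections are allowed only for
    (process, port) pairs on an explicit list, so an unknown program trying
    to reach the Internet is blocked and can be noticed."""
    if conn.direction == "in":
        return "allow" if conn.dst_port in allowed_in else "block"
    return "allow" if (conn.process, conn.dst_port) in allowed_out else "block"


# Constructed sample traffic (not captured from a real machine).
SAMPLE = [
    Conn("browser",    "out", 80,   "iexplore.exe"),  # normal web browsing
    Conn("mail",       "out", 110,  "outlook.exe"),   # POP3 mail fetch
    Conn("smb-probe",  "in",  445,  "system"),        # Internet host probing file sharing
    Conn("phone-home", "out", 6667, "trojan.exe"),    # hypothetical Trojan calling out
]

# A sensible allow list for a home machine: no inbound ports at all,
# outbound only for the browser and the mail client.
ALLOWED_OUT = frozenset({("iexplore.exe", 80), ("iexplore.exe", 443), ("outlook.exe", 110)})


def evaluate(policy, conns=SAMPLE, allowed_in=frozenset(), allowed_out=ALLOWED_OUT):
    """Return {label: decision} for every sample connection under one policy."""
    return {c.label: policy(c, allowed_in=allowed_in, allowed_out=allowed_out) for c in conns}


if __name__ == "__main__":
    for policy in (no_firewall, inbound_only, bidirectional):
        print(f"{policy.__name__:>13}: {evaluate(policy)}")
```

Running it shows the progression the column describes: with no filter the SMB probe reaches the file-sharing service; the inbound-only policy stops that probe but still lets `trojan.exe` connect out; only the policy with an outbound allow list blocks the call-out, at the cost of the user having to approve each new program that wants the network.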

To counter the immense problem of the millions of people who never install or update anti-virus software, Microsoft recently purchased GeCAD, a small Romanian anti-virus software company. Microsoft hasn't made it clear how deeply it intends to get into the anti-virus business, and analysts are divided, with some sure that Microsoft will eventually challenge Symantec and McAfee and the other large AV vendors, and others arguing that Microsoft just intends to get a better handle on improving the security of the Windows platform. I suspect that Microsoft hasn't yet decided what it wants to do on this front. Forcing AV software onto end users is a good thing, but I would really hate to see Microsoft destroy another software market by bundling new capabilities into the OS (the same concern applies to personal firewalls in the previous paragraph).

To counter the immense problem of the millions of people who still do careless things with their email, like open attachments they weren't expecting, Microsoft is making changes to the way its corporate email program Outlook behaves (including, however, the addition of odious DRM (digital rights management) features that will cause more problems than they solve). These are good changes, but let's see what happens once Outlook has been in the real world for a few months. I hope that the days of constant security issues with Outlook are over, but I'm taking a skeptical wait-and-see attitude, an attitude that seems entirely justified, based on one bizarre "feature" that the brand new program displays. Oh, by the way: if you or someone else you know uses the free Outlook Express, you're out of luck. Microsoft has no plans to improve it any further. If you know someone using Outlook Express, get them onto something else ASAP, like Mozilla Thunderbird.

To counter the immense problem of the millions of people who never run Windows Update (or Office Update, for that matter), Microsoft will probably install patches and updates automatically, by default. This makes me nervous, to say the least, since Microsoft has a history of releasing patches that don't work, or cause new problems, or require updates for the patches themselves. And personally, I don't like anything automatically installed on my machines. I want to be in control. But for the great mass of computer users out there, I think it's a solution that is unfortunately necessary. If people won't do it themselves, then it needs to be done for them. Let's just hope it works smoothly.

An unrequested but necessary responsibility

Microsoft can do a lot, but it's still the folks in the trenches who are left with the hard work and the dirty jobs. Yeah, I'm talking to you, the security professional reading this column. You and I have a lot left to do. We bear some of the blame for this mess by both mistaken actions and inactions but, more importantly, and more unfortunately, we bear most of the burden. Even if we don't want to, we're going to have to work with the people around us to help improve this pretty awful situation.

I know a lot of you are already performing what feel like the labors of Hercules. You're providing the free tech support that I mentioned above. You're spending hours downloading and installing patches, and cleaning up for folks when their computers become bewitched, bothered, and bewildered. You're the one driving out to CompUSA to buy a router/firewall when your parents get that new DSL connection. And you're the one patiently explaining yet again to yet another person why they need to install anti-virus software.

But we can do more. No, we must do more.

Because, like it or not, Windows ain't going away for a while. Probably not ever, totally (calm down, Linux and Mac OS X users - I'm on your side, but let's be realistic here).

We've got to do more, because who else is going to do it? Microsoft claims it's working as hard as it can to improve the security of its products, but the success of that claim is, to put it politely, debatable. Besides, as we all know security is one big chain that is only as strong as its weakest link, and the weakest link is always ... the people. Microsoft can work and struggle to give its software a secure foundation, the same strong foundation that much open source software already has, but as long as it makes it easy for smart people to do dumb things, we're always going to have a problem. So it's up to us, the people reading this column, the smart people who try to do smart things, to help the great mass of computer users.

And what's the greatest help we can offer them? It's simple, really: education.

We've got to educate our parents, our other family members, our boyfriends and girlfriends, our wives and husbands and partners, our in-laws, our friends and acquaintances, our co-workers, and even the people we just bump into for a few moments at parties. We need to be polite, non-threatening, non-judgmental, and above all, helpful. We can't be zealots. Our answer to every problem can't be "Run Linux!" or our other favorite operating system (unless the individual we're talking to is interested in such a solution, then by all means, go for it). We can, however, recommend (and install, and support ... *sigh*) software that will run on their operating systems and is built in a more secure fashion, like Mozilla or OpenOffice, if that software is appropriate. Most importantly, we need to speak in a language that Joe or Jane User can understand. No hossenblobbets and tinklewickets.

Going back to my classes at Washington University in St. Louis and St. Louis Community College, I always spend time with my students educating them about various issues in security. I try to impress upon them the importance of anti-virus software, and Windows Update, and firewalls, both hardware- and software-based. If they have a broadband connection, I take some time to talk about the advantages it brings, but also about the dangers, and how they can protect themselves against those dangers. And you know what? My students are genuinely interested in what I can tell them, and most of them think about what I've said and actually act on it.

I can't teach my students everything, but I try to teach them something. Every security professional needs to do the same. We're at the forefront, like it or not, and it's up to us to help lessen the myriad of problems we see around us. Like it or not, we need to become educators - permanent educators - or we may find ourselves refloozling those hossenblobbets with tinklewickets one too many times.

Copyright © SecurityFocus


TOPICS: Business/Economy; Technical
KEYWORDS: computersecurity
To: FreedomPoster; Lee'sGhost
You ever hear of AVG (www.grisoft.com), FreedomPoster?

First I ever heard of it was last month, when one of my support circle got their computer hosed by something (still not sure what).

Freeware, and seems to be on the up-and-up.

The biggest thing is that people will pay for a year of Norton or McAfee, and then stop. We all know how useful an out-of-date DAT file is. ;-)

Getting the ordinary user to use a freeware AV package seems to be the best bet to me.

21 posted on 10/27/2003 5:46:09 AM PST by an amused spectator
(In reply to #17)

To: John Robinson; B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; ...
The Penguin Ping.

Wanna be Penguified? Just holla!

     .-.
     /v\    L   I   N   U   X
    // \\  >Phear the Penguin<
   /(   )\
    ^^-^^

Got root?

22 posted on 10/27/2003 5:46:26 AM PST by rdb3 (We're all gonna go, but I hate to go fast. Then again, it won't be fun to stick around and go last.)
(In reply to #2)

To: E Rocc
Being an IT guy, I sometimes get requests to come to people's houses and work on their computers. I tell them to bring the computer to me and I'll look at it. No one has ever taken me up on it. They don't want to admit they can't disconnect their computer. I figure they don't need a computer anyway. All these people playing with computers are causing the problems on the internet.

Imagine if you drove a car but didn't want to bother learning how to use the brakes or the seat belt. Everyone should have a basic understanding of how to protect their computer.

23 posted on 10/27/2003 5:47:11 AM PST by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
(In reply to #19)

To: Salo
We've got to educate our parents, our other family members, our boyfriends and girlfriends, our wives and husbands and partners, our in-laws, our friends and acquaintances, our co-workers, and even the people we just bump into for a few moments at parties.

Hmmm, tried to slip this one by us, huh?

24 posted on 10/27/2003 5:51:39 AM PST by Hatteras (Some mornings, it's just not worth chewing through the leather straps...)
(In reply to #1)

To: an amused spectator
I've heard of it, don't know much about it. If people won't pay $15 or $20 a year for an AV subscription, they shouldn't own a computer. Ask them what their data is worth.
25 posted on 10/27/2003 5:52:37 AM PST by FreedomPoster (this space intentionally blank)
(In reply to #21)

To: E Rocc
Does that thing make punchcards?
26 posted on 10/27/2003 5:53:41 AM PST by Gumption
(In reply to #20)

To: AppyPappy
Well, the problem is that computers are much too complicated for average people. They expect it to work like a car or a coffee machine, and so the idea that they need firewalls, virus software, anti-spyware stuff, etc. really never crosses their mind. And the people who are aware of this stuff don't want to learn about it or mess with it; my family just doesn't care about "science junk", and that's a big roadblock in and of itself.
27 posted on 10/27/2003 5:54:30 AM PST by Hawkeye's Girl
(In reply to #23)

To: Gumption; E Rocc
No, but it runs "Hunt The Wumpus" like a champ ;)
28 posted on 10/27/2003 5:57:32 AM PST by general_re ("I am Torgo. I take care of the place while the Master is away.")
(In reply to #26)

To: Salo
I refloozle my friend's computer hossenblobbets with tinklewickets all the time.

Fortunately they are nice enough to do things like buy me dinner gift certificates to nice restaurants after I completely rework their machines to make them useable again.
29 posted on 10/27/2003 5:57:58 AM PST by txzman (Jer 23:29)
(In reply to #1)

To: Lee'sGhost
It's part of the Norton Utilities. Cleans up bad Windows Registry entries. They don't have a good description of it on the Symantec web site. Hmmmm - from the Help file:

Norton WinDoctor is the safe and easy way to diagnose and repair the most common types of Windows problems. It checks all the information necessary for Windows to run properly. Plus it checks for components needed by programs that run under Windows.

Norton WinDoctor starts with a Wizard interface to let you choose the kinds of diagnostic tests you want to perform. After running the tests, Norton WinDoctor displays an easy-to-read report of the problems it has found. Problems are listed by problem type in the order of severity. You can choose to display the list sorted by name or status (whether they are fixed).

Norton WinDoctor lets you tailor the repair process to your own needs. You can specify which problems to fix and how to fix them. Or, you can let Norton WinDoctor fix all found problems automatically.

If you decide you don’t like a repair WinDoctor has made, you can undo it. To undo repairs you made in previous sessions, use Norton WinDoctor’s Repair History feature. Norton WinDoctor keeps Windows running at peak efficiency. This not only makes using your computer faster and easier, but also safer. By fixing errors that might otherwise lead to data loss, Norton WinDoctor protects your work.
Don't know why they don't have something like that on their web site. Basically, it scans the Registry and cleans up issues that it finds. This is generally A Good Thing.
30 posted on 10/27/2003 6:00:17 AM PST by FreedomPoster (this space intentionally blank)
(In reply to #18)

To: AppyPappy
I've had 4-5 take me up on the "bring it to my house" offer. I find it usually takes about 3/4ths of a day, with 1-2 hours of real time spent, to clean things up. Lots of load/reboot cycles in there.
31 posted on 10/27/2003 6:02:42 AM PST by FreedomPoster (this space intentionally blank)
(In reply to #23)

To: FreedomPoster
Ask them what their data is worth.

Depends on what you use your computer for. I currently use anti-virus freeware, but even if my computer physically disappeared tomorrow, the only thing I would lose of importance is old/current homework.

If I actually did work with this thing, maybe I would shell out for something.

32 posted on 10/27/2003 6:05:37 AM PST by Hawkeye's Girl
(In reply to #25)

To: general_re
But could it play tic-tac-toe? (or Global Thermonuclear War?)
33 posted on 10/27/2003 6:07:24 AM PST by Gumption
(In reply to #28)

To: Salo
Here's the problem in a nutshell. Computer weenies are using acronyms and abbreviations that they themselves haven't even taken the time to learn what the letters stand for and in developing computers and computer products they are using words that already have enough real definitions. Case in point:

Define "patch".

1. A small piece of material affixed to another, larger piece to conceal, reinforce, or repair a worn area, hole, or tear.
2. A small piece of cloth used for patchwork.
3. A small cloth badge affixed to a garment as a decoration or an insignia, as of a military unit.
4. A dressing or covering applied to protect a wound or sore.
5. A pad or shield of cloth worn over an eye socket or an injured eye.
6. A transdermal patch.(See beauty spot.)
7. A small piece, part, or section, especially that which differs from or contrasts with the whole: a patch of thin ice; patches of sunlight.
8. A small plot or piece of land, especially one that produces or is used for growing specific vegetation: a briar patch; a bean patch.
9. An indefinite period of time; a spell: weathered a difficult patch after losing his job.
10. A temporary, removable electronic connection, as one between two components in a communications system.

And now, they want us to add another definition to the word "patch".

11. Computer Science. A piece of code added to software in order to fix a bug, especially as a temporary correction between two releases.

Hey, I learned how to "google" something, I can learn other new words. Just don't tell me to download a "patch". A patch is made of denim and my momma used to sew them on the knees of my pants.

34 posted on 10/27/2003 6:08:54 AM PST by Hatteras (Some mornings, it's just not worth chewing through the leather straps...)
(In reply to #1)

To: Gumption
HOW ABOUT A NICE GAME OF CHESS?
35 posted on 10/27/2003 6:12:40 AM PST by general_re ("I am Torgo. I take care of the place while the Master is away.")
(In reply to #33)

To: Salo
Why the fuss? Get some exercise, walk down to the bank, and do your finances in person.

As for fear of viruses. Hey, you're going to get a new cheap computer every 36 months anyway, so if some virus takes it down, that's how you know it's time to shop. All these software add-ons cost more than the computer is worth.

As for teaching computer classes, unfortunately, from my experience, the world seems to be composed of two types of humans:
Those who can communicate in clear, simple language, and those who are good at computers. Rarely are both skills found in a single individual. Hopefully you're the exception.

36 posted on 10/27/2003 6:13:03 AM PST by cookcounty
(In reply to #1)

To: FreedomPoster; AppyPappy
I've had 4-5 take me up on the "bring it to my house" offer. I find it usually takes about 3/4ths of a day, with 1-2 hours of real time spent, to clean things up. Lots of load/reboot cycles in there.

Same here. There IS a beer requirement, too. ;-)

What's the deal - did you give up beer, Hank? :-)

37 posted on 10/27/2003 6:13:07 AM PST by an amused spectator
(In reply to #31)

To: Hatteras
Computer weenies are using acronyms and abbreviations that they themselves haven't even taken the time to learn what the letters stand for and in developing computers and computer products they are using words that already have enough real definitions.

Being a computer weenie, I'll have to agree with you there. :-)

38 posted on 10/27/2003 6:15:11 AM PST by an amused spectator
(In reply to #34)

To: an amused spectator
Yup on the beer requirement. Generally Sam Adams. I get the same for recoding Audi transmissions to sport mode with my laptop and VAG-COM. Or better yet, the last guy took me for a lunch at Macaroni Grille that included a nice bottle of Italian chianti, that we split. He had lived for a time in Italy, and doesn't drink the cheap stuff. ;-D
39 posted on 10/27/2003 6:18:49 AM PST by FreedomPoster (this space intentionally blank)
(In reply to #37)

To: Salo
The article is a good one. I would just take it one step further. It's not just that Joe Average User is clueless about security. It's that he is clueless about damn near everything. We can put the blame on Microsoft, the educational system, or sunspots, but the fact remains that people cannot understand or troubleshoot the complex systems that modern PCs have become.

This situation could be addressed by building dumb clients and putting all the smarts in the network, but this idea has been trotted out every few years and it never seems to gain traction. I imagine there is a business opportunity for ISP's here. Your ISP in theory *could* become like the administrator of a corporate LAN. They could become your network admin, provide better firewall services, anti-spam services, security updates, software services etc. etc. They could differentiate themselves by providing the most friendly, helpful, and efficient support desks. This is feasible as the users in the corporate world are just as clueless as the ones at home - they just have better support.

I don't know if this will happen or not, but it seems that there is a value proposition here - I think most people would gladly pay a reasonable monthly fee to insure that the damn thing works all the time the way it should, and that they won't be vulnerable to the latest virus or worm or what have you. Whether this industry is willing to provide a service such as this remains to be seen.

40 posted on 10/27/2003 6:20:06 AM PST by 2 Kool 2 Be 4-Gotten
(In reply to #1)


