OpenIDPCs for non-geeks
A couple of interesting links about the security problems faced by the vast majority of the home PC using public, who don’t know how to install security updates (or even what they are) and don’t have a corporate IT department to bail them out when they run in to problems. Joe Average User Is In Trouble is a column by a security expert bemoaning the scale of the problem. Do we all need a personal system administrator? is a call for advice from Steve Garrity for tips on minimising the support calls he gets from his parents, and includes an excellent response from Matt Haughey in the comments.
I’ve been called to a less-geeky friend’s PC before to find it so infested with malware that it had slowed to a crawl. Most security breaches seem to come from Internet Explorer and Outlook Express, so Matt’s advice to replace them with Firebird and Thunderbird seems like a particularly good idea. Placing PCs behind a hardware router is a great idea as well as it at least prevents nasty traffic from the internet from probing the computer—although as Adam Kalsey points out such a set up won’t prevent malicious software that has already snuck its way on to a PC from calling home.
I believe an awful lot of geeks don't actually understand how most home users user their computers, and how completely messed-up so many of them are.
Almost always when I look on non-technical people's computers (and even computers at the BBC), there's some kind of spy-ware: be it IE toolbars they can't get rid of, non-website popups they can't control or other stuff, they've just lost control.
Windows really needs to be better at letting users control their computers, not the other way round. Microsoft seem to be getting the message though: XP SP2 will have firewall on by default and the Messenger service turned off by default. The Longhorn pre-alpha build also has a popup blocker and a dialog to easily remove ActiveX plugins (like IE toolbars).
Updating is another interesting one: recently I asked a friend why they didn't update and they said "I don't know which updates to install". Windows Update is confusing. People don't understand the difference between critical, non-critical and driver updates. Nor do they care - users just want to get on with whatever task they're trying to do.
It needs a huge, green, one-click "Get the updates I need to keep my computer secure" button. Or automatic updates, which I'm a fan of. There have been many good arguments against automatic updates, but I believe they're preferable to the current situation: people just don't update, worms keep on propagating.
Tom Gilder - 29th October 2003 13:45 - #
Randy Towers - 29th October 2003 15:44 - #
The average Windows user probably does need a personal sysadmin these days, if only to update their system and keep spyware and adware to a minimum. Tom's comment is on point -- the next Windows release should make it easier for non-technical users to control their machines. Too bad Longhorn won't be released until 2006.
Hopefully, Apple can take advantage of this two-year window and convince people to switch to what is arguably a superior (and safer) operating system.
Louis - 29th October 2003 16:45 - #
I assume all public access Windows PCs will be infested with spyware. I stayed at a hotel a few weeks ago where the only internet access was from a shared PC in the lobby. It had a keylogger that also randomly took screenshots of the screen and emailed everything to an unspecified address. I wiped it clean with SpyBot Search and Destroy, and installed Firebird as the default browser.
Ironically, the PC had Norton Antivirus on it, fully up to date and auto-everything. This stuff really needs to be rolled into antivirus programs, because *nobody* is aware of the current spyware threats. At least a few people have heard of viruses.
Mark - 29th October 2003 16:45 - #
I don't believe Trojans and Spywares should be rolled up in Anti-Virus Software.
Already, it leads to confusion for example, Norton published a security response on q-hosts and developed a removal tool for it. Norton isn't in the Trojan Business, but in the Anti-Virus business, creating a removal tool for a trojan horse implies that Norton Anti-Virus can also function as an Anti-Trojan Software, it can't but unsuspecting home-owners are not aware of this. I have seen this confusion in the Security Newsgroups I frequent
I believe Anti-Virus companies should stick to what they do best and leave Trojans to the Anti-Trojan Companies and Adware/Spyware to the relevant software. Of course it has the potential to create more confusion for the home user having so much to remember but if an Anti-Virus Software occassionally cleans out Trojans, I believe it has the potential to do more damage for the unsuspecting home-user expecting the Anti-Virus Software to clean out future Trojans.
Kayode Okeyode - 29th October 2003 17:14 - #
Meri Williams - 29th October 2003 17:37 - #
jgraham - 29th October 2003 19:01 - #
Your comments remind me of an article I read in vymths.com which I believe, sums up the thinking behind unsuspecting home-users expecting the Anti-Virus Software to be magical:
Vmyths.com was referring to the daily virus definitions by the way (I can't find the article but it was in response to Microsoft buying an AntiVirus Company). The point being that you cannot put that amount of trust in the hands of one organisation. Geeks may know better, but the average home-owner doesn't and blindly trusts their Anti-Virus Software. Recall that the internet is largely unregulated? We need some checks and balances and separating Virus/Trojans/Spyware/Malware between various organisations who have expertise in their chosen fields is in my opinion, safer in the long run.
How about security in-depth? If I recall correctly, there was a malware that disabled Anti-Virus Software and Firewalls in order to propagate (was it bugbear? I can no longer recall).
Having all three bundled in one Anti-Virus software will only work in the short term, spammers/hackers will adapt by focusing their attention on one application, unsuspecting home owners will not adapt because they still think of the PC in the same way they think of the television.
Kayode Okeyode - 29th October 2003 20:53 - #
If you require users to install 3 different programs they will (at most) manage to install one of them. There is a great deal of evidence for this. For example, how many home users (which is to say, non technical) do you know who have, of their own accord, installed an anti virus program? Probably a few. How many have installed a spyware removal program? In my experience, none. Now you can try to educate people about your taxanomy of computer threats and why you need three different programs installed rather than one. But it almost certianly won't work - you've got to teach too many concepts to people who don't care to understand them. On the other hand, if the next update of their antivirus program starts alerting them to spyware and trojans, they will be able to remove them with zero effort. That will work.
Note that I'm not arguing that having a single program is technically superior. It might not be (although I find your argument about malicious programs disabling the protection unconvincing - this is, at best, a second order effect, since the programs can be disabled whether or not they are integrated), but practically the best technical solution is not always the most effective. If users were really clued up about security, they wouldn't use windows (which would wipe out most virus / spyware / trojan issues immediatley). But they don't, because the extra effort required to switch platforms is more than most people are willing to expend on their computers. They're not even prepared to change email programs or browsers from that supplied with the computer. This isn't really unreasonable behaviour; they have a reasonable expectation from other fields that supplied accessories will function better than third party addons (like the remote control supplied with a TV is generally better than another remote control at controlling that TV), and have no knowledge that computers are different. In fact, many people probably believe that the more progams they install the worse their computer will perform - with some evidence to back this up (install spyware, watch IE become unusable).
My point is that asking users to know they need three or more seperate programs just to keep their computer usable is unreasonable. There is no intuition they can apply from other fields (where things don't suffer this kind of problem) to reach that conclusion, so expecting a sizable fraction of users to reach it is wishful thinking
jgraham - 29th October 2003 22:24 - #
We will just have to learn to disagree on how PCs should be secured.
But for the record, here is the link to Bugbear disabling Antivirus softwares and firewalls
I am sure there are others (I can't believe it hasn't been tried again)
Kayode Okeyode - 29th October 2003 22:43 - #
Sam - 5th November 2003 09:55 - #
�载 - 15th January 2005 09:13 - #