Tuesday, June 15, 2004

Quote for the day: is it your fault? 

I wrote a little while ago about people arguing whether computer users were "stupid" for not taking necessary precautions.

Here's a great comment about that. It's from a reader of security guru Bruce Schneier's wonderful online newsletter, "Crypto-Gram".

From: Dan DeMaggio
Subject: Step 1: Admit you have a problem

I love your Crypto-Gram and your thoughtful analysis. But I must take you to task for linking to Tim Mullen's Security Focus article about Walter Mossberg (and implying that you agree with it).

Tim says "The solution is for the end user to start caring." But that will never happen. Only computer enthusiasts care about computers. Only car enthusiasts care about cars. Only llama enthusiasts care about llamas. The vast majority of people in the world will never care about any of them.

Let me tell you about three products I've bought:

- I bought a car. The locks are not much of a deterrent, but they have kept the car perfectly secure (even in Detroit) for more than 10 years now. I take it in for a 10-minute oil change every three months (like it says to do in the owner's manual). When it breaks down (twice in 10 years), I make a phone call and have it fixed. To me, the car is merely a means to an end. I do not care about my car.

- I bought a house. I expect the locks will keep my house reasonably secure. The complex equipment in the basement may break every few years, but a simple repairman visit will fix the problem. I care about my house more than my car, but not by much. I would not have bought my house if I expected it to be a high-maintenance source of problems.

- I got my wife a computer with Windows on it. Within minutes of plugging it in, it started getting spam pop-ups. If I mistyped a domain name, I would get a site that did so many pop-ups and re-spawns that I had to reboot the computer. Keeping up with patches would take hours per month. Even though I'm a techie, I refuse to babysit that computer. If it becomes infected, I guess I'll just wipe and re-install.

The first two examples are "whole products". (See Geoffrey A. Moore's "Crossing The Chasm".) Almost everything I was going to need came bundled. Those things that weren't bundled were things that I knew about, things that were cheap (relative to the product price), and things that do not require much time or thought.

The third product is not a whole product. I refuse to hunt down all the services I need to turn off (but I did get a firewall). I refuse to waste my time downloading multi-megabyte patches and wait for the computer to reboot multiple times. I refuse to pay $100 to protect a $500 computer, especially because no AV software protects from all new exploits. (I know because I regularly get new e-mail viruses marked "certified virus free" by AV vendors.)

I refuse to do these things because I know they don't have to be done (and the public will never do them anyway). Linux doesn't require any of that. I know Linux isn't a whole product either (yet), but it's easier to add documentation and support to Linux than security to Windows. If I were really paranoid about security, I'd (easily) migrate to OpenBSD. They've had one remote hole in the default install in the last eight years, unlike Microsoft's seven exploits in one day.

Walter says "It's time somebody [shoulder the whole burden of protecting PCs]." People want computers to be as low-maintenance as a car. Microsoft created this problem because (as a monopoly), it's not profitable to fix bugs (it won't generate more sales) or make things secure (ditto). Yes, Tim, it is "wishful thinking" to expect the problem to be solved for free. But it is even more wishful thinking to expect the public to care about computers.


"OpenBSD", which he mentioned, is a free Unix operating system built with security as a top priority. The only reason I haven't recommended it is that my audience is normal people with other things to do. It's easier for a newbie to get someone to help with a Linux installation.
