Joe Average User Is In Trouble

Where's my security blanket?

Opinion

One of the many hats I wear here in St. Louis is that of college instructor, writes SecurityFocus columnist Scott Granneman. I teach courses in technology at Washington University, recently ranked the ninth best overall college in the nation by U.S. News & World Report, and at St. Louis Community College at Florissant Valley, one of the better community colleges in the area. I teach smart people at both locations. One is composed of folks who can pay the high prices for an education at a nationally-ranked university, and the other has people who work during the day and want to improve their skills at a good public school while keeping their costs low.

In other words, I see a pretty good cross-section of the computer users in our area.

Oh sure, some of my students are what we'd call "computer people," who work professionally programming or administering various systems or developing Web sites. But those are few and far between. Most of my students are office workers, or writers, or homemakers. Almost all of them run Windows at home and at work, usually ME or XP. They all know how to "use" their computers, which means that they can write papers, read email, use the Web, and even install software (as long as it's not packaged as a ZIP file: most of them have no idea what a ZIP file is or how to use it). In other words, your typical American computer user.

I'm here to tell the security pros reading this that we are in deeeeeep trouble when it comes to securing the computers of these people.

Security is just not a concept that "normal" folks focus on. It's not even on the radar screen. It's just not thought about at all.

The problem

"Do you update your anti-virus software regularly?" I'll ask them. Most look at me as though I'd just asked them if they refloozle their hossenblobbets with tinklewickets. A few will tentatively volunteer a timid, "I ... think so?" Some are willing to admit that they don't even have anti-virus software. At least they're sure.

"Do you run Windows Update regularly?" I'll ask next. Hmmm ... those hossenblobbets really do need refloozling. Some state that yes, they do run Windows Update, but they have no idea what it is doing to their computer, so they just agree to everything and assume it's all good. Most say they've never done it once, if they even know what it is.

"Do you have DSL or a cable modem at home?" is my next question. Ah, finally! A question they can all answer. They know the answer to this one! About half usually have some sort of broadband connection, and they are enthusiastic in their answers: "Yes, I do! You betcha! Love it!"

"Great!" I continue. "Do you have personal firewall software running on your computer? Do you have a router/firewall so your Windows machine isn't directly connected to the Internet? Did you remember to turn off file and printer sharing if your Windows machine is directly connected to the Internet?" A pause ... and we're right back to hossenblobbets and tinklewickets.

It's enough to make someone who cares about security throw up his hands in frustration and just give up.

Especially when we look at the unending stream of patches that has been flooding out of Redmond, Washington over the past couple of days ... uh, weeks ... uh, months ... oh, the heck with it: years. Just last week Microsoft announced a mega-patch for five security vulnerabilities deemed "critical". Windows Server 2003, which Microsoft promised would be its most secure OS yet, has already had nine security bulletins issued for it. Windows XP, the flagship desktop OS for home and business users, has seen patch after patch after patch, as a search at the SecurityFocus Vulnerability Database will disclose. To top things off, some of Microsoft's patches are themselves buggy, requiring further patches and updates to fix these patches.

It is a huge - and growing - problem for IT professionals at businesses to keep up with all the patches Microsoft issues. How, then, are non-professionals supposed to deal with the problem? More importantly, how are security pros supposed to deal with the bigger problem: that non-pros don't deal with the problem?

We can't just ignore the problems with insecurity that our non-IT friends, family, co-workers and acquaintances have with their computers. If their machines are compromised, we feel the effects, whether we realize it or not.

We feel the effects when we end up spending several hours each week doing pro bono IT work at the homes of the people we know (I've tried sending my Mom a bill, but she never pays, the deadbeat).

We feel the effects when the Internet slows to a crawl due to a sudden explosion of traffic caused by a particularly virulent virus or worm.

We feel the effects when we get even more spam, sent from compromised zombies to everyone else on the Net, or when those zombies are used in DDoS attacks on anti-spam Web sites.

We feel the effects when zombies owned by our unknowing friends and family are used to secretly host scams, or porn sites ... or worse.

In my angrier moods, I sometimes think that we should require licenses to operate computers, just like we require licenses to drive automobiles. I know that such a plan would never work in the real world, but it's a pleasant fantasy all the same.

So what can be done? First of all, Microsoft desperately needs to improve the underlying security of their products. As I talked about in my last column, there are fundamental problems with the way that Microsoft designs its systems. Email programs that contain embedded Web browsers that are themselves embedded into the operating system are disasters waiting to happen. Microsoft makes it too easy for people to do stupid things with its software, and it needs to remedy that.

Further than that, Microsoft needs to improve the way that its operating systems are updated and patched. A recent decision to consolidate patches into a monthly release is not, however, the way to go. Sure, on the one hand it makes things easier for the security pro who now only has to download and apply a mega-patch once a month. But, on the other hand, do you really feel like waiting three weeks until the next mega-patch comes out, hoping and trusting that you don't get bit in the meantime? And do you think your grandmother is going to remember to install that monthly patch? I can just see it now: "Hi, Grandma. Yeah, I'm doing fine, and so's the dog. Sure, cookies would be great! Hey, did you remember to install your Microsoft mega-patch yesterday?"

To counter the immense problem of the millions of people who never install personal firewall software, Microsoft bundled an extremely simplistic "Internet Connection Firewall", or ICF, with Windows XP. Unfortunately, ICF is turned off by default, and it's hard for users to find if they do want to enable it. Even worse, ICF only blocks incoming traffic, so Trojans that try to phone home are in the clear. Evidently Microsoft is going to improve ICF in future versions of Windows, including future shipping copies of XP (which is good, considering that the next major version of Windows, code-named Longhorn, isn't going to see the light of day until 2005 at the earliest). It's going to be enabled by default, which is a good start, but there's no word about blocking outbound traffic at this point.

To counter the immense problem of the millions of people who never install or update anti-virus software, Microsoft recently purchased GeCAD, a small Romanian anti-virus software company. Microsoft hasn't made it clear how deeply it intends to get into the anti-virus business, and analysts are divided, with some sure that Microsoft will eventually challenge Symantec and McAfee and the other large AV vendors, and others arguing that Microsoft just intends to get a better handle on improving the security of the Windows platform. I suspect that Microsoft hasn't yet decided what it wants to do on this front. Forcing AV software onto end users is a good thing, but I would really hate to see Microsoft destroy another software market by bundling new capabilities into the OS (the same concern applies to personal firewalls in the previous paragraph).

To counter the immense problem of the millions of people who still do careless things with their email, like open attachments they weren't expecting, Microsoft is making changes to the way its corporate email program Outlook behaves (including, however, the addition of odious DRM (digital rights management) features that will cause more problems than they solve). These are good changes, but let's see what happens once Outlook has been in the real world for a few months. I hope that the days of constant security issues with Outlook are over, but I'm taking a skeptical wait-and-see attitude, an attitude that seems entirely justified, based on one bizarre "feature" that the brand new program displays. Oh, by the way: if you or someone else you know uses the free Outlook Express, you're out of luck. Microsoft has no plans to improve it any further. If you know someone using Outlook Express, get them onto something else ASAP, like Mozilla Thunderbird.

To counter the immense problem of the millions of people who never run Windows Update (or Office Update, for that matter), Microsoft will probably install patches and updates automatically, by default. This makes me nervous, to say the least, since Microsoft has a history of releasing patches that don't work, or cause new problems, or require updates for the patches themselves. And personally, I don't like anything automatically installed on my machines. I want to be in control. But for the great mass of computer users out there, I think it's a solution that is unfortunately necessary. If people won't do it themselves, then it needs to be done for them. Let's just hope it works smoothly.
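The column's four questions (is anti-virus current, is Windows Update running, is a firewall on, is file and printer sharing exposed) and the two caveats about Microsoft's answers (ICF blocks only inbound traffic; patches need to land on a schedule) can be turned into a defender-side check. The script below is an added example, not code from the column or from Microsoft; it assumes a Windows 10/11 host with PowerShell 5.1 or later and the built-in NetSecurity and NetConnection modules, run from an elevated prompt (the ME/XP-era Internet Connection Firewall has no equivalent cmdlets). The `productState` bit interpretation in step 1 is a widely observed convention, not a documented contract, and is labelled as an assumption in the code.

```powershell
# Added example (not part of the original column): audit a home Windows PC against the
# same four questions the column asks. Assumes Windows 10/11, PowerShell 5.1+, elevated.

function Get-HomePcSecurityAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Anti-virus registered with Security Center. productState is not formally
    #    documented; the commonly observed convention (assumption) is that bit 0x1000
    #    means the product is enabled and bit 0x10 means definitions are out of date.
    $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if (-not $avProducts) {
        $findings.Add('AV: no anti-virus product is registered with Security Center')
    }
    foreach ($av in $avProducts) {
        $state = [int]$av.productState
        if (($state -band 0x1000) -eq 0) { $findings.Add("AV: '$($av.displayName)' is installed but disabled") }
        if (($state -band 0x10) -ne 0)   { $findings.Add("AV: '$($av.displayName)' has out-of-date definitions") }
    }

    # 2. Windows Update: the service must not be disabled, and something should have
    #    been installed recently (45 days covers one monthly patch cycle with slack).
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if (-not $wu -or $wu.StartType -eq 'Disabled') {
        $findings.Add('Update: Windows Update service (wuauserv) is missing or disabled')
    }
    $lastFix = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-45)) {
        $findings.Add("Update: no update installed in the last 45 days (last seen: $($lastFix.InstalledOn))")
    }

    # 3. Firewall: every profile enabled. The column's ICF caveat (inbound only) still
    #    applies: Windows Defender Firewall's default outbound action is Allow, so a
    #    trojan phoning home is not blocked unless that default is changed.
    foreach ($profile in Get-NetFirewallProfile) {
        if ("$($profile.Enabled)" -ne 'True') {
            $findings.Add("Firewall: profile '$($profile.Name)' is disabled")
        }
        if ("$($profile.DefaultOutboundAction)" -ne 'Block') {
            $findings.Add("Firewall: profile '$($profile.Name)' allows outbound connections by default")
        }
    }

    # 4. File and printer sharing reachable on a network the machine treats as Public
    #    (the column's case of a Windows box plugged straight into the modem).
    $publicNets = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' }
    $sharingRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Profile)" -match 'Public|Any' }
    if ($publicNets -and $sharingRules) {
        $findings.Add("Sharing: $(@($sharingRules).Count) inbound File and Printer Sharing rules are enabled while on a Public network")
    }

    if ($findings.Count -eq 0) {
        $findings.Add('No findings: AV current, updates recent, firewall on, sharing not exposed')
    }
    return $findings
}

Get-HomePcSecurityAudit | ForEach-Object { Write-Output $_ }
```

The outbound-allow finding will fire on a stock installation; that is the point of including it, since it is the modern form of the inbound-only posture the column describes, and whether to change the default is a judgement call for the person supporting the machine rather than something the script should alter.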

An unrequested but necessary responsibility

Microsoft can do a lot, but it's still the folks in the trenches who are left with the hard work and the dirty jobs. Yeah, I'm talking to you, the security professional reading this column. You and I have a lot left to do. We bear some of the blame for this mess by both mistaken actions and inactions but, more importantly, and more unfortunately, we bear most of the burden. Even if we don't want to, we're going to have to work with the people around us to help improve this pretty awful situation.

I know a lot of you are already performing what feel like the labors of Hercules. You're providing the free tech support that I mentioned above. You're spending hours downloading and installing patches, and cleaning up for folks when their computers become bewitched, bothered, and bewildered. You're the one driving out to CompUSA to buy a router/firewall when your parents get that new DSL connection. And you're the one patiently explaining yet again to yet another person why they need to install anti-virus software.

But we can do more. No, we must do more.

Because like it or not, Windows ain't going away for a while. Probably not ever, totally (calm down, Linux and Mac OS X users - I'm on your side, but let's be realistic here).

We've got to do more, because who else is going to do it? Microsoft claims it's working as hard as it can to improve the security of its products, but the success of that claim is, to put it politely, debatable. Besides, as we all know, security is one big chain that is only as strong as its weakest link, and the weakest link is always ... the people. Microsoft can work and struggle to give its software a secure foundation, the same strong foundation that much open source software already has, but as long as it makes it easy for smart people to do dumb things, we're always going to have a problem. So it's up to us, the people reading this column, the smart people who try to do smart things, to help the great mass of computer users.

And what's the greatest help we can offer them? It's simple, really: education.

We've got to educate our parents, our other family members, our boyfriends and girlfriends, our wives and husbands and partners, our in-laws, our friends and acquaintances, our co-workers, and even the people we just bump into for a few moments at parties. We need to be polite, non-threatening, non-judgmental, and above all, helpful. We can't be zealots. Our answer to every problem can't be "Run Linux!" or our other favorite operating system (unless the individual we're talking to is interested in such a solution, then by all means, go for it). We can, however, recommend (and install, and support ... *sigh*) software that will run on their operating systems and is built in a more secure fashion, like Mozilla or OpenOffice, if that software is appropriate. Most importantly, we need to speak in a language that Joe or Jane User can understand. No hossenblobbets and tinklewickets.

Going back to my classes at Washington University in St. Louis and St. Louis Community College, I always spend time with my students educating them about various issues in security. I try to impress upon them the importance of anti-virus software, and Windows Update, and firewalls, both hardware- and software-based. If they have a broadband connection, I take some time to talk about the advantages it brings, but also about the dangers, and how they can protect themselves against those dangers. And you know what? My students are genuinely interested in what I can tell them, and most of them think about what I've said and actually act on it.

I can't teach my students everything, but I try to teach them something. Every security professional needs to do the same. We're at the forefront, like it or not, and it's up to us to help lessen the myriad of problems we see around us. Like it or not, we need to become educators - permanent educators - or we may find ourselves refloozling those hossenblobbets with tinklewickets one too many times.

Copyright © SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.
