Wallowing in victimization
The solution is not some deus ex machina to magically solve all security issues. The solution is for the end user to start caring. Honestly, I continue to waver on whether or not this will ever happen, but I'm sure that if end users don't start taking some responsibility for learning Safe Surfing, these problems (and others) will always exist. Windows 2003 offers tremendous security mechanisms; XP Service Pack 2 as well. Yet this is all ignored by those who pretend to understand the problem.
According to Mossberg, IT and security people like you and me - well, me for certain - are the problem, because we call the end user stupid for executing viruses. And even though the article outlines multiple warnings from multiple security mechanisms that the user must purposefully disregard in order to infect themselves, it is still our fault when they do so. And apparently, we are wrong for saying so. We're to blame because we say they are to blame.
Mossberg retorts with, "Well, I have a word for these contemptuous techies: Save your energy for solving the problem instead of blaming its victims. Mainstream users shouldn't have to be IT experts to operate their computers."
In a word? Um, that's 24 words. If that statement were computer code rather than consumer criticism, it would be... wait for it... a buffer overflow. Allocate one word and stuff it with 24. No boundary checking. Oh, the irony.
I've looked high and low for references from security people calling for the end user to be an IT expert to use their system, and I couldn't find one. You don't have to be a master chef in order to cook meats properly. You don't have to be a master mechanic to drive a car, nor do you have to be a NASCAR driver in order to buckle up and not drink and drive.
And you don't have to be a computer expert to load AV software and install a firewall.
We are not wasting energy blaming stupid users. We are calling for users to take a little time and to learn minimal skills before attaching their systems to the Internet. The time it takes for these innocents to wallow in victimization would be far better spent actually reading all those message boxes telling you that you are about to screw up your system before clicking OK. If I have to deal with people angered by being called "stupid" for doing so, yet help raise the overall level of security consciousness in the process, then that is a burden I am happy to accept.
SecurityFocus columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.