“Security is a thing of the past”

I recently talked to my friend, a nice guy but with limited computer skills, and what he told me quite amazed me:

I stopped caring about security, I no longer install Microsoft patches unless they install themselves automatically, I don’t upgrade my antivirus, antimalware or any other protection mechanism, I simply can’t spend the time doing it – my work is not my computer – the computer is a tool for me. You can’t expect me to be an engineer and fix my car, right? So why is this expected from me with my computer?

Why was he talking like that? Well, simply put, he is tired: he is tired of worrying about his computer security, about whether his antivirus is the latest, whether his malware prevention works, whether the patches are needed or not.

Security has become such a burden on the simple people that they no longer care about it.

And don’t get him wrong, he is a good guy, he even recently upgraded his hardware to accommodate his new OS installation of Vista – he did this because he was “promised” that Vista resolved all the security issues and that everything would be seamless, security-wise – but of course it isn’t.

Vista is no different from previous OSes: XP promised and failed, and I don’t see how the next OS will be able to deliver on its promise of a secure OS.

Before you jump and say move to Linux, my friend here hasn’t the option to move to Linux as he needs several programs critical to his job that aren’t available for Linux – of course there are alternatives to them, but he is a professor not a kid, he has work to do with these programs and he can’t now just switch to a different OS and different programs, he has jobs to hand in, and research to do.

I am not sure what I can do for him – besides comfort him :)

  • wesley

    OSX + parallelization software to have access to the windows programs you need. Problem solved.

  • wesley

    I meant virtualization, I was thinking of parallels:


  • adam.sellers

    Linux with XP VM for those programs you ‘can’t live without’ would be my advice. This would then handle the problems he has with not bothering to keep everything patched and updated… if something does sneak into his windows VM then just hose that and reinstate a clean machine..

  • Nick

    Didn’t you tell your friend that Windows updates, antivirus updates, and so on can all run unattended so he doesn’t have to do anything manually (aside from renewing a yearly subscription or similar actions)?

  • Rob

    So this guy is a non-tech person and all the comments are telling him he should run VMs? That would just make 2 systems he needs to patch instead of 1.

    And if he wants things to “just work” then why the hell would you recommend Linux? Device support generally good, but it is not always plug and play, like windows…

  • http://gr33ndata.blogspot.com Tarek

    So, why don’t you tell your friend to stop locking the door of his home when he is out, as he is not expected to be a security expert to lock his home every day.

  • http://www.BeyondSecurity.com noam

    You are right that is what he is doing at the moment, but no single antivirus catches all incoming viruses. There are quite a few viruses that aren’t, and he has been infected by a malware which he got off an ad which his antivirus didn’t catch – so he installed an anti-malware which caught it – but this brought him more frustration

    He is renewing his subscription, but you pretty much know this isn’t always 100% problem solving as adobe flash, adobe acrobat, photoshop, quicktime, etc aren’t covered here – and they are being abused by bad people

    Locking your door is a very SIMPLE thing – you do it throughout the year, and always the same, nothing more nothing less, even if someone breaks into your house, you don’t usually do more than replace the key or put another one.

    If computers were compared here, I would be adding layers and layers of security to my house and still people would get in – computers have become too security complex for you to expect the guy sitting on the other end to fix

  • Jason

    Turn on the auto-update features on the OS and the anti-X programs.

    Install Secunia PSI to handle everything else. It won’t auto fix things, but it provides a relatively easy to understand interface that shows you all the stuff that is outdated, end-of-lifed, and otherwise risky.

  • Jim

    Yeah it’s a sorry state of affairs we are finding ourselves in. Some saw it coming, albeit in a larger context of software. In the ’60s it was identified as the Software Crisis; the present state of software security is an extension of this problem. But industry did not care and here we are.

    You can tell your friend to hang in there and that he’s not alone. With practice he’ll get better. It’s taken me years, but I am still hanging in there. Simply because there’s no other option but to stay on top of the game.

  • http://anti-virus-rants.blogspot.com kurt wismer

    “you can’t expect me to be an engineer and fix my car right? so why is this expected from me with my computer?”

    people aren’t expected to FIX their own cars but they are expected to MAINTAIN their own cars and use them in a safe manner…

    likewise, the average person probably shouldn’t be expected to be able to do incident response for their computer but they should be expected to maintain their own computers (keep everything up to date) and use them in a secure manner….

    “Why was he talking like that? Well, simply put, he is tired: he is tired of worrying about his computer security, about whether his antivirus is the latest, whether his malware prevention works, whether the patches are needed or not.”

    y’know what? i’m tired too… i’m tired of worrying about automotive safety, about whether i’m on the right side of the road, whether i’m going the proper speed, whether my seatbelt is done up, and whether my turn signals and brake lights work, etc… a car is a tool, i just want to get from point A to point B, i shouldn’t have to worry about all that other nonsense…

    “I am not sure what I can do for him – besides comfort him”

    maybe stop coddling him…

  • Eponymous

    Maybe he should track down the most ethical crime syndicate he can, and make an agreement with them that he will allow them to remote control his computer and use it to send spam, as long as they secure it against less ethical criminals. This is known as a “digital bugchaser.”

  • godking

    The auto update function of Windows and his virus scanner would solve 80% of his whining

  • anonymous

    This is a good point. I have personally witnessed the same attitude many times when dealing with computer-illiterate people.

    Switching to Linux does nothing to the basic problem. If anything, you might even need more patching due to the nature of open source.

    Now I think that the computer security community itself is very much part of the problem. Hysteria sells. We count vulnerabilities. Endless stream. We do very little to educate the common men. And any kind of self-criticism is completely out of the question in our community / industry.

  • Eth

    A car is not an extension of your consciousness. The allegory is really comparable. You can’t send instruction to your car to deliver your shopping, pay your bills, it’s just not the same. Security is what? It is not just security for itself, its own sake. Patching solves bad programming errors, AV/IDS/IPS/AM etc. stops malicious activity/software.

    There are no simple answers, apart from don’t use your computer. Get rid of it, don’t bother. I couldn’t the world is not falling in around my ears. Manage the problem or it will manage you, like anything else.

  • Mark

    Suggesting the move to linux, or osx is only useful in the short term. Exploits are there for _every_ system. And as more people jump ship from windows to other systems the market for malicious code in those systems grows. The reason there aren’t as many OSX exploits floating around isn’t because it’s any more difficult, but because the economics of it don’t make it worth it. If you want to get information, or crash networks, you want something that will affect the most systems with the least amount of work. But the problems run far deeper than just the OS.

    The real problem here is that software more and more assumes that the user has time, money, and knowledge to spend on keeping it up to date. Security software needs to be designed for the least competent user, so that bugs are patched and exploits harder to create.

  • TG1964

    With any “tool” of this importance, you’re expected to do standard maintenance. Using the car example, you must do routine oil changes, put gas in it, air the tires. Wanna just stop doing those things and see how long your car runs? Same with a PC… there are simple things everyone can do to be more secure. Furthermore, I’ll go as far as to say paying attention to security isn’t only required, it’s an obligation! Each one of us can potentially affect thousands of other computer users if we don’t pay attention to the security of our devices. Turn on autoupdates… it ain’t brain surgery.

  • TG1964

    P.S. – Ask your friend how much he’ll care about his computer’s security when his identity or other important personal or work-related documents are stolen from it.

  • SteveB

    I can’t believe I’m about to suggest this, but with Windows OneCare it pretty much handles everything security & backup related that this tired old IT guy and your average user doesn’t have the time or patience to deal with anymore. I used to use several different apps for spyware, a/v, backup, etc, but now with OneCare I don’t worry about it any more. The “tired” factor is really true; I have better things to do with my time than updating definitions almost daily, checking logs and a/v, etc. With OneCare I can just set it and go. Nice not to have that piece of the puzzle to deal with all the time. :) OS updates, well that’s another story: I still won’t install those (XP, Vista, Server 2k3, Server 2k8) without paying very close attention… ;-)