Joe Average User is Trouble

[Peachy]

Another interesting commentary with respect to the average computer user, security and Microsoft.

[nlinecomputers]

We've got to educate our parents, our other family members, our boyfriends and girlfriends, our wives and husbands and partners, our in-laws, our friends and acquaintances, our co-workers, and even the people we just bump into for a few moments at parties. We need to be polite, non-threatening, non-judgmental, and above all, helpful. We can't be zealots. Our answer to every problem can't be "Run Linux!" or our other favorite operating system (unless the individual we're talking to is interested in such a solution, then by all means, go for it). We can, however, recommend (and install, and support ... *sigh*) software that will run on their operating systems and is built in a more secure fashion, however, like Mozilla or OpenOffice, if that software is appropriate. Most importantly, we need to speak in a language that Joe or Jane User can understand. No hossenblobbets and tinklewickets.

Would somebody explain to me just how you are supposed to explain security issues without talking technical? Even the simple stuff like Start Programs Windows Update is more then most users want to hear about. To them it is a TV and it should run as such. We don't have to patch our TVs why do we need to patch our computers. End users are NEVER going to grok this. Especially at the prices that they paid for the computer. $500-700 is cheap. Who wants to spend $60-$100 a month or quarter trying to get a pro in to look at the system?The only way to solve this problem is by securing the internet not the end users computers. The first is possible but expensive the second is never going to happen.

[Guest LilBambi]

How should the Internet be secured? And at what cost? (Are we looking for a Gatekeeper here?). Education is key for day to day computer use.However, it will always be that there some who do not have the time or desire to learn and they will continue to take their cars to the repair shop, their computer to computer techs, etc.It happens. Some things can't be 100% fixed by control, nor should it.

[Dave PCPitstop]

There's no reason to bash Microsoft in particular. When one company has 95% market share the hackers and spammers are going to target that product and not the other 5%. You can bet that if Mozilla or Opera or Linux had overwhelming market share then the hackers and spammers would spend the time to infiltrate and corrupt them too. Nearly all the recent exploits have been of the "social engineering" type, as long as you can sucker a user into running an attachment then you can control their system.I totally agree that education is important, users need to know what to look out for. The problem is that new scams (or variations on the scams) are coming out every day. PCs need to give users the tools to defend themselves against some of this.For example, you can now buy a hardware firewall for about $100 with built-in wireless. I have the Netgear WGR614 and I love it. However, it is far too easy to set up the box as an open access point (no encryption) and leave your internal network wide open to your neighbors and anyone cruising through the neighborhood. As long as the courts rule that a click-wrap license can legally enforce the kind of clauses in a Gator or WhenU agreement, users are also going to need education about the dangers of clicking "I agree" or even "OK" for that matter. I think the disclosure in these things is far too subtle but the courts haven't found that...yet.

[Guest LilBambi]

Dave,Boy, is that the truth! And as far as the Gators and WhenUs go ... that's something that could be done. There is certainly no reason folks should have to play Russian Roulette (pun intended) with their computer's security and privacy due to a bunch of money grubbing ... ... oh, you know!

[Stonegiant]

We've got to educate our parents, our other family members, our boyfriends and girlfriends, our wives and husbands and partners, our in-laws, our friends and acquaintances, our co-workers, and even the people we just bump into for a few moments at parties. We need to be polite, non-threatening, non-judgmental, and above all, helpful. We can't be zealots. Our answer to every problem can't be "Run Linux!" or our other favorite operating system (unless the individual we're talking to is interested in such a solution, then by all means, go for it). We can, however, recommend (and install, and support ... *sigh*) software that will run on their operating systems and is built in a more secure fashion, however, like Mozilla or OpenOffice, if that software is appropriate. Most importantly, we need to speak in a language that Joe or Jane User can understand. No hossenblobbets and tinklewickets.

Would somebody explain to me just how you are supposed to explain security issues without talking technical? Even the simple stuff like Start Programs Windows Update is more then most users want to hear about. To them it is a TV and it should run as such. We don't have to patch our TVs why do we need to patch our computers. End users are NEVER going to grok this. Especially at the prices that they paid for the computer. $500-700 is cheap. Who wants to spend $60-$100 a month or quarter trying to get a pro in to look at the system?The only way to solve this problem is by securing the internet not the end users computers. The first is possible but expensive the second is never going to happen.

I agree wholeheartedly. And I grok you grok, too.

[nlinecomputers]

How should the Internet be secured? And at what cost? (Are we looking for a Gatekeeper here?).

Yes we are. The internet is the only network where one person can cause so much trouble. The interent was a private network that had no real restrictions because it's members were expected to police themselves. And they did because abuse of that could loose them the right to use it. This openness has been abused by software makers and end users and hackers. If I tried to use my telephone to disrupt phone sevice I'd be cut off in seconds. Even gaining access to phones is protected underwire tap laws. Any email that goes into my server I'm free to read, leagally. The average user doesn't know that. End users don't need every port open and shouldn't be provided that for the saftey of the interent. Any more then I'm allowed to tap into a gas pipeline with out an inspection. The internet is now a utility and should be regulated as such, just as phones, electric, gas, water, sewer, and other such networks are.Spam could be solved be replacing the SMTP system with challenge reponse system with digital keys. The system now if fully open because it was designed to be used on a private network not a public one.

[epp_b]

Wow! Thanks for the link Peachy! Great article, full of many (sad) truths.

In my angrier moods, I sometimes think that we should require licenses to operate computers, just like we require licenses to drive automobilies. I know that such a plan would never work in the real world, but it's a pleasant fantasy all the same.

Yes, this is a fantasy all to it's own, and a very unrealistic one at that. A lisence to use the Internet, now that...never mind, still a fantasy ;)I agree, blaming Microsoft just because it has 95% of the market share is not accurate. Malicious users aren't going to target the 5% minority. BUT, Microsoft does need to start implementing two basic options for their operating systems... auto-configure...all security options switched ON, automatic Windows updates are downloaded and installed, firewall is ON, remote services switched OFF, other extra services that Joe User will never need (or know how to use) switched OFF, etc, etc, etc...custom install...NOTHING is switched on or off without the explicit consent of the user, because in this case, the user actually knows what they're doing. (Hey Microsoft, take some tips from the Linux community: tech users want options coming out of the yin-yang!!)

We've got to educate our parents, our other family members, our boyfriends and girlfriends, our wives and husbands and partners, our in-laws, our friends and acquaintances, our co-workers, and even the people we just bump into for a few moments at parties. We need to be polite, non-threatening, non-judgmental, and above all, helpful. We can't be zealots. Our answer to every problem can't be "Run Linux!" or our other favorite operating system (unless the individual we're talking to is interested in such a solution, then by all means, go for it). We can, however, recommend (and install, and support ... *sigh*) software that will run on their operating systems and is built in a more secure fashion, however, like Mozilla or OpenOffice, if that software is appropriate. Most importantly, we need to speak in a language that Joe or Jane User can understand. No hossenblobbets and tinklewickets.

While I agree that people should put a little more effort into keeping their systems secure -- because, by being ignorant of security, they're putting not only themselves, but everyone else, at risk -- I also must concur with nlinecomputers: to "normal" users, computers are nothing more than a simple form of entertainment or work tool. They don't see the necessity of Windows update patches, virus definitions, etc., nor do most of them care.Sometimes, it's almost pathetic, really. I recall one time that I spent almost an hour on the phone trying to talk some guy to install some simple game from a CD-ROM ("Go to 'My Computer'" "How am I supposed to do that...your computer is at your house!"....sigh...).While I agree that education is the key, it's just not going to happen. (Optional) Automation, probably the next best thing, needs to be implemented.

[nlinecomputers]

Yes, this is a fantasy all to it's own, and a very unrealistic one at that. A lisence to use the Internet, now that...never mind, still a fantasy

A friend of mine is a HAM radio geek and he STRONGLY advocates that all internet users should be required to be licensed. Even the "everybody allready has one arguement" doesn't hold water with him. "Radios like computers or autos, or airplanes, came before the regulations on there use. It was the misuse that led to the regulation. All it is going to take for computers and ISPs to be regulated is one big virus that does major damaged to systems. A wide spread virus that damages files or causes critical systems to fail." I not sure that I totally agree with that but he may be correct. Such things come into play after major problems occur.

[nlinecomputers]

Another column with a like minded POV : Full Disclosure by Stephen Manes

[Rons]

Thanks Peachy - great article. I also teach beginning computer classes as part of the community education program at our local JC. And as the writer stated in the article, these folks haven't got a clue about the importance of securing their systems or of keeping their anti-virus programs updated. More alarming is the fact that over half of the students either do not have a anti-virus program installed or have not kept it updated. To further complicate matters, most new PC's come only with a 90 day demo version of a anti-virus program. And there is normally little or no documentation included with the system to inform the user of this fact nor to provide the user with information on how to update Windows.I tell my students that little documentation is provided with a new PC since the expectation is that everyone knows how to use them. But this is not always the case.I wish I had a solution.

[Guest ThunderRiver]

It is expected that in Windows XP Service Pack 2, Microsoft will include an improved version of Firewall system, which will also be used in Windows Longhorn. Obviously, this time, Microsoft will enable the firewall by default, but I am afraid that users will start complaining for lacking obvious graphical user interface. You have to understand that even average joe probably doesn't know how to configure firewall, especially outbound connection. A lot of times, when a dialogue comes up, a user just clicks yes without even knowing what it is about. Microsoft PC Satisfaction Trial has been in development for a long time. The underlying firewall engine is Tiny Personal Firewall, and Microsoft periodically includes a list of programs that could gain access to outbound connection as well as blocking certain inbound connections. However, if we let Microsoft takes in control, it will be Open Source's loss. Mozilla Thunderbird may not be able to access secure IMAP because of the firewall setting from Microsoft. Still, I can imagine that older generations are generally more careless about security than younger generations. My friends normally updating their parents' computer, and their parents normally are too busy to care about security updates. There is really no easy solutions to fix it. It all takes time, and of course education is the key. Sadly, computer security courses are normally not taught in elementary, not even in most colleges. Perhaps, to make average joe's life more miserable, Microsoft will move on and set new users as "Users" by default, instead of "Administrator." My girlfriend's friend asked me one day why she can't install Microsoft Offices. She went on and said "It just pops up a dialogue, which says you don't have Administrator status to perform such action...". So then I asked her "Do you remember your Administrator password?" .. she went to silence. As you can see, it is really hard to bring up security level without leaving people behind.At this moment, however, if you install Windows Longhorn, you are still automatically receiving Administrator status.

[Cluttermagnet]

A friend of mine is a HAM radio geek and he STRONGLY advocates that all internet users should be required to be licensed.  Even the "everybody allready has one arguement" doesn't hold water with him.  "Radios like computers or autos, or airplanes,  came before the regulations on there use.  It was the misuse that led to the regulation.  All it is going to take for computers and ISPs to be regulated is one big virus that does major damaged to systems.  A wide spread virus that damages files or causes critical systems to fail."  I not sure that I totally agree with that but he may be correct.  Such things come into play after major problems occur.

I am also one of those 'ham radio' geeks. I probably qualify as an 'intermediate' level Windows user by now. I'm very security conscious and always have been, even back in my Win95 days. But I am probably atypical in that regard.Since the regulation topic has been brought up, and reference made to ham radio as having been previously unregulated, I will make a few brief comments about that. The radio geeks were in effect the computer geeks of an earlier era during the development of industrialization in general and the communications game in particular. All of electronics as we have it today is an outgrowth of wire telegraphy and then the radio art itself. All this was happening about 100 years ago, plus/ minus.Hams ran into trouble with both commercial and government interests early on, and it is really somewhat of a miracle that they actually survived. The Navy was almost successful in driving them from the airwaves right after the turn of the (20th) century. The hams were also silenced during both World Wars I and II. It was a bit dicey as to whether they would be permitted to return to the airwaves after both, especially after WW I. But the hams did come back, and one of the main reasons was their demonstrated technical proficiency and their demonstrated ability to amass a large pool of highly skilled radio techs- very useful to the nation in time of war. In fact, some of the most interesting, technical, and challenging incidents during WW II had hams in the middle of the action as the allies worked at decryption, designing countermeasures for devastatingly effective, state-of-the-art radar navigation systems, radiolocation of enemy assets, and lots more. So in effect, certain individual hams made significant contributions to the successful conclusion of the war.The vast and growing pool of skilled computerists today strongly parallels those situations of a century ago. Computer-types are the mainstream 'geeks' of today's world. And that is just too much of a talent pool to ever allow them to get 'locked out'. For a variety of reasons, that is highly unlikely. So where our advanced geeks can really help us is in resolving the vulnerability issues of the internet. I do agree, however, that it is probably going to take a devastatingly effective attack on the net to finally get things going. I would have to say that proficiency exams and licensing are not totally ridiculous concepts to me. They might even need to happen. All I can tell you is that such testing and licensing proved essential early on in the radio world of a century ago. Again, there is a striking parallel. Because of the physics of radio propagation, one single transmitter can cause a heck of a lot of trouble on one specific frequency (you can think 'channel' here for discussion purposes only). We should best avoid the topic of 'jamming' transmitters here, as those can be viewed as instruments of 'war', more or less. Their use is rare, but not unprecedented.The unskilled computer owner can indeed do damage, even if it is unintentionally catching a virus, etc. And one malicious operator can produce tremendous carnage with a single hostile act. We do need to work on how to lessen the impact of the reality that some of our hackers are 'black hats', not 'white hats'. There is no sure cure, however. I think the fixes that some propose are often far worse than the the 'disease'. Think of it this way- cars can still become lethal weapons in the wrong hands, whether it is a crime of negligence, suicide, or homicide. We must allow for the possibility of this, or else entirely give up driving cars. I think that we will just have to live with some degree of risk, but let's work to try to negate most of the damage Joe Average can do right now. We can only improve the odds. We can never make the world totally, unconditionally safe. There is risk in everything, even simply getting out of bed in the morning.

[epp_b]

At this moment, however, if you install Windows Longhorn, you are still automatically receiving Administrator status.

This is a problem....but, what are people going to think when they fire up their brand new PC with Longhorn, log in as Users, try to install their first program, and it doesn't work?"This stupid piece of junk won't even let me install my program! This is all the computer store's fault, I'm returning it!"Obviously, that makes no sense, but how is Joe User supposed to know any better if he isn't educated?I think Microsoft needs to be more intuitive as well. "You don't have administrator priveledges" isn't enough for the average user to know what to do. Perhaps, instead of some useless dialogue with a geek-jargon message, a login box could popup with directions and a reason why it just popped up."In order to install a program, you must must prove that you are the owner and administrator of this computer. Please fill out the username and password below to match the the administrator's username and password. If you do not know the administrator's username and password, but you are the owner of this computer, please click here to view the Windows help file, which will tell you the default administrator username and password, and will also give you an opportunity to change it. If you are not the owner the computer, please contact the owner so that s/he can assist you with a username and password, so that you can complete the installation.Yes, it's long winded, it's untechnical and ungeeky. But I think that even my grandmother would probably be able to understand it way.Since you should always reboot after installing anything (another thing that most software products don't stress enough), Windows would default login to users, not administrator, regardless of the last user logged in.

[nlinecomputers]

Epp,It would not work IMHO. One most users wouldn't read the dang thing. It it can't be explained it in 6 words or less it is ignored. Plenty of error messages and requests are put up in plain english an users DON'T read them.Two If a legit program can call up this mode then any virus or trojan could to. Most users have NO clue why the are being asked this information. NOR DO THEY CARE!!!!! It will pop up after some email has arrived and 9 out of 10 users would type in there password.Trying to secure the end users box FROM the end user is IMPOSSIBLE and it is foolish to try. Secure the internet and most of this crap would stop.They call it the information super highway. Yet it is a highway without traffic rules, no stop signs, or traffic lights, no marking on fhe pavement to control traffic. And you've got to build a super strong car to survive the constant pounding that your car takes from all the other cars bumping into you. It's Bumper cars at 90 MPH.Clutter,Nice post.

[Guest ThunderRiver]

Like nlinecomputers mentioend earlier..I brought up the exact same point before, and the problem is.. users will NOT spend that much time reading that long explanation. Even if they did, they probably would not even remember the Administrator password.On the other hand, there is no definite definition for "secure" Internet. Do you mean big brothers watching over the traffic? peeping into our private life? nay. I would not vote for it. It is simply close to no solution. Human error is prone to happen, not ever going to go away.

[nlinecomputers]

The internet is too open and cooporative in design. I would do only 3 things:1. Require ISPs to block most all ports. Only the basics for web browsing, email, and chat should be open. 2. Require anyone running an email server to have virus scanning or you can't have an email server.3. Replace SMTP with a more secure email standard. One that has built in required encryption and some kind of central register of email addresses and the public keys assoicated with them. To send email you would have to get the public key of the recipent and you would have to sign your mail with your key. (some kind of DNS like system could be built so that this is transparent to the end user) This would prevent spoofing and allow anyone to block mail they don't wish to receive by blocking the key. If you violate the rules your public key can be revoked.This would not solve all problems nor would it prevent some exploits but it would cut the signal to noise ratio way down and allow for some tracking.

[epp_b]

One most users wouldn't read the dang thing. It it can't be explained it in 6 words or less it is ignored. Plenty of error messages and requests are put up in plain english an users DON'T read them.

Oh, of course, I overlooked that...duh.Grrrr....I don't see how so many end-users can simply just not care Not keeping your patches or AV definitions up to date it like driving with your headlights off at 2:00 in the morning -- stupid, ignorant, irrisponsible...and deserving of a fine.I think a step towards higher security is automation. Otherwise, the user has to actaully THINK (*gasp*) about they're doing! No, this certainly isn't a rock-solid solution, and it sucks for educated users who have to go through a switch off all of the automation, but it's a step towards keeping things more secure.

[Guest ThunderRiver]

One most users wouldn't read the dang thing. It it can't be explained it in 6 words or less it is ignored. Plenty of error messages and requests are put up in plain english an users DON'T read them.

Oh, of course, I overlooked that...duh.Grrrr....I don't see how so many end-users can simply just not care Not keeping your patches or AV definitions up to date it like driving with your headlights off at 2:00 in the morning -- stupid, ignorant, irrisponsible...and deserving of a fine.I think a step towards higher security is automation. Otherwise, the user has to actaully THINK (*gasp*) about they're doing! No, this certainly isn't a rock-solid solution, and it sucks for educated users who have to go through a switch off all of the automation, but it's a step towards keeping things more secure.

Automation is not always good. I prefer a more adaptive artificial intelligence that learns your behavior and decides what to do next. Nonetheless, it is simply not possible to make it boost up security through automation, considering spyware companies can learn how to counter automation sooner than you create new sets of rules for your "automation" to follow

[Guest ThunderRiver]

The internet is too open and cooporative in design.  I would do only 3 things:1.  Require ISPs to block most all ports.  Only the basics for web browsing, email, and chat should be open.   2.  Require anyone running an email server to have virus scanning or you can't have an email server.3.  Replace SMTP with a more secure email standard.  One that has built in required encryption and some kind of central register of email addresses and the public keys assoicated with them.  To send email you would have to get the public key of the recipent and you would have to sign your mail with your key. (some kind of DNS like system could be built so that this is transparent to the end user) This would prevent spoofing and allow anyone to block mail they don't wish to receive by blocking the key.  If you violate the rules your public key can be revoked.This would not solve all problems nor would it prevent some exploits but it would cut the signal to noise ratio way down and allow for some tracking.

1) ISP doesn't know which ports to block. Some people want to be secure and choose different ports for FTP..so do you mean ISP should actually restrict people to what ports they can use? 2) First of all, people worry about privacy more than security. What if the virus scanner is more than a virus scan and what if it actually collects more information than just scanned result? It is a hard question. It is like opening someone's mail and making sure that person doesn't have a specific stuff in there? It is against people's privacy.3) Secure SMTP has been around for a long time, but most ISP doesn't really think it is a good idea to implement it mainly because a) they prefer ip address based SMTP (if you belong to certain IP address family, you will be granted access to send email.. otherwise, reject). b ) average joe doesn't know how to setup their email account properly to send out emails.

[nlinecomputers]

By the numbers:1. If you're with it enough to know what ports to use then you can ask for extra ports to be opened for you. ISPs could even charge for the service to pay for the costs of blocking all the other ports.2. E-mail isn't secure now i can read, LEGALLY, any email that passes over my network. The only way to solve this is by encpytion and regulation of E-mail so that it falls under the same laws as snail mail. Either that or get it out of the courts as legal evidence. If you going to haul my email into a court then it better have the same protections that US MAIL has now.3. Too bad. If you want secure mail do it or violate the law. If this is the only way to get e-mail then users will learn the routine or not use it. Microsoft or others can make email software easier to setup. I would even accept keys that are created at the ISP and kept by the ISP with the encpryption occuring at that level. Much the same way SSL is used for secure web pages.

[Cluttermagnet]

Grrrr....I don't see how so many end-users can simply just not care Not keeping your patches or AV definitions up to date it like driving with your headlights off at 2:00 in the morning -- stupid, ignorant, irrisponsible...and deserving of a fine.I think a step towards higher security is automation.

This is surely a very difficult problem. There have been some great point/ counterpoint exchanges here. I could not help being struck by the unavoidable recognition that Joe Average users are indeed both ignorant and indifferent, many of them.To draw what can only be a very rough parallel, I might explain how things went from unregulated to regulated in the radio world. At the turn of the century, radio pioneers were using relatively low frequencies- I'm talking about the lower half of the AM broadcast band in the US today, which covers 535 to about 1700KHz. Even 1000KHz would have been considered a fairly 'high' frequency back then. The early operators also worked at frequencies well below that, as well. It was considered quite a feat to get a radio signal to travel much more than a few hundred miles. In those days, 'relaying' was in vogue. A bunch of ops all sat on the same frequency, and depending on the routing of a message, a station in that general direction picked it up and then immediately retransmitted it for others going in the same direction. Thus, through relaying, relatively puny stations could cooperate and have a message cross the country in just a few minutes. (sound anything like today's internet?) It was fairly revolutionary at the time. This is why today, the national organization for hams still calls itself the American Radio Relay League. Notice carefully that it took a fairly high skill level and a lot of cooperation between individuals to make all this happen.Here's the rub- in those days, the means of transmission on those lower frequencies was called 'spark', and such signals were as wide as the proverbial barn door in terms of frequency use. In effect, there were _at most_ only a few channels within the entire radio spectrum as they knew it in those days. If some guy fairly close to you was busy working on some frequency, you could do nothing but patiently stand by and wait your turn. This did not sit too well with the Navy, and they were fairly effective in persuading congress to effectively do away with the radio 'hams'. It was meant to be a death sentence. There are many good books on this subject. The hams got moved, kicking and screaming, up into the "useless short waves" above 200 meters wavelength. The hams took the lemon they were given and proceeded to make some very tasty lemonade. That's right, they were soon beating the pants off of the military and the commercial boys, getting really great transmission distance with fairly low power and small antennas. Turns out the short waves weren't all that useless after all, and eventually some more rule- making had to take place which established standards for testing and licensing of operators. This was absolutely essential, as an inept operator could cause a lot of problems for everyone. Not to mention that the military and commercial boys now wanted a piece of the action up on the short waves. By this time, more advanced radio techniques allowed radio signals to occupy a lot less bandwidth than spark, which soon became obsolete for obvious reasons- when a spark transmitter was on, it loused up pretty much 'the entire band' as we would think of frequency ranges today. For their trouble, the hams ended up getting some permanent assignments all across the spectrum with a number of specific 'bands', and the rest, as they say, is history.I'm thinking that there are some strong parallels to the internet today. We are in the wild west phase, and anything goes. That will probably have to change in time. Yet the present debate shows clearly that there are a lot of changes that are at strong cross- purposes here. None of this is going to be easy. That is why it makes sense that only after a particularly bad attack will folks really start getting serious about tightening up security. I was struck by another forum thread in the past day from a guy who sounds like he should know better, having been in computers for many years. And yet he missed the obvious detail of needing a firewall, and had his two new Win XP boxes immediately infected by Blaster. For gosh sakes, he really should know better, and he was no neophyte. That worm got him good! There ought to be a lesson in there somewhere. I can't quite put it to words. Someone else try.