Mad As Hell: Metaphor 1.42

Security Awareness for Ma, Pa and the Corporate Clueless ^ | 5/30/2005 | JX Bell

[Swordmaker]

The comments on the Blog are interesting too... especially the clueless Windows users.

[Swordmaker]

More in the Mad as Hell series... Metaphore 1.42...

If you want on or off the Mac Ping List, Freepmail me.

[Jet Jaguar]

Thanks for the ping.

[MaryFromMichigan]

Gotta make sure hubby sees this one!
Thanks.

[Tribune7]

The best summation I've seen on the issue.

[rockrr]

Borrowing his analogy, I appreciate the irony that "users" (non-admins) can't wash the windows (say, view TCP/IP settings), but can blast a hole in the wall and install a picture window (D/L malware & let it go to work).

And all the little admins scurry around shouting, "We've got to reign in these end users! They're killing us!"

[avenir]

"Somewhere in town, a bird chirped."

What. A. Dork.

This "good town" reminds me of the good towns in horror films that wind up being bathed in a bloodbath.

Lock your front doors, little ones, and whatever you do don't let this mad-man in.

[Turbopilot]

Geez, that was quite a rant. Here ya go:

XP SP2 (free upgrade if you already have XP) Mozilla Firefox
Norton Internet Security (or other software firewall and antivirus)
Lavasoft Ad-Aware SE
Spybot
Hardware firewall (in your home network router or wireless router)
WPA-PSK (if you're using wireless)

Auto-run and auto-update the above (scheduled when you're not home)

Most of these are free (Norton's not but you can get free alternatives that are about as good) and all take zero time and effort once installed since they can be set up to automatically run and update themselves when you're away. Viruses and malware don't propagate because Windows machines can't be secured; they propagate because people don't avail themselves of the massive amounts of security available to them.

[Terpfen]

The difference is, that security isn't available out of the box.

And by the way, Norton products suck. All of them. Get NOD32 or Kaspersky AV, and grab the WPA2 patch from Microsoft so that you can upgrade your wireless security recommendation.

You also left out SpywareBlaster and an actual physical firewall of some sort--ideally a separate box, but in most cases a router would do. Software firewalls are bogus.

Using the configuration of XP SP2, Firefox, Kaspersky, Spywareblaster, and a router, I've had precisely zero malware infections of any type.

[Swordmaker]

Viruses and malware don't propagate because Windows machines can't be secured; they propagate because people don't avail themselves of the massive amounts of security available to them.

Gee, Turbo, you're right, if it wasn't for those darn users not knowing what to do immediately when they get their new Windows computers to safely surf the internet, everything would be peachy keen. Why not just get rid of those, oh, so ignorant, users? Then the problems will go away...

Or... maybe, just maybe... it might be better to use an operating system that is secure when you first turn it on after you take it out of the box???

From SecurityFocus' Scott Granneman:
. . . The Slammer worm did most of its dirty work in under ten minutes. A half an hour is all it took for Nimda to spread worldwide. The Witty worm took an almost leisurely 45 minutes - but in that time it managed to infect every possible machine in its threat portfolio. And the slowpoke of the bunch is Version 2 of the Code Red worm, which worked for almost 14 hours to infect 359,000 machines, but at one point it was taking over 2,000 new computers every minute, which ain't bad (be sure to check out the cool animations demonstrating the rapacious spread of the worm).

"If a user isn't educated enough to know how to open up a port he needs to run a particular program that needs a hole punched in the firewall, then that user shouldn't have unfettered access to the Net anyway."

Let's add a new time frame for computing disaster to the list above, one that every security pro should know: 20 minutes. . . . that's how long your average unprotected PC running Windows XP will last once it's connected to the Internet ... before it's compromised and effectively owned. . . .

The SANS Institute Internet Storm Center released those eye-opening numbers a few days ago [Aug. 18, 2004 - Swordmaker]. Go take a look at their graph, and you'll note that the current time of 20 minutes is half that of what it was a year ago, although, to be fair, the average has been both higher and lower - over an hour last Christmas and only about 15 minutes in the spring. That hour at Christmas seems like an aberration, and the overall trend has definitely been downward, towards far shorter times before your Windows box is not really yours any longer. [Some pundits are now claiming less than 4 minutes - Swordmaker].

As the SANS Institute notes, 20 minutes is not long enough to update your Windows PC before it is too late. If you take a new PC out of the box, plug it in to the Internet, and power it on, most people (most people? OK - a lot of people. Uh, alright - some people. Erm ... *sigh*. A few people. Happy?) know enough to immediately hie thee over to Windows Update and get the latest patches from Microsoft. Then reboot. And get more patches. And reboot. Ad infinitum. Oh, and don't leave out the latest anti-virus updates either. Gotta have those. Oh oh oh - don't forget Windows XP Service Pack 2, the gotta-have update from Microsoft, which "may be as small as 70 megabytes (MB) or as large as 260 MB". And users are supposed to download all this in less than 20 minutes?

[Turbopilot]

The difference is, that security isn't available out of the box.

No, but it's so easily and freely accessible that it's hardly worth complaining about.

And by the way, Norton products suck. All of them. Get NOD32 or Kaspersky AV, and grab the WPA2 patch from Microsoft so that you can upgrade your wireless security recommendation.

I've been happy with Norton's security, though it does take up a lot of system resources. I'll look around next time my update subscription runs out.

You also left out SpywareBlaster and an actual physical firewall of some sort--ideally a separate box, but in most cases a router would do. Software firewalls are bogus.

I haven't tried Spyware Blaster, though it's been recommended to me. And item #5 on my list was a hardware firewall.

Using the configuration of XP SP2, Firefox, Kaspersky, Spywareblaster, and a router, I've had precisely zero malware infections of any type.

Me neither, using my above recommendations.

[EGPWS]

... especially the clueless Windows users.

You don't like Bill Gates do you.

Look at the bright side, without his Billion dollar business, your chastising day's would be over.

That would lead you to frustration.

Or to become mad as hell....

[Turbopilot]

Gee, Turbo, you're right, if it wasn't for those darn users not knowing what to do immediately when they get their new Windows computers to safely surf the internet, everything would be peachy keen. Why not just get rid of those, oh, so ignorant, users? Then the problems will go away...

Be sarcastic about it if you want, but the fact remains that if you don't lock your car it's a lot easier for a criminal to break into it. You can blame the auto maker for not having automatically-locking doors...or you can just lock the doors when you park.

Or... maybe, just maybe... it might be better to use an operating system that is secure when you first turn it on after you take it out of the box???

Well, when I got my current system (pre-SP2) it included Norton's antivirus and firewall package. And now new systems should have SP2, which comes with the Windows firewall on by default. That's enough security to jump on and get the few small, free programs that will complete your protection. And if you don't expect a user to handle that simple task, how do you expect to convince him to learn a different operating system, software suite, etc.?

Windows isn't perfect, either, but it is better than ever, and there's no reason the average end user can't have a well-secured XP box. Ranting about security issues that either no longer exist or have easy fixes just makes the author look like a Mac partisan who's bitter that the world won't accept his alternate vision of computing utopia.

[Swordmaker]

Me: "... especially the clueless Windows users."

You: "You don't like Bill Gates do you."

What has the comments on the blog have to do with Bill Gates? The Windows users who, with no experience with Macs, made clueless commentary about the issues.

[Swordmaker]

...just makes the author look like a Mac partisan who's bitter that the world won't accept his alternate vision of computing utopia.

Have you read the other "Mad as Hell" articles? These guys are not Mac partisans, although I suspect they will be after a few weeks. They are and have been Windows partisans for over 20 years.

[EGPWS]

What has the comments on the blog have to do with Bill Gates?

I am at a loss for words.

My mistake, I thought Bill Gates had something to do with the windows operating system.

I'm just a happily clueless windows user....

[Turbopilot]

Have you read the other "Mad as Hell" articles? These guys are not Mac partisans, although I suspect they will be after a few weeks. They are and have been Windows partisans for over 20 years.

I haven't followed the blog but I've read the ones I've seen posted here (I believe two others; don't know how many I've missed).

In all honesty, I think the whole series of articles is fairly silly. This guy supposedly is an expert who runs a computer security firm, but he can't hack turning on a firewall? This series of articles may have made sense a year ago, or two years. But now, with SP2, Firefox, and the widespread availability of free security and anti-malware software, this guy is complaining about issues that have been resolved for those willing to take advantage of the solution. You'd think a computer security expert could handle that.

[Swordmaker]

I'm just a happily clueless windows user...

Do you post inanities and falsehoods about an operating system you have never used and know very little about? Do you repeat those inanities and falsehoods merely because you've heard them from other people just as ignorant of the subject? I haven't see you do that... so, while you may be a Windows user, you probably aren't clueless.

On the other hand, several people in the position to know, claim that 70-80% of Windows users ARE clueless about computer security on their chosen platform. It is these people that Winn's company address on his web page "Security Awareness for Ma, Pa and the Corporate Clueless" and who are his primary customers. Quite frankly, most of my clients are also clueless and depend on me to make their Windows computers secure.

The Windows users who come on the Blog and make comments such as "Windows is perfectly capable of being secured if you just...a,b,c,d, and e, after you start it up", just as you did, ignore the fact that most people who buy a computer to surf the net, get email, print a few photos, haven't the foggiest idea that they even NEED to do those things much less HOW.

[EGPWS]

What's a computer?

[Swordmaker]

What's a computer?

LOL.

Well, up until the 1950s it was defined as a person who manipulated numbers...