Free Republic
Joe Average User Is In Trouble
The Register ^ | 10/27/03 | Scott Granneman

Posted on 10/27/2003 4:42:42 AM PST by Salo

Opinion

One of the many hats I wear here in St. Louis is that of college instructor, writes SecurityFocus columnist Scott Granneman. I teach courses in technology at Washington University, recently ranked the ninth best overall college in the nation by U.S. News & World Report, and at St. Louis Community College at Florissant Valley, one of the better community colleges in the area. I teach smart people at both locations. One is composed of folks who can pay the high prices for an education at a nationally-ranked university, and the other has people who work during the day and want to improve their skills at a good public school while keeping their costs low.

In other words, I see a pretty good cross-section of the computer users in our area.

Oh sure, some of my students are what we'd call "computer people," who work professionally programming or administering various systems or developing Web sites. But those are few and far between. Most of my students are office workers, or writers, or homemakers. Almost all of them run Windows at home and at work, usually ME or XP. They all know how to "use" their computers, which means that they can write papers, read email, use the Web, and even install software (as long as it's not packaged as a ZIP file: most of them have no idea what a ZIP file is or how to use it). In other words, your typical American computer user.

I'm here to tell the security pros reading this that we are in deeeeeep trouble when it comes to securing the computers of these people.

Security is just not a concept that "normal" folks focus on. It's not even on the radar screen. It's just not thought about at all.

The problem

"Do you update your anti-virus software regularly?" I'll ask them. Most look at me as though I'd just asked them if they refloozle their hossenblobbets with tinklewickets. A few will tentatively volunteer a timid, "I ... think so?" Some are willing to admit that they don't even have anti-virus software. At least they're sure.

"Do you run Windows Update regularly?" I'll ask next. Hmmm ... those hossenblobbets really do need refloozling. Some state that yes, they do run Windows Update, but they have no idea what it is doing to their computer, so they just agree to everything and assume it's all good. Most say they've never done it once, if they even know what it is.

"Do you have DSL or a cable modem at home?" is my next question. Ah, finally! A question they can all answer. They know the answer to this one! About half usually have some sort of broadband connection, and they are enthusiastic in their answers: "Yes, I do! You betcha! Love it!"

"Great!" I continue. "Do you have personal firewall software running on your computer? Do you have a router/firewall so your Windows machine isn't directly connected to the Internet? Did you remember to turn off file and printer sharing if your Windows machine is directly connected to the Internet?" A pause ... and we're right back to hossenblobbets and tinklewickets.

It's enough to make someone who cares about security throw up his hands in frustration and just give up.

Especially when we look at the unending stream of patches that has been flooding from Redmond, Washington over the past couple of days ... uh, weeks ... uh, months ... oh, the heck with it: years. Just last week Microsoft announced a mega-patch for five security vulnerabilities deemed "critical". Windows Server 2003, which Microsoft promised would be its most secure OS yet, has already had nine security bulletins issued for it. Windows XP, the flagship desktop OS for home and business users, has seen patch after patch after patch, as a search at the SecurityFocus Vulnerability Database will disclose. To top things off, some of Microsoft's patches are themselves buggy, requiring further patches and updates to fix these patches.

It is a huge - and growing - problem for IT professionals at businesses to keep up with all the patches Microsoft issues. How, then, are non-professionals supposed to deal with the problem? More importantly, how are security pros supposed to deal with the bigger problem: that non-pros don't deal with the problem?

Solutions?

We can't just ignore the problems with insecurity that our non-IT friends, family, co-workers and acquaintances have with their computers. If their machines are compromised, we feel the effects, whether we realize it or not.

We feel the effects when we end up spending several hours each week doing pro bono IT work at the homes of the people we know (I've tried sending my Mom a bill, but she never pays, the deadbeat).

We feel the effects when the Internet slows to a crawl due to a sudden explosion of traffic caused by a particularly-virulent virus or worm.

We feel the effects when we get even more spam, sent from compromised zombies to everyone else on the Net, or when those zombies are used in DDOS attacks on anti-spam Web sites.

We feel the effects when zombies owned by our unknowing friends and family are used to secretly host scams, or porn sites ... or worse.

In my angrier moods, I sometimes think that we should require licenses to operate computers, just like we require licenses to drive automobiles. I know that such a plan would never work in the real world, but it's a pleasant fantasy all the same.

So what can be done? First of all, Microsoft desperately needs to improve the underlying security of their products. As I talked about in my last column, there are fundamental problems with the way that Microsoft designs its systems. Email programs that contain embedded Web browsers that are themselves embedded into the operating system are disasters waiting to happen. Microsoft makes it too easy for people to do stupid things with its software, and it needs to remedy that.

Further than that, Microsoft needs to improve the way that its operating systems are updated and patched. A recent decision to consolidate patches into a monthly release is not, however, the way to go. Sure, on the one hand it makes things easier for the security pro who now only has to download and apply a mega-patch once a month. But, on the other hand, do you really feel like waiting three weeks until the next mega-patch comes out, hoping and trusting that you don't get bit in the meantime? And do you think your grandmother is going to remember to install that monthly patch? I can just see it now: "Hi, Grandma. Yeah, I'm doing fine, and so's the dog. Sure, cookies would be great! Hey, did you remember to install your Microsoft mega-patch yesterday?"

To counter the immense problem of the millions of people who never install personal firewall software, Microsoft bundled an extremely simplistic "Internet Connection Firewall", or ICF, with Windows XP. Unfortunately, ICF is turned off by default, and it's hard for users to find if they do want to enable it. Even worse, ICF only blocks incoming traffic, so Trojans that try to phone home are in the clear. Evidently Microsoft is going to improve ICF in future versions of Windows, including future shipping copies of XP (which is good, considering that the next major version of Windows, code-named Longhorn, isn't going to see the light of day until 2005 at the earliest). It's going to be enabled by default, which is a good start, but there's no word about blocking outbound traffic at this point.

To counter the immense problem of the millions of people who never install or update anti-virus software, Microsoft recently purchased GeCAD, a small Romanian anti-virus software company. Microsoft hasn't made it clear how deeply it intends to get into the anti-virus business, and analysts are divided, with some sure that Microsoft will eventually challenge Symantec and McAfee and the other large AV vendors, and others arguing that Microsoft just intends to get a better handle on improving the security of the Windows platform. I suspect that Microsoft hasn't yet decided what it wants to do on this front. Forcing AV software onto end users is a good thing, but I would really hate to see Microsoft destroy another software market by bundling new capabilities into the OS (the same concern applies to personal firewalls in the previous paragraph).

To counter the immense problem of the millions of people who still do careless things with their email, like open attachments they weren't expecting, Microsoft is making changes to the way its corporate email program Outlook behaves (including, however, the addition of odious DRM (digital rights management) features that will cause more problems than they solve). These are good changes, but let's see what happens once Outlook has been in the real world for a few months. I hope that the days of constant security issues with Outlook are over, but I'm taking a skeptical wait-and-see attitude, an attitude that seems entirely justified, based on one bizarre "feature" that the brand new program displays. Oh, by the way: if you or someone else you know uses the free Outlook Express, you're out of luck. Microsoft has no plans to improve it any further. If you know someone using Outlook Express, get them onto something else ASAP, like Mozilla Thunderbird.

To counter the immense problem of the millions of people who never run Windows Update (or Office Update, for that matter), Microsoft will probably install patches and updates automatically, by default. This makes me nervous, to say the least, since Microsoft has a history of releasing patches that don't work, or cause new problems, or require updates for the patches themselves. And personally, I don't like anything automatically installed on my machines. I want to be in control. But for the great mass of computer users out there, I think it's a solution that is unfortunately necessary. If people won't do it themselves, then it needs to be done for them. Let's just hope it works smoothly.

An unrequested but necessary responsibility

Microsoft can do a lot, but it's still the folks in the trenches who are left with the hard work and the dirty jobs. Yeah, I'm talking to you, the security professional reading this column. You and I have a lot left to do. We bear some of the blame for this mess by both mistaken actions and inactions but, more importantly, and more unfortunately, we bear most of the burden. Even if we don't want to, we're going to have to work with the people around us to help improve this pretty awful situation.

I know a lot of you are already performing what feel like the labors of Hercules. You're providing the free tech support that I mentioned above. You're spending hours downloading and installing patches, and cleaning up for folks when their computers become bewitched, bothered, and bewildered. You're the one driving out to CompUSA to buy a router/firewall when your parents get that new DSL connection. And you're the one patiently explaining yet again to yet another person why they need to install anti-virus software.

But we can do more. No, we must do more.

Because like it or not, Windows ain't going away for a while. Probably not ever, totally (calm down, Linux and Mac OS X users - I'm on your side, but let's be realistic here).

We've got to do more, because who else is going to do it? Microsoft claims it's working as hard as it can to improve the security of its products, but whether that claim holds up is, to put it politely, debatable. Besides, as we all know, security is one big chain that is only as strong as its weakest link, and the weakest link is always ... the people. Microsoft can work and struggle to give its software a secure foundation, the same strong foundation that much open source software already has, but as long as it makes it easy for smart people to do dumb things, we're always going to have a problem. So it's up to us, the people reading this column, the smart people who try to do smart things, to help the great mass of computer users.

And what's the greatest help we can offer them? It's simple, really: education.

We've got to educate our parents, our other family members, our boyfriends and girlfriends, our wives and husbands and partners, our in-laws, our friends and acquaintances, our co-workers, and even the people we just bump into for a few moments at parties. We need to be polite, non-threatening, non-judgmental, and above all, helpful. We can't be zealots. Our answer to every problem can't be "Run Linux!" or our other favorite operating system (unless the individual we're talking to is interested in such a solution, then by all means, go for it). We can, however, recommend (and install, and support ... *sigh*) software that will run on their operating systems and is built in a more secure fashion, like Mozilla or OpenOffice, if that software is appropriate. Most importantly, we need to speak in a language that Joe or Jane User can understand. No hossenblobbets and tinklewickets.

Going back to my classes at Washington University in St. Louis and St. Louis Community College, I always spend time with my students educating them about various issues in security. I try to impress upon them the importance of anti-virus software, and Windows Update, and firewalls, both hardware- and software-based. If they have a broadband connection, I take some time to talk about the advantages it brings, but also about the dangers, and how they can protect themselves against those dangers. And you know what? My students are genuinely interested in what I can tell them, and most of them think about what I've said and actually act on it.

I can't teach my students everything, but I try to teach them something. Every security professional needs to do the same. We're at the forefront, like it or not, and it's up to us to help lessen the myriad of problems we see around us. Like it or not, we need to become educators - permanent educators - or we may find ourselves refloozling those hossenblobbets with tinklewickets one too many times.

Copyright © SecurityFocus


TOPICS: Business/Economy; Technical
KEYWORDS: computersecurity
A great article about computer security.
1 posted on 10/27/2003 4:42:43 AM PST by Salo

To: rdb3
Paging Dr. Penguin.
2 posted on 10/27/2003 4:43:18 AM PST by Salo

To: Ernest_at_the_Beach
Tech list ping.
3 posted on 10/27/2003 4:43:48 AM PST by Salo

To: Salo

4 posted on 10/27/2003 4:59:07 AM PST by agitator (Ok, mic check...line one...)

To: Salo
I'm working on a PC protection CD that I can distribute to my friends & family.

AVG anti-virus freeware (www.grisoft.com)

Zonealarm freeware - firewall

Of course, the many toys at Gibson Research (www.grc.com)

5 posted on 10/27/2003 5:01:44 AM PST by an amused spectator

Good article. I was "forced" into learning more about firewalls and security shortly after I started to use Linux. RH 7.2, IIRC. Was on a dialup, and some script kiddies found my IP address and were able to crash my system. About 2 weeks later I discovered the logs. My reaction was "Holy Cow!!!!, I better learn about this."

Anyway, my simple point being that security issues are not limited to MS. Now I sit behind a SOHO firewall (cable router). I'm impressed by the small footprint it shows the outside world. I think the "education" solution won't work. The concepts are tough enough, and implementation is even more difficult. Instead, I would suggest that widespread use of hardware firewalls will effectively reduce the rate of system compromise. I have to concede that dialup users have the chore of being more software savvy.

6 posted on 10/27/2003 5:01:51 AM PST by Cboldt

To: Salo
Our answer to every problem can't be "Run Linux!" or our other favorite operating system (unless the individual we're talking to is interested in such a solution, then by all means, go for it).

Run CPM-80!!!

Mark

7 posted on 10/27/2003 5:06:22 AM PST by MarkL (Chiefs 7-0! Who'd-a-thunk-it?!?!?!)

To: Cboldt
I think a good starting point for many ordinary users is Gibson Research (www.grc.com). Most of the language is actually coherent.
8 posted on 10/27/2003 5:10:11 AM PST by an amused spectator

To: Salo
1) Regular operating system updates.

2) Regular antivirus updates, weekly full system scans plus normal checking.

3) Hardware router so PC isn't directly connected to the Internet.

4) Personal firewall program to detect any Trojan Horse programs that might sneak in.

5) Spyware removers run bi-weekly. I use 2, Ad-Aware and Spybot Search and Destroy.

9 posted on 10/27/2003 5:15:59 AM PST by FreedomPoster (this space intentionally blank)

To: Salo
I agree - a good article. The best OS security scheme in the world is useless if people don't use it or don't understand it. There's something of a paradigm shift going on in the Windows world, wherein people are gradually moving from a totally insecure single-user operating system to a fundamentally more secure regime, but that's meaningless if people don't understand why it needs to be done, and don't get the education they need in order to implement it properly. Someone who doesn't do these things is not going to be protected by changing operating systems - a person who understands why system security is important, and takes responsibility for learning about it, is going to be reasonably safe regardless of operating system. Conversely, a person who does not understand why sometimes convenience must take a back seat to security, and does not make the effort to protect themselves, is not going to be safe, no matter what OS they use.

No OS in the world can really protect users from themselves in the long run - some can make it more difficult to shoot yourself in the foot, but eventually, a careless person will always get burned, no matter what. You could replace every single Windows desktop in the world with Linux tomorrow, and you'd still be faced with the problem of educating people about how and why they should protect themselves. Basic operating system security has to become a fundamental part of learning how to use a personal computer, in just the same way that knowing how to use a turn signal is a fundamental part of learning to drive a car.

10 posted on 10/27/2003 5:16:18 AM PST by general_re ("I am Torgo. I take care of the place while the Master is away.")

To: MarkL
LOL! Yes, and where can I download a TCP stack for that? heh
11 posted on 10/27/2003 5:16:39 AM PST by FreedomPoster (this space intentionally blank)

To: Cboldt
There is a problem with routers for the low-tech user that you are ignoring, or hopefully doesn't exist with your ISP.

My ISP, Time Warner, apparently hates their customers to have routers. They want to sell more addresses. So they ping the routers all day and night long, and typically, service will be interrupted every once in a while. The fix is certainly no biggie ... Turn-off, Turn-on, or re-boot. But even this simple step is too much for many "users." To be frank, sometimes it gets a little sticky, requiring two or three goes.

So instead, they get frustrated, hook up directly to their cable modem again and forget about it. Or maybe use Zone Alarm, if they can figure it out. When I am on the road, my spouse will typically try to re-engineer the router connection by going straight to the modem. Her computer, as a result, is absolutely loaded with crap, requiring ferocious cleaning and maintenance.

12 posted on 10/27/2003 5:17:57 AM PST by Kenny Bunk

To: an amused spectator
I agree, Gibson Research does a very good job. But I'll wager that we both know computer users who would be perplexed even by a coherent explanation. Naturally, they'd nod in agreement and express understanding -- but ask them a few questions and you'll see that they don't really "get it." Most users need cookie cutter instructions at least the first time around, and sometimes in perpetuity ;-)
13 posted on 10/27/2003 5:20:19 AM PST by Cboldt

To: agitator
Hey, why did you post my picture?
14 posted on 10/27/2003 5:22:13 AM PST by blam

To: Salo; All
OK, what's THE best anti-virus software? I was using McAfee but it was not very user friendly and have been told it's not as good as Norton -- but would love to know what my Freeper IT friends think.

Thanks in advance.
15 posted on 10/27/2003 5:27:37 AM PST by Lee'sGhost (Crom!)

To: Kenny Bunk
My ISP (Adelphia) pings the cable modem regularly, to maintain the lease on the IP addy. They don't care how many machines use the bandwidth. I don't know how they'd learn the IP address of the router on my local network, and the router has been instructed to discard PING (ICMP) packets.

I used to have to reboot the hardware router about once a week, but lately it's been solid (after a program update). I'm running a Netgear MR314, router plus wireless.

16 posted on 10/27/2003 5:30:11 AM PST by Cboldt

To: Lee'sGhost
Which are better, Ford or Chevy pickups?

I think using either, with regular updates, is 1000000% better than nothing.

Actually, the infrastructure IT guys at a company I'm doing some work at, like Trend Micro the best. They are competent people that I respect. I use Norton/Symantec, as you can get it at a good price as part of Norton Systemworks. I like the WinDoctor registry groomer that comes with that package, as well as the disk optimizer.
17 posted on 10/27/2003 5:32:49 AM PST by FreedomPoster (this space intentionally blank)

To: FreedomPoster
WinDoctor registry groomer?
18 posted on 10/27/2003 5:34:04 AM PST by Lee'sGhost (Crom!)

To: Salo
The gradient of computer knowledge is tremendous. Perhaps 90% of the people I know look at me like I'm an expert, but our IT guys know stuff I have no clue about.

Sometimes I think they prefer the fully ignorant users, and not just for job-security reasons. Those of us who know what we're doing sometimes know enough to be dangerous. >:)

-Eric

19 posted on 10/27/2003 5:36:28 AM PST by E Rocc (Collectivism is to freedom as raw sewage is to fresh water.)

To: MarkL

-Eric

20 posted on 10/27/2003 5:41:59 AM PST by E Rocc (Collectivism is to freedom as raw sewage is to fresh water.)
