Tim is right on this one, and here is why. We are supposed to be security professionals, Joe Six Pack is not, nor is he likely to become one. This is because Joe Six Pack is not interested in security, stopping spyware, malware, viruses and the like. The only thing he is concerned about is that his (or her) computer works when they want it to.

The average computer user does not see any value in software and hardware updates in order to make their machine run faster, better, or more securely. So they plug along with their "swiss cheese" machine until something catastrophic happens, which for many people they may never know, or care. As long as someone is not running up thousands of dollars on bogus charges on their credit cards, they simply don't care.

Case in point, the mother of one of my daughter's friends called me and asked if I could take a look at her computer. She said a nine year old that was visiting had installed some software and the computer wasn't running right. I came over and started with TCPView and saw several established connections to the Internet with no browser running. I pointed this out and said "you need a firewall". Then I ran AdAware and found 335 objercts including 10 running processes. The scan took over an hour to complete, including a reboot! Then I followed it up with SwatIt!. I told her she needed to upgrade to an OS with better security (Windows 2000 or XP) and to purchase a hardware firewall (I don't care for the software based ones).

Well she has done neither, I understand that for some money is tight. But until something really bad happens, the vast majority of people will do nothing. And even then some will continue to do nothing.

Another example, one of my daughter's friends sends her a virus hoax. My daughter brings it to my attention, so I respond to the message with a link to Symantec's virus hoax page. I get a nasty response from the girl's aunt about my message and that the little girl did "the right thing" and I was wrong! I wonder if she would feel that way if the message she was sending told people to delete files from their computers.

Obviously nothing bad has happened to Mr. Mossberg, because if it did I am sure that he would be screaming from the top of the mountain about why the "security professionals" didn't save him from his problems.

One of the things I learned very quickly about this business is that it is a "moving target". Everybody, including Joe Six Pack has to move with it and that is where the problem lies. Systems will never be totally secure because you will always have the person who "just doesn't get it", or never will.

Maybe Mr. Mossberg should walk a mile in our shoes before proclaiming we are "part of the problem".

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/236/26011#26011