Security expert: User education is pointless

MONTREAL--Forget about teaching computer users how to be safe online.

Users are often called the weakest link in computer security. They can't select secure passwords, and they write down passwords and give them out to strangers in exchange for treats. They use old or outdated security software, can't spell the word "phishing," and click on all links that arrive in e-mail or instant messages, and all that appear on the Web.

That's the reality, Stefan Gorling, a doctoral student at the Royal Institute of Technology in Stockholm, Sweden, said in a talk at the Virus Bulletin conference here Wednesday.

When things go wrong, users call help desks, either at their company or at a technology supplier, such as a PC maker, software maker, or an Internet access provider, which can cost a fortune. The solution, many technologists say, is to educate the user about online threats. But that doesn't work and is the wrong approach, Gorling said.

"I don't believe user education will solve problems with security because security will always be a secondary goal for users."

--Stefan Gorling, doctoral student, Royal Institute of Technology

"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"

In Gorling's view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security, he said.

It isn't productive, for example, to ask users to detect e-mails that seek to con them into giving up personal e-mail, he said. "Phishing is too hard to detect, even for experts."

And even if people can be trained, they can't be trusted to be on guard all the time, he said.

"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."

Some examples of built-in security mentioned at Virus Bulletin include a phishing shield in Web browsers, virus filtering in e-mail services and programs, and protection as part of instant messaging services such as Microsoft's Windows Live Messenger.

[rcrusoe]

Gorling is 99% correct

99% of users are not only clueless, but most just don't give a <br />d@mn about security. They ignore policies and procedures and <br />expect the I.T. department to bail them out when they screw <br />things up - and so do their managers.<br /><br />Over they years we have developed policies to protect users <br />from themselves. On our Windows machines we lock IE on high <br />security, no cookies, etc. and install Mozilla. Windows users are <br />not allowed to send/receive over 40 types of file attachments. <br />And many are not allowed any access to the Internet. And from <br />the looks of things we are going to have to tighten up on them <br />even more.<br /><br />The handful of users that actually try to do things correctly are <br />treasured by our I.T. staff and are rewarded with more frequent <br />hardware updates, and whatever other perks we can give them.<br /><br />It's too bad we haven't been able to talk management into <br />switching all our desktops to Macs. The departments that use <br />them are never a problem - regardless of the attitude of their <br />users.

[timcoyote]

Treasure?

How do your employees get their jobs done with that much lock down or do you treasure them because they are able to follow the rules and still get their jobs done? <br /><br />Without cookies and IE security set at a minimum, our multi-million dollar corporate ERP will not work at all.<br /> <br />Without file attachments we can?t share information to our vendors and outsourced services. Today I got an internal email with embedded image(word doc converted to image) and an attached word doc with a calendar-macro executable embedded and when asked why would you do that, I got ?Oh, we have a cool software thing that we purchased that does that automatically for us..isn?t it cool?? (that happens whey you lock those departments down really tight to the point that they hire their own IT professional to learn how to work around your defences.)<br /><br />If you don?t have internet access, how do you look up what raison d?etre means? or translate the service request sent in Spanish? Try asking a research professional to only use Lexus Nexus and a printed copy of a newspaper to do his job, it just doesn?t work anymore here.

[suckerno1]

Computer Sucks

I think the biggest sucking think ever invented was the computer....<br /><br />And that is why we have so less time to other things.<br /><br />Computer and Internet Sucks.... <br /><br />Founder<br />www.searchsucker.com

[unigamer69]

A fox opens up a wormhole...

...and throws a troll back to the Stone Age. =:oP<br /><br />Talk about a hypocrite - writing anger about the Internet, over the Internet. =;o) Tee hee. =xoD

[ejevo]

Yeah, I guess

I agree the burden should be taken off of the end user, but the burden should be put back on the software vendors, and perhaps even the decision makers who control the various protocols we use as part of the Internet. IT would then have the burden of making sure the implementations and processes surrounding these secure products did nothing to hamper their security - that would be a job that would be manageable. To have each individual IT department of every company the sole implementor of a security solution has almost as much chance of working as does educating the user. It's time to throw out this version of the Internet and start over - and this time focus on security.<br /><br />One item did strike as incorrect: "Phishing is too hard to detect, even for experts." I don't necessarily agree with that. It's typically pretty easy to hover over a link and see from the URL that it's phishy. Seeing a ".kr" or ".ro" as a TLD is a pretty easy hint to pick up on.

[gdmaclew]

To What Extent?

Ok. So we take the burden off Users.<br />We tell them to open up any and all e-mail that they receive and we'll deal with the consequences.<br />Go to any Web site you want and click on any old damn thing you want and we'll pick up the pieces.<br />Might as well tell them that they should go home and open their door to anyone who wants to come in, or better yet, just don't lock your door.<br />Then let the police handle the crime that ensues...right?<br />Nonsense!<br />Just give Users 2 simple rules...<br />1. Don't go to Web Sites that aren't job-related.<br />2. Don't open e-mails you don't recognize.<br /><br /><br />Period.<br /><br />IT protects them from the big stuff.<br />They have to protect them from themselves.

[Vegaman_Dan]

No excuse for ignorance

We can't keep protecting people from themselves if they aren't willing to learn some rather basic things. We're not talking about rocket science, nuclear physics or even trying to repair a Mac. It's simple things anyone online should know. Being ignorant simply isn't a valid excuse anymore. <br /><br />Doctors go to schools before they are allowed to operate. I wouldn't expect the maker of the surgical equipment to tell the doctors how to operate- hey doc, don't forget to suture up that artery or they may bleed to death. <br /><br />User education would eliminate most of the problems with computers today. It won't happen, but we can all dream.

[jbondo]

huh

"they write down passwords and give them out to strangers in <br />exchange for treats"<br /><br />what the hell does that mean? when has anyone ever witnessed <br />this?

[rcrusoe]

Re: give them out to strangers . .

Goring may be kidding about the "for treats" part (or not) but he <br />is not about users giving away their passwords to strangers.<br /><br />Kevin Mitnick performed some of his most famous hacks not <br />through his computer skills, but rather through "social <br />engineering". In other words he conned people into giving him <br />passwords, modem phone numbers, etc.<br /><br />I've called users at remote sites who didn't know me, asked them <br />for their passwords to "check out their computers" and had them <br />give them to me without question. <br /><br />I didn't even need "treats".

[jabbotts]

it's analogy with some artistic expression

Users are not really trading password for candy but they may as well be.<br /><br />Users pick poor passwords then write them down on paper or post-it. paper get's handed to someone next to them or someone who smooses them well over the phone (you crazy phreaks you). Post-it's get left on the monitor of the machine that a wood-be criminal simply read as they login.<br /><br />The allusion is too public anouncement adds from years ago about talking to your kids about strangers. Don't talk to strangers, don't take candy from strangers.<br /><br />Now the adults (in computer terms) are finally reaching the point where they are meeting strangers and the first thing they do is answer back and look for opertunities to hand out there passwords and information.

[dcongrav]

It's happening as we speak

At this moment there is a phishing scheme going on with a purported Walmart email where you are offered $35.00 if you answer a "survey" and then give out your card information for a "deposit" ("treat")

[CBS Orchestra]

It Was Actually Done

I can't quite recall where I saw it, but a couple of years ago, there was an article about an experiment of sorts. Somebody hung around outside some business and offered passersby candy in return for their user passwords. A statistically significant number of them coughed up the passwords in return for the treats -- and the researcher was able to verify that most of the passwords were correct.<br /><br />Needless to say, it didn't go over too well with the security folks at that establishment.

[unigamer69]

Yes, I have.

The treats were called "free games and apps." =:oD<br /><br />This is a wickedly common tactic for a Trojan horse. Of course, if you can get that in there, why bother getting just one password? You can get them all! =xoD

[technewsjunkie]

Don't blame users!!! Security has become far too complex.

Defending users from IT blame has been a constant battle <br />throughout my experience in desktop support.<br /><br />People use computers to do a task. These People already have a <br />job, or profession, that they are well trained to do. They should <br />not be overly burdoned with<br />the enormous, convoluted facits of security! That's for IT <br />professionals, but more importantly *software vendors* to take <br />responsibility for! <br /><br />In what other business are customers BLAMED for merely using a <br />product for a task while the product become damaged just by <br />using it?

[technewsjunkie]

No money for training, let alone exponential security breaches

Who's going to pay for this?

[rapier1]

Part of the problem

Is that security often reduces a user to a choice of <br />fast, easy, secure - pick any two.<br /><br />Anything that gets in the way of the user experience will <br />eventually be circumvented. As such security has to be easy and <br />intuitive to use, it can't noticibly impact the user experience, and <br />it has to be truly secure. The user can't be given the option of <br />easily disabling the security features. If the user can disable or <br />circumvent the features it should either result in a locked down <br />system or a significantly crippled level of functionality.

[Steve Jordan]

No education? That's just nuts.

If you want to go get lunch, all you want to worry about is getting a sandwich. That doesn't mean I need a cop to help me across every street! I was taught how to mind the lights and look both ways, and I do that every single time.<br /><br />Education is not pointless, it's essential. The people who refuse to be educated will be the people who get run down in the middle of the intersection.

[jabbotts]

if only they blamed themselves not the car

Education is absalutely essential however the current problem is that those users who don't look both ways before crossing the street blame the car that hit them.<br /><br />The stupid computer ate my harddrive! (after vising six questionable sites and clicking on every link that got emailed to me)

[J_Satch]

The problem is...

...the notoriously short attention spans of most users. My favorite quote in the article is "I have seen a spike in the number of incidents reported by our internal users". What this person does NOT go on to say is that just like a spike, it has a leading edge and a trailing edge. From the top of the spike, it's right back down again.

[mrico2]

I disagree.

For one thing, although some users will never get it, many will and that does make a difference. Also, it is important to let them know what the policies are and that is part of the education process.

[technewsjunkie]

Don't blame users!!! Security has become far too complex.

Defending users from IT blame has been a constant battle <br />throughout my experience in desktop support.<br /><br />People use computers to do a task. These People already have a <br />job, or profession, that they are well trained to do. They should <br />not be overly burdoned with<br />the enormous, convoluted facits of security! That's for IT <br />professionals, but more importantly *software vendors* to take <br />responsibility for! <br /><br />In what other business are customers BLAMED for merely using a <br />product for a task while the product become damaged just by <br />using it?

[schubb]

How about driving a car

Driving has become too complex obviously, why don't we make the auto manufactures protect us from each other? There are pedals, switches, knobs, lights, buttons, looking before merging, speed limits, lights, signs, etc. Good god, why doesn't the damned car drive itself, this is too complex? I am paid for my computer skills, not to drive, why should I learn this au-to-mo-bile thingy?<br /><br />Oh that's right, it is part of my job to travel to work. Just like it is part of my job to follow the policies laid out for computer usage, plain and simple.

[jabbotts]

your advocating users leave there cars unlocked?

IT is primarily responsible for security and as such, they need to know the intimate details of potential threats.<br /><br />The user does not need that level of detail but they need to accept some responsability and at least get a basic understanding of what they are doing.<br /><br />To absolve the user of all responsability is like telling them "it's ok, you needn't lock your car, that's for someone else to worry about" then be surprised when they are angry that there car got stollen.<br /><br />But then, people in general need to stop repeating a few key frases; I Know My Rights, Someone Else is to Blame and I'm a Victim.

[Vegaman_Dan]

Because end users are stupid

It doesn't matter what sort of protection you put in place if a person is ignorant or stupid enough to click on fairly obvious attempts to steal information, passwords, etc. By now, how many people still click on Paypal password reset emails? People need to be suspicious online and paranoid about such things. Is it the bank's fault that someone is sending out fake bank notices in email to people in hopes of stealing their identity and money? Phishing doesn't rely on IT departments or operating systems or anything beyond an end user being gullible enough to buy into an attempt to deceive them.<br /><br />Most viruses spread because someone clicked on a link "See stupid pictures of your boss naked" or something. It's not terribly difficult to educate people about this sort of thing and I certainly wouldn't blame an IT department for it.

[jones_8099]

To answer you question?

In the Military you are expect to learn everything about you job to <br />include security. That goes for everything from a convoy mission to <br />operating a computer. Its not to much to ask computer users to be <br />more aware of security risks when operating a computer. The <br />problem is the users don't have the right motivation to learn what <br />security risks are. The correct motivation would be after a few <br />security classes fire a few people who break the rules, let it be <br />known why they were fired, and your other employees will start <br />paying attention to security more.

[GlennAl]

User training

"User education" hasn't changed much in most places since the Middle Ages; it's still primarily OJT. Nowadays the typical user is expected to know certain basics things about using computers; unfortunately there are a large number of people who don't know what they need to and are capable of doing unintentional harm both to their own machines and perhaps to complete systems affecting millions of other users. Computers are designed for people to use; security has usually been an after-thought from after-market vendors. It's getting better, but there's a long way to go. User training can be helpful, but no amount of user training will overcome flawed designs.<br /><br />However, at worst, user training won't hurt; at best, it will help.

[bw94382]

You have got to be kidding

Every week a new exploit is released that allows malicious code to run under Windows with no action on the part of the user, and security is the users fault??? And Microsoft releases hack after hack after hack that fails to solve the underlying problem. In fact, Microsoft's model for distributing updates to users practically guarantees that Windows will be vulnerable to third parties who want to install malicious software. And the process for patching computers keeps getting worse, not better (remember how simple it was to download and apply a service pack to all computers on the network?) Government is unable or unwilling to implement and enforce legislation that fights spammers and hackers. And during it all this blundering behemoth, whose sole skill appears to be winning lawsuits and driving better software vendors out of business, has the audacity to call this 'innovation'??? Good God perople, when are we as consumers finally going to wake up and stop defending Microsoft? If this company sold aircraft, they would have been sued out of existence long ago.

[roger.d.miller]

Good God perople

If this commenter wrote business correspondence for a living, he would have been fired long ago.

[Vegaman_Dan]

Wrong article

I think you meant to be posting on one of the Microsoft bashing stories instead of the User Education story. The point being made here is that there are suggestions that user education is a waste of time in preventing all the social engineered exploits such as phishing and IM links. I don't agree with this and trying to blame the IT departments for not preventing someone from clicking on a link in an email marked 'Click here for free porn!' is just silly. <br /><br />Of course you need to educate the end user. If they didn't do something stupid (because of ignorance) and wreck their system, then there would be a great reduction in these situations.

[jcanker]

Many of you are missing the point....

Many of you are up in arms because you think that the speaker is blaming the end users for our security woes. Reread the article--what he is saying is that we have spent too much wasted time and energy relying on end users to be a major part of the security scheme. He never said that it's the users' fault--you're implying that. His real message is that we have tried to educate end users and it has failed. As IT professionals it's time for us to take accountability ourselves and not rely on the weakest link in the security chain to provide important security functions such as content filtering.<br /><br />EVERY successful scam, whether or not it is Internet related, relies on people making bad decisions. One scam researcher once posed as a district manager who "showed up unannounced in order to investigate a cash drawer shortage that store had been having over the past week." He walked out with the filled cash drawers from several of the registers. Now, should that store's security have spent time training every new employee what to do if someone claiming to be a district manager shows up and wants to count the drawer, or should the guy manning the camera have been smarter and more alert about a stranger poking his fingers in the drawers without the store manager being present at the register?

[unigamer69]

The "wonder" of Zero-Day Wednesdays

You gotta love the idea of "Patch Tuesdays" - and the even better idea (from a pressure point of view) of "Zero-Day Wednesdays."<br /><br />Here's a fictional scenario of an "ideal Trojan" using every black-hat technique I've heard of to date - including anti-forensics:<br /><br />2:00PM PST, Second Tuesday "of da Month": A hailstorm of patches is released.<br /><br />3:00PM PST - "The Second Hour:" One zero-day vulnerability is publically released and will become known within a day or two - 3 more will be used by custom-made Trojan horses for quite some time before being discovered.<br /><br />8:00PM PST: Brand X, Inc.'s system adminstrators (understandably) see system utilization fall to a reasonable enough level to justify rebooting 2,000 PCs.<br /><br />9:00AM PST, the Friday after Patch Tuesday: A user at Brand X receives an email with a custom-written Trojan horse, using one of the three unknown holes. Being custom-written, the mail gateways miss it in their virus screening.<br /><br />9:00AM and 1 second: The user opens that file.<br /><br />9:05AM: The Trojan horse contained a worm, and has spread to hundreds of machines in Brand X, Inc., including machines used by those with highly sensitive information - the target, which was the reason this Trojan was commissioned in the first place (by someone in Brand Y, Inc.)<br /><br />11:00AM: The Trojan has gathered enough proprietary information to bring Brand X to its knees. It compresses and encrypts this info, uses a botnet to hide the destination, and sends the info to the writer.<br /><br />5:00PM: The virus writer shows the results to the guy in Brand Y which commissioned the Trojan. They come to the consensus that it's a plenty.<br /><br />6:00PM: The virus writer issues a command to the copy of the Trojan which "phoned home" - decrypted and translated into plain English, it means, "Mission accomplished: Initiate self-destruct."<br /><br />6:00PM and 30 seconds: Another cascade through the network is well underway, as the "self-destruct" command propogates. When copies receive the command, they uninstall themselves and run a Gutmann-style shred on their files and traces, making later forensic analysis difficult, if not impossible.<br /><br />6:10PM: 60% of all evidence destroyed.<br /><br />6:30PM: 95% of all evidence destroyed.<br /><br />6:45PM: All copies are uninstalled and wiped - almost 100% of all the evidence is destroyed.<br /><br />7:00PM: Brand X's IT staff is none the wiser!

[unigamer69]

The "wonder" of Zero-Day Wednesdays

You gotta love the idea of "Patch Tuesdays" - and the even better idea (from a pressure point of view) of "Zero-Day Wednesdays."<br /><br />Here's a fictional scenario of an "ideal Trojan" using every black-hat technique I've heard of to date - including anti-forensics:<br /><br />2:00PM PST, Second Tuesday "of da Month": A hailstorm of patches is released.<br /><br />3:00PM PST - "The Second Hour:" One zero-day vulnerability is publically released and will become known within a day or two - 3 more will be used by custom-made Trojan horses for quite some time before being discovered.<br /><br />8:00PM PST: Brand X, Inc.'s system adminstrators (understandably) see system utilization fall to a reasonable enough level to justify rebooting 2,000 PCs.<br /><br />9:00AM PST, the Friday after Patch Tuesday: A user at Brand X receives an email with a custom-written Trojan horse, using one of the three unknown holes. Being custom-written, the mail gateways miss it in their virus screening.<br /><br />9:00AM and 1 second: The user opens that file.<br /><br />9:05AM: The Trojan horse contained a worm, and has spread to hundreds of machines in Brand X, Inc., including machines used by those with highly sensitive information - the target, which was the reason this Trojan was commissioned in the first place (by someone in Brand Y, Inc.)<br /><br />11:00AM: The Trojan has gathered enough proprietary information to bring Brand X to its knees. It compresses and encrypts this info, uses a botnet to hide the destination, and sends the info to the writer.<br /><br />5:00PM: The virus writer shows the results to the guy in Brand Y which commissioned the Trojan. They come to the consensus that it's a plenty.<br /><br />6:00PM: The virus writer issues a command to the copy of the Trojan which "phoned home" - decrypted and translated into plain English, it means, "Mission accomplished: Initiate self-destruct."<br /><br />6:00PM and 30 seconds: Another cascade through the network is well underway, as the "self-destruct" command propogates. When copies receive the command, they uninstall themselves and run a Gutmann-style shred on their files and traces, making later forensic analysis difficult, if not impossible.<br /><br />6:10PM: 60% of all evidence destroyed.<br /><br />6:30PM: 95% of all evidence destroyed.<br /><br />6:45PM: All copies are uninstalled and wiped - almost 100% of all the evidence is destroyed.<br /><br />7:00PM: Brand X's IT staff is none the wiser!

[Carion]

I totally agree (110%)

During more than ten year's work as a system administrator I have tried the following:<br />I have tried to motivate and even threaten users to behave and pay attention to security. Not a chance.. They just didn't care.<br />I tried restricting internet access. This was hell FOR ME. Maintaining the list of allowed sites was just too much.<br />Now I have something that seems to work.<br />Everybody has unrestricted access to the internet and email. But.... If a computer is infected by malware, the user responsible for the infection is put on a diet of restricted internet access for a month and a copy of every email received or sent by this person is automatically sent to management. After a month this person may file a request to have the sanctions lifted...<br />Now they have a self interest in security and I have had virtually no 'malware incidents' any more.

[jabbotts]

your lucky you hand management support

I've seen no end of businesses who leave there network open to rampant user's whims. (how many business manchiens have iTunes and Kaza installed?) but in these cases, management had been convinced (or not taken the tiem to consider) that it's better for the staff to have there toys.<br /><br />Your lucky you had or are management who could put such polocy into practice.

[candlynn]

User's shouldn't have to care very much

The IT industry needs to get it through their geeky brains that SOFTWARE IS WORTHLESS IF IT CAUSES MORE PROBLEMS THAT IT SOLVES. If security is done right, users will need minimal training. It doesn't matter if it is hard to do. It has to be done! Too many IT designers live in a dream world instead of the real world. Users want to get their jobs done. Spending hours, days, weeks becoming security experts is an unproductive use of user time. If IT folks were in charge of prisons, they would insist that the local population be trained to deal with daily prison escapes. 27 year IT veteran, MS in IT.

[Seaspray0]

Wish it would work that way

The company policy we have: Users are not to download and install any software from the internet.<br /><br />This doesn't require becoming a security expert and is a very simple insruction. Why is it every computer I have to fix had software downloaded from the internet and installed on the computer?

[MadMark]

Users are NOT all retarded

"It really is a nightmare. User education is a complete waste of time. It is about as much use as nailing jelly to a wall, ... They are not interested; they just want to do their job." <br /><br />So, as an IT professional, I am not interested in calculating a budget, which is a function of accounting. I JUST WANT TO DO MY JOB!<br /><br />Is this justification enough for my errant budget submission to the fiscal plans of C-Level Executives? Can I still expect to receive copious quantities of cash to batten down the hatches for the hairless apes that occupy my cube farm?<br /><br />Give your head a shake, we can all stand the noise! Users must be prepared to exercise COMMON SENSE when crossing the road, and should exercise the same neural network when traversing the "Information Superhighway". IT should reduce and potentially eliminate the threats that it can with the money, tools and training allotted to it.<br /><br />Cheers, and good luck with leading your untrained lemmings, Stefan Gorling. We will watch for you on the other side...<br /><br />Mark

[Vegaman_Dan]

Don't hand him a butter knife

Stefan Gorling is just about as dangerous in his refusal to accept common sense as those users he is abandoning to their fates. <br /><br />If you aren't using common sense or not willing to accept responsibility for your own actions, then you aren't responsible enough to be handed a butter knife without hurting yourself, let alone a networked computer.<br /><br />By the way Stefan- the butter goes on top. I'm sorry that you buttered the bottom and then stuck it in your ear when you called Toast Support and complained that they hadn't configured the Butter for you in advance to avoid such a tragedy.

[MacsInMinot]

Get a Mac

See subject solve problem. Its easy and painless.

[JustYourOpinion]

Hahahahahahahahahahahahahaha!

Thanks, I needed a good laugh today.<br /><br />Because obviously a Mac will make all your security problems magically disappear as if Windows were the only security threat on the net.<br /><br />Please look up "phishing" and post back here how a Mac will help guard my users against that.

[timcoyote]

Good Idea...

..if your a small company... but try letting the boss know you need 1200 of those Macs right away and he needs to cough up the cash for installation and training. Plus that user down the hall you get to inform that they have to learn a whole new computer when they already say all the time, "I just can't learn another new thing."<br /><br />But keep trying, keep saying it, maybe someone will listen some day and you'll get your macs.

[ZeroJCF]

AreTard

Yea, because if I own a Mac i can give my password out to whoever I want....what a joke you guys are. You give us regular mac users a bad name...

[Carion]

Or even better, get Linux

Great solution, if you can persuade software providers to open their eyes and start developing for a basically much beter platform...<br />Mac could be an option, but I'm a bit claustrophobic (I fear confined spaces...)

[Below Meigh]

Not exactly...

You see, ignorance is bliss.<br /><br />Users can be ignorant.<br />IT can be ignorant.<br />Accounting can be ignorant.<br />Management can be ignorant.<br />Corporate Executives can be ignorant.<br />Computer Salespeople can be ignorant.<br />Computing companies can be ignorant.<br />Design Engineers can be ignorant.<br />CNET news folks can be ignorant.<br />HP execs can be ignorant.<br />Government can be ignorant.<br /><br />The industry has created this mess. The internet was not designed for it's current use. The computer is still slow, and obsolete. The OS that runs on it is not superior, but inferior. The hardware is designed to be upgraded with costs.<br /><br />You want to blame the enduser; instead you should blame the industry for allowing such exploit.<br /><br />But you can't. A socially engineered system is based on the society that it mimicks. One that is flawed, will have flaws. So now, we put up walls both physical and virtual. Yet we still encourage the ignorance...

[MadMark]

Blame the industry

Yes, the Internet was not designed for its current use. Agreed. Its protocol suite and functionality should be replaced with one that has security at its very core. Authentication, Authorization, Accounting, Caller-ID, Encryption, all of those good things that prove you are who you say you are, and at the same time, protect your credentials from abuse.<br /><br />If this was an easy thing to do, it would already have been done. There is no doubt that once the cost of doing business in the online swamp gets high enough, and the risk of staying connected gets bad enough (getting there now...) a tranisition will HAVE to take place. <br /><br />Until that time, SOMEONE must be responsible and accountable for the safety and security of systems. Both at a high level (IT) and at a granular level (user).<br /><br />The user is provided various services from IT. One of these services is security. When IT attempts to protect users from themselves by creating policies in Windows through GPO objects, ACL's or what have you, they are most often met with thunderous disapproval and the "you're taking my what away? You can restrict my access when you can pry my keyboard from my cold, dead hand..." attitude. <br /><br />Until the Internet is tamed and properly controlled, it should be treated with the caution and consideration one would give any hostile environment. If you can't control yourself, then you should lose the ability to enter that environment. If you can't do your job because you can't get access, because you can't control yourself, you should be fired.<br /><br />Cheers!<br />Mark

[Jane in KC]

This person is a doctoral candidate?

Stefan Gorling is a headline hound, not a student. It's a big, big world, so of course some people will fit his description. But most computer users are very alert to security issues.

[Jonathan]

BS

I do Dell warranty work. I go to dozens of people's homes/businesses ever week and I can tell you right now that that comment is a load of horse dung. I would say 1 in 10 people know anything about the computer they are using. Your average user knows squat about secure computing practices.

[Stan Johnson]

Been with Windows for years---not a single virus

It just takes some common sense on the users part.<br /><br />1. Use some kind of anti-virus<br /><br />2. Do not open email from unknown users and do not open any attachments you are not aware of the source. This includes phishing scams. Always anything you are not 100% sure of. Should I click this link, should I open this file, can you get it from the official web site or maybe give a phone call to verify.<br /><br />3. Unknown web sites. Why click on anything if you are not sure what you are looking at is trustworthy.<br /><br />Never been sliped poison.

[qwerty75]

Or you can use something else and never have to think about it

nt

[Jonathan]

the Holy Quad.

1. Firewall<br />2. Antivirus<br />3. Firefox<br />4. Good Spam Filter.<br /><br />OK so there should have been 5...... Windows Update Once in a while. (I generally do it about once every 6 months.)<br /><br />I'm in the same boat. I had a single virus back on 3.11. Was called NYB. Nice boot sector virus. Since then nothing. For one reason...I use the above methodology when I work with my computer.

[qwerty75]

Users are stupid and that needs to be the starting point

... for software developers.<br /><br />Most places do not do this and we are all paying the price.<br /><br />There are many things you can do to protect your software from idiots and they aren't being done. Yes, you can't protect them from everything, but many things can be stopped before the end-user even gets close to your software.<br /><br />Car makers spend billions to help protect its customers for theirs and other stupidity. Places like MS spend little and what they do implement is half-assed at best. No car makers can't stop stupidity and accidents, but they can reduce the damages caused by them and even prevent many accidents from happening.<br /><br />The software industry as a whole(and MS specifically) need to do this as well.

[qwerty75]

also

As another example of where developers drop the ball, look at the documentation that comes with XP. Next to no docs printed, the system help is rarely correct and the best docs are stupidly online, so if someone can't get their networking to function, they are SOL.<br /><br />Buy a Linux distro and see what kind of documentation is normally available before you even install it. If you don't buy a retail box, the in-system documentation is absolutely outstanding. <br /><br />It is funny how often free software beats the pants off the richest software corporation. Too bad MS has no ethics and only run on marketing hype, maybe then the software world wouldbe where it should be.<br /><br />Of course, MS isn't the only offender, only the most flagrant.