October 12, 2006 10:00 AM PDT

Security expert: User education is pointless

MONTREAL--Forget about teaching computer users how to be safe online.

Users are often called the weakest link in computer security. They can't select secure passwords, and they write down passwords and give them out to strangers in exchange for treats. They use old or outdated security software, can't spell the word "phishing," and click on all links that arrive in e-mail or instant messages, and all that appear on the Web.

That's the reality, Stefan Gorling, a doctoral student at the Royal Institute of Technology in Stockholm, Sweden, said in a talk at the Virus Bulletin conference here Wednesday.

When things go wrong, users call help desks, either at their company or at a technology supplier, such as a PC maker, software maker, or an Internet access provider, which can cost a fortune. The solution, many technologists say, is to educate the user about online threats. But that doesn't work and is the wrong approach, Gorling said.


"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"

In Gorling's view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security, he said.

It isn't productive, for example, to ask users to detect e-mails that seek to con them into giving up personal information, he said. "Phishing is too hard to detect, even for experts."

And even if people can be trained, they can't be trusted to be on guard all the time, he said.

"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."

Some examples of built-in security mentioned at Virus Bulletin include a phishing shield in Web browsers, virus filtering in e-mail services and programs, and protection as part of instant messaging services such as Microsoft's Windows Live Messenger.

104 comments

Gorling is 99% correct
99% of users are not only clueless, but most just don't give a d@mn about security. They ignore policies and procedures and expect the I.T. department to bail them out when they screw things up - and so do their managers.

Over the years we have developed policies to protect users from themselves. On our Windows machines we lock IE on high security, no cookies, etc. and install Mozilla. Windows users are not allowed to send/receive over 40 types of file attachments. And many are not allowed any access to the Internet. And from the looks of things we are going to have to tighten up on them even more.

The handful of users that actually try to do things correctly are treasured by our I.T. staff and are rewarded with more frequent hardware updates, and whatever other perks we can give them.

It's too bad we haven't been able to talk management into switching all our desktops to Macs. The departments that use them are never a problem - regardless of the attitude of their users.
Posted by rcrusoe (1305 comments )
Treasure?
How do your employees get their jobs done with that much lock down or do you treasure them because they are able to follow the rules and still get their jobs done?

Without cookies and IE security set at a minimum, our multi-million dollar corporate ERP will not work at all.

Without file attachments we can't share information with our vendors and outsourced services. Today I got an internal email with an embedded image (Word doc converted to image) and an attached Word doc with a calendar-macro executable embedded, and when I asked why would you do that, I got "Oh, we have a cool software thing that we purchased that does that automatically for us... isn't it cool?" (That happens when you lock those departments down really tight to the point that they hire their own IT professional to learn how to work around your defences.)

If you don't have internet access, how do you look up what raison d'être means? Or translate the service request sent in Spanish? Try asking a research professional to only use LexisNexis and a printed copy of a newspaper to do his job; it just doesn't work anymore here.
Posted by timcoyote (56 comments )
Computer Sucks
I think the biggest sucking thing ever invented was the computer....

And that is why we have so little time for other things.

Computer and Internet Sucks....

Founder
www.searchsucker.com
Posted by suckerno1 (3 comments )
A fox opens up a wormhole...
...and throws a troll back to the Stone Age. =:oP

Talk about a hypocrite - writing anger about the Internet, over the Internet. =;o) Tee hee. =xoD
Posted by unigamer69 (75 comments )
Yeah, I guess
I agree the burden should be taken off of the end user, but the burden should be put back on the software vendors, and perhaps even the decision makers who control the various protocols we use as part of the Internet. IT would then have the burden of making sure the implementations and processes surrounding these secure products did nothing to hamper their security - that would be a job that would be manageable. To have each individual IT department of every company the sole implementor of a security solution has almost as much chance of working as does educating the user. It's time to throw out this version of the Internet and start over - and this time focus on security.

One item did strike me as incorrect: "Phishing is too hard to detect, even for experts." I don't necessarily agree with that. It's typically pretty easy to hover over a link and see from the URL that it's phishy. Seeing a ".kr" or ".ro" as a TLD is a pretty easy hint to pick up on.
Posted by ejevo (134 comments )
To What Extent?
Ok. So we take the burden off Users.
We tell them to open up any and all e-mail that they receive and we'll deal with the consequences.
Go to any Web site you want and click on any old damn thing you want and we'll pick up the pieces.
Might as well tell them that they should go home and open their door to anyone who wants to come in, or better yet, just don't lock your door.
Then let the police handle the crime that ensues...right?
Nonsense!
Just give Users 2 simple rules...
1. Don't go to Web Sites that aren't job-related.
2. Don't open e-mails you don't recognize.

Period.

IT protects them from the big stuff.
They have to protect themselves from themselves.
Posted by gdmaclew (158 comments )
No excuse for ignorance
We can't keep protecting people from themselves if they aren't willing to learn some rather basic things. We're not talking about rocket science, nuclear physics or even trying to repair a Mac. It's simple things anyone online should know. Being ignorant simply isn't a valid excuse anymore.

Doctors go to school before they are allowed to operate. I wouldn't expect the maker of the surgical equipment to tell the doctors how to operate - hey doc, don't forget to suture up that artery or they may bleed to death.

User education would eliminate most of the problems with computers today. It won't happen, but we can all dream.
Posted by Vegaman_Dan (6683 comments )
huh
"they write down passwords and give them out to strangers in exchange for treats"

what the hell does that mean? when has anyone ever witnessed this?
Posted by jbondo (26 comments )
Re: give them out to strangers . .
Gorling may be kidding about the "for treats" part (or not) but he is not about users giving away their passwords to strangers.

Kevin Mitnick performed some of his most famous hacks not through his computer skills, but rather through "social engineering". In other words he conned people into giving him passwords, modem phone numbers, etc.

I've called users at remote sites who didn't know me, asked them for their passwords to "check out their computers" and had them give them to me without question.

I didn't even need "treats".
Posted by rcrusoe (1305 comments )
it's an analogy with some artistic expression
Users are not really trading passwords for candy but they may as well be.

Users pick poor passwords then write them down on paper or a post-it. The paper gets handed to someone next to them or someone who schmoozes them well over the phone (you crazy phreaks you). Post-its get left on the monitor of the machine that a would-be criminal simply reads as they log in.

The allusion is to public announcement ads from years ago about talking to your kids about strangers. Don't talk to strangers, don't take candy from strangers.

Now the adults (in computer terms) are finally reaching the point where they are meeting strangers and the first thing they do is answer back and look for opportunities to hand out their passwords and information.
Posted by jabbotts (492 comments )
It's happening as we speak
At this moment there is a phishing scheme going on with a purported Walmart email where you are offered $35.00 if you answer a "survey" and then give out your card information for a "deposit" ("treat")
Posted by dcongrav (12 comments )
It Was Actually Done
I can't quite recall where I saw it, but a couple of years ago, there was an article about an experiment of sorts. Somebody hung around outside some business and offered passersby candy in return for their user passwords. A statistically significant number of them coughed up the passwords in return for the treats -- and the researcher was able to verify that most of the passwords were correct.

Needless to say, it didn't go over too well with the security folks at that establishment.
Posted by CBS Orchestra (10 comments )
Yes, I have.
The treats were called "free games and apps." =:oD

This is a wickedly common tactic for a Trojan horse. Of course, if you can get that in there, why bother getting just one password? You can get them all! =xoD
Posted by unigamer69 (75 comments )
No money for training, let alone exponential security breaches
Who's going to pay for this?
Posted by technewsjunkie (1265 comments )
Part of the problem
Is that security often reduces a user to a choice of fast, easy, secure - pick any two.

Anything that gets in the way of the user experience will eventually be circumvented. As such, security has to be easy and intuitive to use, it can't noticeably impact the user experience, and it has to be truly secure. The user can't be given the option of easily disabling the security features. If the user can disable or circumvent the features it should either result in a locked down system or a significantly crippled level of functionality.
Posted by rapier1 (2722 comments )
No education? That's just nuts.
If you want to go get lunch, all you want to worry about is getting a sandwich. That doesn't mean I need a cop to help me across every street! I was taught how to mind the lights and look both ways, and I do that every single time.

Education is not pointless, it's essential. The people who refuse to be educated will be the people who get run down in the middle of the intersection.
Posted by Steve Jordan (126 comments )
if only they blamed themselves not the car
Education is absolutely essential; however, the current problem is that those users who don't look both ways before crossing the street blame the car that hit them.

The stupid computer ate my hard drive! (after visiting six questionable sites and clicking on every link that got emailed to me)
Posted by jabbotts (492 comments )
The problem is...
...the notoriously short attention spans of most users. My favorite quote in the article is "I have seen a spike in the number of incidents reported by our internal users". What this person does NOT go on to say is that just like a spike, it has a leading edge and a trailing edge. From the top of the spike, it's right back down again.
Posted by J_Satch (571 comments )
I disagree.
For one thing, although some users will never get it, many will and that does make a difference. Also, it is important to let them know what the policies are and that is part of the education process.
Posted by mrico2 (1 comment )
Don't blame users!!! Security has become far too complex.
Defending users from IT blame has been a constant battle throughout my experience in desktop support.

People use computers to do a task. These people already have a job, or profession, that they are well trained to do. They should not be overly burdened with the enormous, convoluted facets of security! That's for IT professionals, but more importantly *software vendors* to take responsibility for!

In what other business are customers BLAMED for merely using a product for a task while the product becomes damaged just by using it?
Posted by technewsjunkie (1265 comments )
How about driving a car
Driving has become too complex obviously, why don't we make the auto manufacturers protect us from each other? There are pedals, switches, knobs, lights, buttons, looking before merging, speed limits, lights, signs, etc. Good god, why doesn't the damned car drive itself, this is too complex? I am paid for my computer skills, not to drive, why should I learn this au-to-mo-bile thingy?

Oh that's right, it is part of my job to travel to work. Just like it is part of my job to follow the policies laid out for computer usage, plain and simple.
Posted by schubb (202 comments )
you're advocating users leave their cars unlocked?
IT is primarily responsible for security and as such, they need to know the intimate details of potential threats.

The user does not need that level of detail but they need to accept some responsibility and at least get a basic understanding of what they are doing.

To absolve the user of all responsibility is like telling them "it's ok, you needn't lock your car, that's for someone else to worry about" then be surprised when they are angry that their car got stolen.

But then, people in general need to stop repeating a few key phrases; I Know My Rights, Someone Else is to Blame and I'm a Victim.
Posted by jabbotts (492 comments )
Because end users are stupid
It doesn't matter what sort of protection you put in place if a person is ignorant or stupid enough to click on fairly obvious attempts to steal information, passwords, etc. By now, how many people still click on Paypal password reset emails? People need to be suspicious online and paranoid about such things. Is it the bank's fault that someone is sending out fake bank notices in email to people in hopes of stealing their identity and money? Phishing doesn't rely on IT departments or operating systems or anything beyond an end user being gullible enough to buy into an attempt to deceive them.

Most viruses spread because someone clicked on a link "See stupid pictures of your boss naked" or something. It's not terribly difficult to educate people about this sort of thing and I certainly wouldn't blame an IT department for it.
Posted by Vegaman_Dan (6683 comments )
To answer your question...
In the Military you are expected to learn everything about your job, including security. That goes for everything from a convoy mission to operating a computer. It's not too much to ask computer users to be more aware of security risks when operating a computer. The problem is the users don't have the right motivation to learn what security risks are. The correct motivation would be, after a few security classes, fire a few people who break the rules, let it be known why they were fired, and your other employees will start paying attention to security more.
Posted by jones_8099 (177 comments )
User training
"User education" hasn't changed much in most places since the Middle Ages; it's still primarily OJT. Nowadays the typical user is expected to know certain basic things about using computers; unfortunately there are a large number of people who don't know what they need to and are capable of doing unintentional harm both to their own machines and perhaps to complete systems affecting millions of other users. Computers are designed for people to use; security has usually been an after-thought from after-market vendors. It's getting better, but there's a long way to go. User training can be helpful, but no amount of user training will overcome flawed designs.

However, at worst, user training won't hurt; at best, it will help.
Posted by GlennAl (25 comments )
You have got to be kidding
Every week a new exploit is released that allows malicious code to run under Windows with no action on the part of the user, and security is the users fault??? And Microsoft releases hack after hack after hack that fails to solve the underlying problem. In fact, Microsoft's model for distributing updates to users practically guarantees that Windows will be vulnerable to third parties who want to install malicious software. And the process for patching computers keeps getting worse, not better (remember how simple it was to download and apply a service pack to all computers on the network?) Government is unable or unwilling to implement and enforce legislation that fights spammers and hackers. And during it all this blundering behemoth, whose sole skill appears to be winning lawsuits and driving better software vendors out of business, has the audacity to call this 'innovation'??? Good God perople, when are we as consumers finally going to wake up and stop defending Microsoft? If this company sold aircraft, they would have been sued out of existence long ago.
Posted by bw94382 (24 comments )
Good God perople
If this commenter wrote business correspondence for a living, he would have been fired long ago.
Posted by roger.d.miller (41 comments )
Wrong article
I think you meant to be posting on one of the Microsoft bashing stories instead of the User Education story. The point being made here is that there are suggestions that user education is a waste of time in preventing all the social engineered exploits such as phishing and IM links. I don't agree with this and trying to blame the IT departments for not preventing someone from clicking on a link in an email marked 'Click here for free porn!' is just silly.

Of course you need to educate the end user. If they didn't do something stupid (because of ignorance) and wreck their system, then there would be a great reduction in these situations.
Posted by Vegaman_Dan (6683 comments )
Many of you are missing the point....
Many of you are up in arms because you think that the speaker is blaming the end users for our security woes. Reread the article--what he is saying is that we have spent too much wasted time and energy relying on end users to be a major part of the security scheme. He never said that it's the users' fault--you're implying that. His real message is that we have tried to educate end users and it has failed. As IT professionals it's time for us to take accountability ourselves and not rely on the weakest link in the security chain to provide important security functions such as content filtering.

EVERY successful scam, whether or not it is Internet related, relies on people making bad decisions. One scam researcher once posed as a district manager who "showed up unannounced in order to investigate a cash drawer shortage that store had been having over the past week." He walked out with the filled cash drawers from several of the registers. Now, should that store's security have spent time training every new employee what to do if someone claiming to be a district manager shows up and wants to count the drawer, or should the guy manning the camera have been smarter and more alert about a stranger poking his fingers in the drawers without the store manager being present at the register?
Posted by jcanker (7 comments )
The "wonder" of Zero-Day Wednesdays
You gotta love the idea of "Patch Tuesdays" - and the even better idea (from a pressure point of view) of "Zero-Day Wednesdays."

Here's a fictional scenario of an "ideal Trojan" using every black-hat technique I've heard of to date - including anti-forensics:

2:00PM PST, Second Tuesday "of da Month": A hailstorm of patches is released.

3:00PM PST - "The Second Hour:" One zero-day vulnerability is publicly released and will become known within a day or two - 3 more will be used by custom-made Trojan horses for quite some time before being discovered.

8:00PM PST: Brand X, Inc.'s system administrators (understandably) see system utilization fall to a reasonable enough level to justify rebooting 2,000 PCs.

9:00AM PST, the Friday after Patch Tuesday: A user at Brand X receives an email with a custom-written Trojan horse, using one of the three unknown holes. Being custom-written, the mail gateways miss it in their virus screening.

9:00AM and 1 second: The user opens that file.

9:05AM: The Trojan horse contained a worm, and has spread to hundreds of machines in Brand X, Inc., including machines used by those with highly sensitive information - the target, which was the reason this Trojan was commissioned in the first place (by someone in Brand Y, Inc.)

11:00AM: The Trojan has gathered enough proprietary information to bring Brand X to its knees. It compresses and encrypts this info, uses a botnet to hide the destination, and sends the info to the writer.

5:00PM: The virus writer shows the results to the guy in Brand Y who commissioned the Trojan. They come to the consensus that it's plenty.

6:00PM: The virus writer issues a command to the copy of the Trojan which "phoned home" - decrypted and translated into plain English, it means, "Mission accomplished: Initiate self-destruct."

6:00PM and 30 seconds: Another cascade through the network is well underway, as the "self-destruct" command propagates. When copies receive the command, they uninstall themselves and run a Gutmann-style shred on their files and traces, making later forensic analysis difficult, if not impossible.

6:10PM: 60% of all evidence destroyed.

6:30PM: 95% of all evidence destroyed.

6:45PM: All copies are uninstalled and wiped - almost 100% of all the evidence is destroyed.

7:00PM: Brand X's IT staff is none the wiser!
Posted by unigamer69 (75 comments )
I totally agree (110%)
During more than ten years' work as a system administrator I have tried the following:
I have tried to motivate and even threaten users to behave and pay attention to security. Not a chance.. They just didn't care.
I tried restricting internet access. This was hell FOR ME. Maintaining the list of allowed sites was just too much.
Now I have something that seems to work.
Everybody has unrestricted access to the internet and email. But.... If a computer is infected by malware, the user responsible for the infection is put on a diet of restricted internet access for a month and a copy of every email received or sent by this person is automatically sent to management. After a month this person may file a request to have the sanctions lifted...
Now they have a self interest in security and I have had virtually no 'malware incidents' any more.
Posted by Carion (30 comments )
you're lucky you had management support
I've seen no end of businesses who leave their network open to rampant users' whims. (how many business machines have iTunes and Kazaa installed?) but in these cases, management had been convinced (or not taken the time to consider) that it's better for the staff to have their toys.

You're lucky you had or are management who could put such policy into practice.
Posted by jabbotts (492 comments )
Users shouldn't have to care very much
The IT industry needs to get it through their geeky brains that SOFTWARE IS WORTHLESS IF IT CAUSES MORE PROBLEMS THAN IT SOLVES. If security is done right, users will need minimal training. It doesn't matter if it is hard to do. It has to be done! Too many IT designers live in a dream world instead of the real world. Users want to get their jobs done. Spending hours, days, weeks becoming security experts is an unproductive use of user time. If IT folks were in charge of prisons, they would insist that the local population be trained to deal with daily prison escapes. 27 year IT veteran, MS in IT.
Posted by candlynn (5 comments )
Wish it would work that way
The company policy we have: Users are not to download and install any software from the internet.

This doesn't require becoming a security expert and is a very simple instruction. Why is it every computer I have to fix had software downloaded from the internet and installed on the computer?
Posted by Seaspray0 (9714 comments )
Users are NOT all retarded
"It really is a nightmare. User education is a complete waste of time. It is about as much use as nailing jelly to a wall, ... They are not interested; they just want to do their job."

So, as an IT professional, I am not interested in calculating a budget, which is a function of accounting. I JUST WANT TO DO MY JOB!

Is this justification enough for my errant budget submission to the fiscal plans of C-Level Executives? Can I still expect to receive copious quantities of cash to batten down the hatches for the hairless apes that occupy my cube farm?

Give your head a shake, we can all stand the noise! Users must be prepared to exercise COMMON SENSE when crossing the road, and should exercise the same neural network when traversing the "Information Superhighway". IT should reduce and potentially eliminate the threats that it can with the money, tools and training allotted to it.

Cheers, and good luck with leading your untrained lemmings, Stefan Gorling. We will watch for you on the other side...

Mark
Posted by MadMark (7 comments )
Don't hand him a butter knife
Stefan Gorling is just about as dangerous in his refusal to accept common sense as those users he is abandoning to their fates.

If you aren't using common sense or not willing to accept responsibility for your own actions, then you aren't responsible enough to be handed a butter knife without hurting yourself, let alone a networked computer.

By the way Stefan- the butter goes on top. I'm sorry that you buttered the bottom and then stuck it in your ear when you called Toast Support and complained that they hadn't configured the Butter for you in advance to avoid such a tragedy.
Posted by Vegaman_Dan (6683 comments )
Get a Mac
See subject, solve problem. It's easy and painless.
Posted by MacsInMinot (1 comment )
Hahahahahahahahahahahahahaha!
Thanks, I needed a good laugh today.

Because obviously a Mac will make all your security problems magically disappear as if Windows were the only security threat on the net.

Please look up "phishing" and post back here how a Mac will help guard my users against that.
Posted by JustYourOpinion (24 comments )
Good Idea...
...if you're a small company... but try letting the boss know you need 1200 of those Macs right away and he needs to cough up the cash for installation and training. Plus that user down the hall you get to inform that they have to learn a whole new computer when they already say all the time, "I just can't learn another new thing."

But keep trying, keep saying it, maybe someone will listen some day and you'll get your Macs.
Posted by timcoyote (56 comments )
AreTard
Yeah, because if I own a Mac I can give my password out to whoever I want....what a joke you guys are. You give us regular Mac users a bad name...
Posted by ZeroJCF (51 comments )
Or even better, get Linux
Great solution, if you can persuade software providers to open their eyes and start developing for a basically much better platform...
Mac could be an option, but I'm a bit claustrophobic (I fear confined spaces...)
Posted by Carion (30 comments )
Not exactly...
You see, ignorance is bliss.

Users can be ignorant.
IT can be ignorant.
Accounting can be ignorant.
Management can be ignorant.
Corporate Executives can be ignorant.
Computer Salespeople can be ignorant.
Computing companies can be ignorant.
Design Engineers can be ignorant.
CNET news folks can be ignorant.
HP execs can be ignorant.
Government can be ignorant.

The industry has created this mess. The internet was not designed for its current use. The computer is still slow, and obsolete. The OS that runs on it is not superior, but inferior. The hardware is designed to be upgraded with costs.

You want to blame the end user; instead you should blame the industry for allowing such exploits.

But you can't. A socially engineered system is based on the society that it mimics. One that is flawed will have flaws. So now we put up walls, both physical and virtual. Yet we still encourage the ignorance...
Posted by Below Meigh (249 comments )
Blame the industry
Yes, the Internet was not designed for its current use. Agreed. Its protocol suite and functionality should be replaced with one that has security at its very core. Authentication, Authorization, Accounting, Caller-ID, Encryption, all of those good things that prove you are who you say you are, and at the same time, protect your credentials from abuse.

If this was an easy thing to do, it would already have been done. There is no doubt that once the cost of doing business in the online swamp gets high enough, and the risk of staying connected gets bad enough (getting there now...), a transition will HAVE to take place.

Until that time, SOMEONE must be responsible and accountable for the safety and security of systems. Both at a high level (IT) and at a granular level (user).

The user is provided various services from IT. One of these services is security. When IT attempts to protect users from themselves by creating policies in Windows through GPO objects, ACLs or what have you, they are most often met with thunderous disapproval and the "you're taking my what away? You can restrict my access when you can pry my keyboard from my cold, dead hand..." attitude.

Until the Internet is tamed and properly controlled, it should be treated with the caution and consideration one would give any hostile environment. If you can't control yourself, then you should lose the ability to enter that environment. If you can't do your job because you can't get access, because you can't control yourself, you should be fired.

Cheers!
Mark
Posted by MadMark (7 comments )
This person is a doctoral candidate?
Stefan Gorling is a headline hound, not a student. It's a big, big world, so of course some people will fit his description. But most computer users are very alert to security issues.
Posted by Jane in KC (94 comments )
BS
I do Dell warranty work. I go to dozens of people's homes/businesses every week and I can tell you right now that that comment is a load of horse dung. I would say 1 in 10 people know anything about the computer they are using. Your average user knows squat about secure computing practices.
Posted by Jonathan (832 comments )
Been with Windows for years---not a single virus
It just takes some common sense on the user's part.

1. Use some kind of anti-virus

2. Do not open email from unknown users and do not open any attachments whose source you are not aware of. This includes phishing scams. Always question anything you are not 100% sure of. Should I click this link, should I open this file, can you get it from the official web site or maybe give a phone call to verify.

3. Unknown web sites. Why click on anything if you are not sure what you are looking at is trustworthy.

Never been slipped poison.
Posted by Stan Johnson (322 comments )
Or you can use something else and never have to think about it
nt
Posted by qwerty75 (1164 comments )
the Holy Quad.
1. Firewall
2. Antivirus
3. Firefox
4. Good Spam Filter.

OK so there should have been 5...... Windows Update Once in a while. (I generally do it about once every 6 months.)

I'm in the same boat. I had a single virus back on 3.11. Was called NYB. Nice boot sector virus. Since then nothing. For one reason...I use the above methodology when I work with my computer.
Posted by Jonathan (832 comments )
Users are stupid and that needs to be the starting point
... for software developers.

Most places do not do this and we are all paying the price.

There are many things you can do to protect your software from idiots and they aren't being done. Yes, you can't protect them from everything, but many things can be stopped before the end-user even gets close to your software.

Car makers spend billions to help protect their customers from their own and others' stupidity. Places like MS spend little and what they do implement is half-assed at best. No, car makers can't stop stupidity and accidents, but they can reduce the damages caused by them and even prevent many accidents from happening.

The software industry as a whole (and MS specifically) needs to do this as well.
Posted by qwerty75 (1164 comments )
also
As another example of where developers drop the ball, look at the documentation that comes with XP. Next to no docs printed, the system help is rarely correct and the best docs are stupidly online, so if someone can't get their networking to function, they are SOL.

Buy a Linux distro and see what kind of documentation is normally available before you even install it. If you don't buy a retail box, the in-system documentation is absolutely outstanding.

It is funny how often free software beats the pants off the richest software corporation. Too bad MS has no ethics and only runs on marketing hype; maybe then the software world would be where it should be.

Of course, MS isn't the only offender, only the most flagrant.
Posted by qwerty75 (1164 comments )
This article is pointless....
While I agree that users are stupid, that is because they choose to be so.

CNET and countless other websites offer free PC advice to keep users safe. It's not that they don't know or don't understand (I mean, really, how hard can it be to understand "don't take candy from strangers"?), it's that they don't give a damn.

Users want what they want, when they want it...like little children. And, like little children, they will make bad choices that get themselves hurt from time to time.

Does that mean that we revert to green screen mainframe apps with absolutely no access to anything but the company apps?

Well, you could - at a cost of reduced productivity and innovation versus your competition. Or, you could just fire those that refuse to abide by the simple rule "don't take candy from strangers".

In all probability, if they are too simple-minded to follow this rule, they are a danger to you, your staff and your company.

Fire them now.
Posted by Jim Hubbard (326 comments )
Computers are like cars
Sure, it's not my job to know everything about the inner workings of the car. That's what mechanics are for. It is my responsibility to take basic care of the car.

Clicking every link sent to you, visiting every porn site, not checking for suspicious files as you download them, not using antivirus software, installing random 'free' crap (such as 'free' msn smilies, etc) is akin to neglecting your car's needs. If the consumer takes a sledgehammer to their car, doesn't get a regular oil change, hits speed bumps at 70kph, floors the pedal on a cold engine all the time, and urinates in the gas tank, the car will eventually stop working properly, and it's the owner's fault for abusing it. However, when people do the same to their computers, it's the IT department/software vendor's fault? Come on people, seriously.

Yes, it's the IT peoples' job to do the regular maintenance and repairs. However if the person using the machine abuses it, it's going to fail no matter how good your security setup is. The sooner people know how to take basic care of their machines, the better.
Posted by ademers (1 comment )
Follow the $$$
Part of the problem is simply that companies are unwilling to spend money on training. At the former company I worked for, they started downsizing IT. One of the first people to get the ax was the training department. The last being my job as network admin. When I left you could ask someone to go into their file browser and you would get a blank look. Amazing what 4 years without someone to train your people will accomplish. I'm sure that a good custom made virus distributed via social engineering could bring this company to their knees all because they won't spend money on educating their employees.
Posted by Jonathan (832 comments )
What if doctors were like users?
What if your doctor refused to read the manuals about that new surgical laser because he had a backlog of patients to cut into?

What if your pharmacist refused to educate him/herself on the drug interactions of medications that you were taking?

What if your doctor just didn't have the time to go to "Open Heart Surgery 101", but was about to cut you open and repair your damaged ticker?

I admit it, these are all extreme cases. But, should an office worker NOT be required to educate themselves before using their equipment also?

The doctors get basic training (at their expense) BEFORE they enter residency at a hospital. You should only hire workers who have done the same.

It's not the workers' fault. It's yours for hiring them.
Posted by Jim Hubbard (326 comments )
IT Attitude Adjustment Needed
One programmer to another, "I'm going to make this really user friendly. Even more user friendly than control+alt+delete!"

Seriously, as an educator I can understand the frustrations of trying to teach but an attitude of condescension toward the learner is not a good start.
Posted by oconnmic (28 comments )