I can’t stand the attitude of “there’s nothing important on my computer, so I don’t care about whether it is secure or not”. The simple fact of the matter is that any infected computer connected to the internet is probably at the mercy of a malicious third party. Even if you don’t care about the impact of your computer being infected, your lazy attitude is affecting innocent other people’s computers, potentially in the form of sending mass spam and attacking unwitting websites.
Computer security is hard and very complex.
How we explain computer security and insecurity to average computer users, non-geeks if you will, is really important. And I really think that we are taking the wrong approach at the moment.
We teach computer users that in order to keep their computer secure and clean, they must have:
- An anti-virus program
- A firewall
- Up-to-date software
- … and other practical, simple steps
While these are all very important steps to encourage (especially keeping software up-to-date, in my mind), I think that we are making this advice a bit too practical. We’re ignoring complexity and only ever offering the most basic practical steps.
In my mind, a lot of computer security comes down to a model of trust. For example, I feel confident that a conversation with my internet bank is secure because:
- I trust the integrity of the SSL connection for the purposes of keeping my information private and untampered with as it goes across the internet
- I trust my local machine to be ‘clean’
- I trust the remote machine at the bank is genuine and set up properly
All three of those things must be in place for me to have that ‘safe’ feeling. A safe SSL connection to your bank is meaningless if there’s nasty software on your local machine sending your keystrokes to a third party.
I’d like to see this model of trust be encouraged amongst all computer users. It maybe does take a little bit more time and effort to understand the basic principles of what is going on, but looking at security this way round, rather than from an entirely practical viewpoint, allows people to make informed security decisions, rather than blindly trusting some ‘security’ software to do everything.
Social engineering is a very easy way to get some nasty inside someone’s computer. It’s disappointing, but oftentimes you can trick the human into deliberately giving permission to something more easily than you can find a hole in software to do the same thing. Instead of relying on ‘last resort’ antivirus programs to catch known malicious programs running at the last minute, we should encourage people to ask questions:
- Why am I being asked to run this software?
- Where did it come from? Do I trust the group of people that wrote this program?
- Is there anything suspicious or unusual about this? Is it really coming from who it says it is?
Obviously, you need to combine this with practical advice and some knowledge to enable people to spot things that are ‘out of place’. But I think if we did, people would be in a much better position to make sensible informed decisions and to understand better what is actually going on.
This rant only really covers one aspect of computer security. As I said at the start, computer security is really complex and really hard to get right. So this approach isn’t necessarily the answer and it isn’t going to be applicable everywhere. There are going to be groups of people for whom this will be too complex, and groups of people that ‘won’t care’. But I’d like to see it done more often.
Photo is Secure. by Wysz from Flickr. Licensed under Creative Commons BY-NC.
I agree with you on this matter. However, when I bought my mac I set the security settings. That was all I did. When I owned a PC I purchased security software because my PC was always crashing. This was done in hopes this would solve the problem. It did not. My mac does not crash. Also the software I bought was said to be “cheap” and “unreliable” for the purpose. I did always have to update it. It often got in the way of simple site browsing. It seems like “geeks” dont want to tell people what security software to download for free or what the best product is to buy. So again the end user is stuck.
What is a good firewall for non-geeks? – especially one that blocks OUTgoing content to prevent your PC being zombied?
I recently installed Zone Alarm and ran into problems with some apps not working unless I turned off Zone Alarm, but also not logging anything in ZA’s log! I started a couple of threads on their discussion forum that turned real geeky, real fast! Unless I’m willing to talk ports and filtering that’s a no-starter!
But non-geeks can’t talk ports and filtering.
The biggest problem in PC’s today is that security software like malware-/virus- checkers and firewalls STILL require too much geekiness for Aunt Martha and Uncle Ned, so they don’t do them, and thus there are vast armies of zombied PC’s speading trouble!
peter nelson,
I think the best defence against getting a PC ‘zombied’ is to install as little software as possible on it (only trusted software from trusted sources), keep it up-to-date and to avoid accessing anything you don’t trust. Once some bad software is on your machine, it’s essentially game over. Yes, a software firewall at that point might be able to prevent other machines getting infected, but it really is too late.
But having said that, I accept that this is an ‘ideal world’ sort of scenario I’m asking for. In the real world, with non-technical users, it might be difficult to enforce those conditions.
I personally tend to rely on the built-in Windows Firewall on the Windows machines that I run and are responsible for, in combination with a firewall at the router level. Again, though, I make sure those machines don’t do anything ‘dodgy’, so I trust the software installed there.
So to actually answer your question – I’m not really looking at that type of product for the stuff I do, so I’m not sure what to recommend. This list of recommended firewalls at Lifehacker might be something to look at, though. Again, as I say, I haven’t looked at this type of product, so I can’t personally vouch for any of them.