Slashdot Mirror


Security Alert

jnazario writes "As a computer security professional, one of the things I notice is that for our proposals to be effective, they often require the participation of the vast majority of computer users out there. Almost all of them are not computer security professionals, so it's imperative that our methods be usable by the non-professionals. What makes this even worse is that most computer users are not terribly savvy about what they're using. Terms like hard drives and memory don't mean anything to them, and a browser is just a window to the internet. A computer is a tool for information use, not an end in itself. So, a book like Security Alert: Stories of Real People Protecting Themselves from Identity Theft, Scams and Viruses sounded like it had real promise." Read on for Nazario's review of the book.

Security Alert: Stories of Real People Protecting Themselves from Identity Theft, Scams and Viruses
  author: Becky Worley
  pages: 266
  publisher: Pearson Education
  rating: 3/10
  reviewer: Jose Nazario
  ISBN: 0735713529
  summary: Real world tips for regular people to protect themselves online

If it can communicate threats and solutions effectively to the average computer user, then we're making real progress. After all, if even computer security professionals often fail to employ basic measures to protect themselves from typical attacks, we'll have to make sure this stuff is understandable by the general population. Not that they're the "great unwashed" -- hardly. They're just not focusing on this stuff. Hence, we have a challenge: make this stuff understandable by your mom if you want everyone to just get it.

Becky Worley is (was? I haven't watched TechTV in a while) a TechTV on-air personality. She's reported news and events for TechTV for a number of years, and has often done so clearly and at a level you'd expect for a general TV station devoted to technology issues. So, you'd think she'd be in a great position to collect information and know how to present it. Sadly, Worley's book doesn't fit that niche; it's not going to educate the large masses. In putting myself in the shoes of an average computer user, I found it fails in a number of ways.

The first and foremost failure of the book is right from the beginning. Worley opens up by saying that you're not a target of hackers, yet the rest of the book goes on to discuss how you are. While you're probably not going to be attacked by the same people who try to break into Pentagon computer networks, virus writers and con artists fall into the same category for most purposes. All of these sorts of people, and what they can do, are described in chapter 1.

There's no discussion of phishing in the chapter on identity theft, which is chapter 2. Identity theft is a large, complicated subject, yet Worley only focuses on credit card number theft. While she talks about social security numbers, she doesn't demonstrate how they have been used to destroy victims' lives. Some advice is given as to how to react to credit card theft, but little information is given here about how to protect yourself to begin with, aside from being careful about whom you give your SSN to.

The book repeats itself often, covering similar material in several places. Chapter 3, which covers online purchasing, covers credit card info theft and email scams again. What it doesn't cover very well is how to spot a legitimate website, how to really use an escrow service, if and how you can get eBay or a shipper to help you out of a scam auction, and the like. Useful information about verifying who owns a certificate for an SSL server, or even making sure you're using an SSL server, is not given. Examples of false websites and auctions would have been useful. After all, after telling us how scammers operate and look so legitimate, illustrating the points about how to spot them would be valuable.

The book is full of anecdotes but few useful pieces of information are placed where they need to be. Chapter 4, which covers viruses, is one of these examples. It spends most of its time covering typical viruses and the usual, but doesn't get into anything beyond "use antivirus software." Never mind that the biggest threat in recent years has been from automated worms and that personal firewalls are useful; that's covered later. We hope you remember the quick tutorial on viruses from before.

The book's organization is poor, with material scattered throughout the book in a fashion that doesn't progress well or develop the information seamlessly. More virus and scam information is placed in Chapter 5, along with virus hoaxes. Several websites are referred to, but little is offered in the way of really spotting a virus hoax or the common scam. Since they still abound, and people still fall prey to them, couldn't a better job have been done of describing what people are actually looking at?

In short, the book is a decent collection of links and material but is so poorly organized or so thinly presented it's hard to get what's going on. Take chapters 6 and 7, "Safe and Sane Online Interactions" and "Protecting the Family." Lots of information, somewhat poorly organized, and very skimpy on content. It seems to me that worrying about who is pestering my kids is more important than hearing about someone's EverQuest addiction, so that was a wasted page.

Finally, Chapters 8 and 9 should have been moved further up front. The topic of chapter 8, "Privacy," is a perfect fit for the topics in chapter 2, where Worley talks about identity theft. The topics covered here, including spyware and key loggers, are far more germane to the threat against your privacy and bank account information, and have been a growing trend for at least a couple of years. Chapter 9, differentiating being safe from being paranoid, should have been placed up front to help temper the arguments given in the rest of the book. It does a decent job of articulating the threats, what's to fear, and what's at stake.

The book is laden with plenty of anecdotes about online activities gone awry. What's missing are solid examples of how to do it right: how to use your credit card on trusted sites safely and ensure that you're using services you know are worthwhile. While the book has some useful information in it, it's buried under poor organization, unclear language and presentation, and finally repetition in all the wrong places.

While the world needs a book or two to help everyday people understand online security, this isn't the one. If you're looking for something for your kids, your spouse, or your parents, keep looking. This book won't help them make sense of what's going on. I don't think that's too much to ask for, especially from an organization like TechTV, which has access to lots of material, people, and motive to produce a solid book.

You can purchase Security Alert: Stories of Real People Protecting Themselves from Identity Theft, Scams and Viruses from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

21 of 162 comments

  1. Shouldn't this be... by Anonymous Coward · · Score: 5, Insightful

    under Book Reviews?

  2. One thing.. by hookedup · · Score: 4, Insightful

    Getting people informed before their machine is infected with something is the hard part.

    I find they are a whole lot more interested in learning about security as soon as they start getting pornography popups.

    1. Re:One thing.. by Anonymous Coward · · Score: 3, Insightful

      That's about the same as people who don't think they need data backup until that laptop hdd that they have been storing 3 years of business data on dies.

    2. Re:One thing.. by tchuladdiass · · Score: 2, Insightful

      And then they think that they are safe if they don't accept any browser cookies.

  3. Own a computer, own a car by Anonymous Coward · · Score: 5, Insightful

    I am a firm believer that if you own a car, you should be able to change a tire, and change the oil. Basic maintenance.

    Same with a computer. If you own a computer, you should be able to upgrade its security, and install a virus protector (minimum!)

    I don't understand why people spend thousands of dollars on a new device, then simply don't bother to learn anything about it. A computer, like a car, is a serious investment. Learn how to use it properly.

    Of course, my theory goes to shit as many people don't know how to change a tire or oil. Oh well.

    1. Re:Own a computer, own a car by nlinecomputers · · Score: 4, Insightful

      > I don't understand why people spend thousands of dollars on a new device, then simply don't bother to learn anything about it. A computer, like a car, is a serious investment. Learn how to use it properly.

      Perhaps because they don't spend THOUSANDS of dollars. They spend a few hundred maybe up to about ONE thousand dollars. Computers are cheap and thus people think they are or should be as complicated as similarly priced objects like dish washers or large screen TVs.

      If they had to pay $20,000 for a computer they would learn to take better care of it. But then again I see plenty of people that abuse cars too.
      --
      Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
    2. Re:Own a computer, own a car by Eberlin · · Score: 5, Insightful

      You'd get called an elitist (as I did) for suggesting the need for computer users to be competent.

      Basic computer skills are a difficult enough concept for some -- and anything past "two clicks on the blue letter E" goes over their heads. Anti-virus, firewalls, and windows update? Way too complicated. Downloading and installing another browser? That's a challenge! (I got a call once from someone who couldn't install something from CD-ROM because it wasn't set to auto-run!) Reformat a hard drive and install an alternative operating system? Definitely too much.

      There isn't any interest in knowing anything past 2 clicks on blue E. Solution? FUD 'em. (not essentially lies but fun half-truths) Tell them their machines are being constantly attacked over the net and they need to protect themselves. Teach them that their personal information can get stolen. Tell them that unless they learn the ropes, they'll have to deal with headaches and heartaches and big computer repair bills.

      Hell, tell them that without a good firewall, (Osama || Saddam || tooth fairy) will break into their computers and terrorists will win. (That method seemed to work well with the average Joe Sixpack for a different, more lethal cause).

      Either way, education is part of the solution...but you can only educate those that want to learn. The trick is to motivate people into learning and understanding computer security.

    3. Re:Own a computer, own a car by dillon_rinker · · Score: 2, Insightful

      And the battery. And the brakepads. And spark plugs. And spark plug wires. And the air filter. And the fuel filters. And check fluid levels. And refill with fluid when necessary.

      In short, people should know how to do all those things that the engineers can't do for them, since the engineers must design cars with parts that wear out.

      Another car analogy - if you put your CAR on the ROAD you must ensure that your CAR is not a danger to other CARs on the ROAD. Replace CAR with COMPUTER and ROAD with INTERNET. Granted, no one will die if you get infected with a zombie, but neither is your car capable of crashing every other car on every road in the world.

    4. Re:Own a computer, own a car by Eberlin · · Score: 2, Insightful

      A bit of hyperbole there, but anyhoo, the spirit of the post was to get people to CARE about learning. Spitting out "truth" and details on "the problems and the hows and whys" isn't interesting until you can get their attention.

      Even school has its barf-back education process. You get facts and dates and other mantras that they cram down your throat and learn to barf back during an exam. The real retained knowledge are the bits we found interesting, fun, or somehow important.

      So of course not, don't lie and scare novice computer users and then have them helplessly fend for themselves -- that's not much education. Teach...but first convince them of why the knowledge is something worth learning.

    5. Re:Own a computer, own a car by SillyNickName4me · · Score: 2, Insightful

      > PEOPLE AREN'T STUPID

      Not as individuals usually, as a group they are.

    6. Re:Own a computer, own a car by techno-vampire · · Score: 3, Insightful

      > I don't understand why people spend thousands of dollars on a new device, then simply don't bother to learn anything about it. A computer, like a car, is a serious investment. Learn how to use it properly.

      Back when I was doing tech support, I heard almost daily from people who'd say, "I'm completely computer illiterate." Most of them would say it not in shame but in pride. They seemed to think there was something good about being incompetent and that it made them better than people who knew how to use computers. There are more of them out there than you'd like to think, and none of them want to know what they're doing. Same thing as it is with cars; knowing how to change a tire makes you lower-class in their eyes, just as knowing how to install software does.

      --
      Good, inexpensive web hosting
  4. RTFM Issue by webword · · Score: 4, Insightful

    Unfortunately the folks who need the help the most are the least likely to read. It is like a law: Those who need to RTFM are least likely to RTFM.

    1. Re:RTFM Issue by justkarl · · Score: 2, Insightful

      That's just the thing, though. To people like "us", issues with identity, privacy, security and the like come as a sort of intuition. But when Joe User sees a popup on his monitor that says "Click me! You're a Winner!", they say "Sweet!" and they do click on it. You and I know better, because we know what happens. But I think people need to be a little paranoid, and a lot informed about their surroundings on the internet. Then it makes our jobs easier.

  5. In real life by Otter · · Score: 4, Insightful

    Every society develops certain universally-known rules of thumb about safety, from "Don't swim in the muddy water near that rivermouth!" to "Stay clear of the bar where all the tweaker bikers hang out!" Eventually, we'll have universal wisdom about being careful of email attachments and avoiding phishing schemes. But it'll have to happen through word of mouth and Oprah. No one is going to read a book like this.

  6. Did my paradigm shift? by mreed911 · · Score: 1, Insightful

    So let me get this straight:

    I'm supposed to buy a book that I've never seen nor heard of before, judge it by its cover and its self-aggrandizing description, then open it and proceed to upload it into my brain without any virus scan for all the tinfoil-hat type text.

    Then, this book will tell me that I shouldn't do on the internet, in email, etc. what they're absolutely counting on me doing in real life? I can't trust those emails and open those attachments and download the contents because it's unsafe?

    I think I'm going to go write an antivirus book that everyone must buy before they read any more books, and sell a service where people can't read books unless I've read them first and deemed them safe. And oh, yeah, you'll have to buy the update to my book every few days as I read new books.

  7. Not all problems are solvable by flinxmeister · · Score: 4, Insightful

    The systems of today are designed to be usable by the average Joe and Jane, but they aren't designed to be securable by that constituency.

    From a security perspective, "computers these days" are like a nuclear reactor, or a rocket, or the tax code. They're just not manageable by the average person, and the bolt on shells of security that are offered only work to a point. Without a consumer-securable security model integrated from the ground up, you're going to have melt downs, misfires, and botched returns.

    So, a book of anecdotes about "real people" and contemporary information security is almost going to be inherently uninformative. How could you possibly cover all the seams that today's severely limited security models leave open?

  8. General Security by starseeker · · Score: 4, Insightful

    I suspect we will never have universal security in the computer world, as long as it takes any effort on the part of the end user. Which leads to several conclusions:

    a) Social Engineering will ALWAYS succeed. Whatever engineers do to protect a computer, they can only protect the user from themselves up to a point. There's no cure for giving someone you think you trust your username and password, for example, and then having them rip off your confidential data. Or for that matter, keeping people from answering emails using information they shouldn't. It's a grim conclusion, but short of warning people not to be trusting nothing can be done.

    b) The machine itself CAN be made much more secure by default. This usually comes at the cost of user-friendliness, but the username/password/account idea seems to be virtually universal now. The key to making a user friendly secure machine for the average consumer is to set up rules that allow the machine to do everything the user is likely to want to do, and ONLY that. In other words, some form of Mandatory Access Control. This is a pain in the neck for those who want to do lots of complex things on their machine, but I suspect the average needs of the modern user are becoming well defined enough to achieve something. And if applications AS PART OF THE DEVELOPMENT PROCESS create rules for what their program needs to be allowed to do (which can be externally audited to keep them honest) we might achieve a situation where it's difficult to impossible for a computer to be cracked from the outside through technological means.

    c) The bad news is, there's no market for b) and so it's unlikely it will ever happen. People have to be willing to pay the price for security, and I suspect up front cost of inconvenience (either to developers, end users, or both) will be seen as greater than the statistical potential of dangerous information theft. Whether that's true or not I don't know, certainly it varies on an individual level, but it takes herds of users to fund commercial software development and I suspect the average consumer response will be the immediate path of least inconvenience.

    d) Open Source, being outside normal economic constraints, might produce something like b) eventually. But while individual projects might code to such standards, they are probably too high a median to set for casual, unpaid development. Success would require most of the open source community to be willing to do extensive testing and planning for running their software in a MAC environment, and that's not much fun to most non-security oriented developers.

    e) So, in the end, matters will only improve when the costs of electronic theft and attack are so high they raise demand for secure systems to the economic minimum. Whether that will ever happen I don't know. My cynical guess is it won't - we'll just have to live with it. (Individual geeks of course can try to do better, but the internet has become a community. For better or worse.)

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  9. Skip the technical details by rufey · · Score: 2, Insightful

    I just spent the past few days with my spare time cleaning up a friend's computer. It was a mess with spyware/adware and possibly some malware.

    The advice I gave them is to never download anything from the Internet that seems "cool" or promises "this or that". Sure, if you are downloading an update to software you already use, it's okay. But you don't need this new cool search bar for IE, a search tool that promises to be intelligent and show (a.k.a. pop-ups) only ads you'd be interested in, and you don't need to keep up with the Joneses with every "cool" spyware software.

    Explaining how these things are dangerous has little effect on the "normal" computer user who doesn't know the difference between a DSL/cable router and a hub, who doesn't know how the Internet works (such as how TCP works, packets, routing).

    I've found that simply telling them to not do it is the most effective thing I can do. Most users won't understand the technical details. But they will understand if you simply say to not download it because if you do it enough, your computer will become unusable.

  10. sorry, not needed... by Chuck+Bucket · · Score: 3, Insightful

    Most Windows admins I know have the book "What you don't know can't hurt you", and they seem to follow that to the letter.

    CB!

  11. Perhaps. by nlinecomputers · · Score: 2, Insightful

    However, it seems to me that the average computer user 10 years ago was more knowledgeable than one is today.

    I too believe in the grandparent's argument. People should have a minimum knowledge of a computer just as they have a minimum knowledge of how to run a car.

    Actually a lot of people couldn't change a tire if their life depended on it. But they can look at a tire and note that it is low, and they will have tires rotated and inspected on a regular basis. Something that computer users will not do.

    --
    Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
  12. Re:I know nothing about computers. Take care of me by random_static · · Score: 2, Insightful

    this will only work if the same user is willing to accept "i can't let you download that junk / play that game / view that malware-laden web page" when the machine tells them so.

    making a machine that won't get infected by all kinds of crap isn't all that hard; making a machine that won't get infected no matter what the user demands it do for them is impossible. and no user too stupid to take care of themselves is smart enough to accept being baby-sat by any mere machine.