Slashdot Mirror


Security Alert

jnazario writes "As a computer security professional, one of the things I notice is that for our proposals to be effective, they often require the participation of the vast majority of computer users out there. Almost all of them are not computer security professionals, so it's imperative that our methods be usable by the non-professionals. What makes this even worse is that most computer users are not terribly savvy about what they're using. Terms like hard drives and memory don't mean anything to them, and a browser is just a window to the internet. A computer is a tool for information use, not an end in itself. So, a book like Security Alert: Stories of Real People Protecting Themselves from Identity Theft, Scams and Viruses sounded like it had real promise." Read on for Nazario's review of the book.

Security Alert: Stories of Real People Protecting Themselves from Identity Theft, Scams and Viruses
author: Becky Worley
pages: 266
publisher: Pearson Education
rating: 3/10
reviewer: Jose Nazario
ISBN: 0735713529
summary: Real world tips for regular people to protect themselves online

If it can communicate threats and solutions effectively to the average computer user, then we're making real progress. After all, even computer security professionals often fail to employ basic measures to protect themselves from typical attacks; we'll have to make sure this stuff is understandable by the general population. Not that they're the "great unwashed" -- hardly. They're just not focusing on this stuff. Hence, we have a challenge: make this stuff understandable by your mom if you want everyone to just get it.

Becky Worley is (was? I haven't watched TechTV in a while) a TechTV on-air personality. She's reported news and events for TechTV for a number of years, and has often done so clearly and at a level you'd expect for a general TV station devoted to technology issues. So, you'd think she'd be in a great position to collect information and know how to present it. Sadly, Worley's book doesn't fit that niche; it's not going to educate the large masses. In putting myself in the shoes of an average computer user, I found it fails in a number of ways.

The first and foremost failure of the book is right from the beginning. Worley opens up by saying that you're not a target of hackers, yet the rest of the book goes on to discuss how you are. While you're probably not going to be attacked by the same people who try and break in to Pentagon computer networks, virus writers and con artists fall into the same category for most purposes. All of these sorts of people, and what they can do, are described in chapter 1.

There's no discussion of phishing in the chapter on identity theft, which is chapter 2. Identity theft is a large, complicated subject, yet Worley only focuses on credit card number theft. While she talks about social security numbers, she doesn't demonstrate how they have been used to destroy victims' lives. Some advice is given as to how to react to credit card theft, but little information is given here about how to protect yourself to begin with, aside from being careful about whom you give your SSN to.

The book repeats itself often, covering similar material in several places. Chapter 3, which covers online purchasing, covers credit card info theft and email scams again. What it doesn't cover very well is how to spot a legitimate website, how to really use an escrow service, if and how you can get eBay or a shipper to help you out of a scam auction, and the like. Useful information about verifying who owns a certificate for an SSL server, or even making sure you're using an SSL server, is not given. Examples of false websites and auctions would have been useful. After all, after telling us how scammers operate and look so legitimate, illustrating the points about how to spot them would be valuable.

The book is full of anecdotes but few useful pieces of information are placed where they need to be. Chapter 4, which covers viruses, is one of these examples. It spends most of its time covering typical viruses and the usual, but doesn't get into anything beyond "use antivirus software." Never mind that the biggest threat in recent years has been from automated worms and that personal firewalls are useful; that's covered later. We hope you remember the quick tutorial on viruses from before.

The book's organization is poor, with material scattered throughout the book in a fashion that doesn't progress well or develop the information seamlessly. More virus and scam information is placed in Chapter 5, along with virus hoaxes. Several websites are referred to, but there is little in the way of really spotting a virus hoax or the common scam. Since they still abound, and people still fall prey to them, couldn't a better job have been done to describe what people are looking at?

In short, the book is a decent collection of links and material but is so poorly organized or so thinly presented it's hard to get what's going on. Take chapters 6 and 7, "Safe and Sane Online Interactions" and "Protecting the Family." Lots of information, somewhat poorly organized, and very skimpy on content. It seems to me that worrying about who is pestering my kids is more important than hearing about someone's EverQuest addiction, so that was a wasted page.

Finally, Chapters 8 and 9 should have been moved up front more. The topic of chapter 8, "Privacy," is perfect for the topics in chapter 2, where Worley talks about identity theft. The topics covered here, including spyware and key loggers, are far more germane to the threat against your privacy and bank account information, and have been a growing trend for at least a couple of years. Chapter 9, differentiating being safe and being paranoid, should have been placed up front to help temper the arguments given in the rest of the book. It does a decent job of articulating the threats, what's to fear, and what's at stake.

The book is laden with plenty of anecdotes about online activities gone awry. What's missing are solid examples of how to do it right, how to use your credit card on trusted sites safely and ensure that you're using services you know are worthwhile. While the book has some useful information in it, it's buried under poor organization, unclear language and presentation, and finally repetition in all the wrong places.

While the world needs a book or two to help everyday people understand online security, this isn't the one. If you're looking for something for your kids, your spouse, or your parents, keep looking. This book won't help them make sense of what's going on. I don't think that's too much to ask for, especially from an organization like TechTV which has access to lots of material, people, and motive to produce a solid book.


18 of 162 comments

  1. To help explain security... by kdougherty · · Score: 3, Interesting

    Why don't you demonstrate security flaws instead of just explaining them? Show your board or whoever actual real-time exploits and flaws so they understand what the consequences are. If not you could always use a crayon and paper... it's how I taught my mother to use email. :)

    --
    The best way to predict the future is to invent it. -Alan Kay
  2. What about Security for Dummies? by qualico · · Score: 3, Interesting

    I'm *not* being serious.

    Although, it sure would be nice on the one hand to have a well written security book for the masses, it's equally important on the other to stress that using a professional is a great way to achieve the goals of protection and understanding.

    Maybe I'm just trying to create more job security for myself. :->

  3. The computer needs to solve the problem by Neil+Blender · · Score: 5, Interesting

    Most people, present and future, will probably remain ignorant forever. No book will solve the problem of internet/computer security for the masses. The computer needs to solve it. People just aren't interested.

  4. How Things Work by nemski · · Score: 4, Interesting

    It always amazes me that geeks think that everyone should know how a computer works. Why? Does an automechanic or plumber or electrician expect the same? I hire a guy to fix my brakes, change the oil, install a new heater and air conditioner in my house, and, frankly, I don't want to know how they do what they do.

    Before you drop into identity theft and such, how many people don't even know what their credit score is? And you don't even need a computer to find that out.

    --
    Some people have a way with words, others not have way.
    1. Re:How Things Work by DarkMan · · Score: 2, Interesting
      > It always amazes me that geeks think that everyone should know how a computer works. Why?


      Whilst I don't fall into that category, I can explain that attitude.

      I don't use anything that I don't understand how it works, and that I don't know how to construct at least a basic version of it. Thus, I can't design a state of the art VLSI chip, but I could make a transistor, and assemble discretes into logic blocks, and make a basic computer out of logic blocks.

      Same goes for a car, a CRT, plastic bottle, door (hinge, lock, woodworking), etc.

      In fact, I even know how to recognise basic mineral ores, and how to smelt them. I have cast and forged basic metal objects.

      From where I sit, the surprising thing is that people are happy to use things they don't understand why they work, rather than the reverse.

      No doubt a history geek would find it shocking that I don't have a clue about the causes, aims nor outcome of the Boer war. There are merits to both points of view, but I'm not surprised that one is espoused more than the other on here.
  5. Re:RTFM Issue by plover · · Score: 2, Interesting
    Even if the review had been glowing and great, you're right. Nobody I know who would need to read a book like this EVER would have bought it.

    That's why I think it's somewhat our responsibility to help our friends and families (to whatever extent possible) to keep them out of computer trouble. I carry a copy of Spybot S&D and AVG Antivirus with me when I visit family members, just because I know they don't have what it takes to keep themselves safe. Some can't even be bothered to run Spybot without prompting (however, whenever a house has nieces or nephews aged 10-12 I find they are the ones to catch on really quickly, and I also find their families' computers are much less likely to have spyware.)

    Yeah, I might spend half an hour away from people while I clean things up for them, but it's always, always appreciated. And I know there are at least a dozen computers out there that *aren't* acting as zombies.

    --
    John
  6. Think: children's books by bennomatic · · Score: 3, Interesting
    Messages that are intended to change the way people think about things need to be delivered fast and hard. Think commercials. Or kids' books. Or comic books. Grab them, get an emotional response, associate an old behavior with bad feelings, associate a new behavior with good feelings.

    I have not read the book, but based on the description, it sounds like it will be seen as most effective by people who already know what they are doing. With large numbers of anecdotes and not enough focus, it falls firmly under the heading of preaching to the choir; the only people who will probably slog through this book will be people who understand its importance before even opening it up. I've got friends who not only use easy-to-guess PIN numbers and passwords, but when participating in a conversation about the importance of security, they'll even announce their information proudly, as if it's some sort of joke. You don't change those sorts of attitudes with a textbook.

    Maybe security philosophy would be better spread through viral means such as a really funny movie (think the original South Park Xmas Jesus vs. Santa video), or a bunch of jokes that people tell. Here's one that would work on an old friend of mine: Q- What do you get when you take the area code away from your phone number? A- Your ETrade password!

    --
    The CB App. What's your 20?
  7. It's worse. by teamhasnoi · · Score: 4, Interesting
    A browser is not a 'window to the internet' but IS the Internet to most clueless users. Even though these same people would be able to tell you that, 'No, there aren't little people putting on a play for me inside my TV.', they still don't know the most basic things about using the computer.

    The tower case is the 'hard drive', the monitor is the 'computer', and even after being repeatedly told and shown what the correct terms are, it's gone in an hour.

    My dad is a perfect example. One of the first things he would do on my infrequent visits home, is take off his digital watch and have me adjust it for daylight savings time.

    "Hey, Pops - let me show you how to do this. It's easy."
    "Don't bother, I will never remember. Just set it."

    Ahhhrg. People don't remember, because they don't *want* to. I am constantly amazed at the lengths people will go to in order *not* to learn something.

  8. *cough cough* by Diordna · · Score: 1, Interesting

    If you want someone to be free of security problems, have them get a Mac. It's the easiest solution. If anyone here can tell me of an instance of a Mac getting hacked in the last 2 years, tell me and I shall be humbled. On another note, someone has hacked into my XP box and is using it to watch hamsterdance.com 24/7. It's really eating into my connection...anyone know how to ward off an 8-year-old?

  9. CAA by mfh · · Score: 2, Interesting

    I am a firm believer that if you own a car, you should be able to change a tire, and change the oil. Basic maintenance.

    That's what CAA is for. If you own a computer you should be able to turn it on and use the programs on it. If you need anything else, you should have the phone number to a really good/inexpensive techie. I never ever waste time with installs or anything like that. A guy I know does all that for $20-flat, so I can do other stuff (like play PS2) and I get a superb/secure setup for cheap.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  10. un-savvy people by qtothemax · · Score: 3, Interesting

    Kind of offtopic, but it really is true that the terms memory and hard drive don't mean anything to most people, and it took me quite a while to realize it. People are always asking me to fix their computers when they have spyware problems, and are all worried because they have a couple games and mp3s on their 80 gig hard drive, and think they have filled all the "memory." I have a hell of a time convincing everyone that having used 5 gigs of that 80 gig drive is no big deal and they don't have to delete everything to improve performance, though at the same time I have a hard time convincing them to turn off all the useless apps they have running in the system tray.

  11. Re:Not all problems are solvable by Anonymous Coward · · Score: 1, Interesting

    "From a security perspective, "computers these days" are like a nuclear reactor, or a rocket, or the tax code. They're just not manageable by the average person"

    Well Windows' security might not be manageable by a normal computer, but there seem to be a whole lot of people surviving just fine with an OS that was designed to be secure and easily usable...

  12. Re:Own a computer, own a car by ch-chuck · · Score: 3, Interesting

    many people don't know how to change a tire or oil.

    Clearly, what is needed is a network of retail shops, call them 'Jiffy Comp' or something, for people to pop in and have their computers scanned and upgraded while they wait in the lobby watching CNN. After 20 minutes or so a jumpsuited tech would come in and say, "Mrs Pauley? We found two worms, installed service pack II and updated the virus defs. Everything is ok now but be sure to bring it back every 30 Gigabytes or 3 months. That'll be $24.95 + tax"

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  13. I know nothing about computers. Take care of me. by OreoCookie · · Score: 4, Interesting

    IMHO; All operating systems should have an option that can be selected where ALL security options and ALL network configuration is set by the OS, basically saying to the OS "I know nothing about computers. Take care of me." Only if you actively choose to turn this off would you be asked to set anything yourself.

  14. Volume by mfh · · Score: 2, Interesting

    He does it on volume through his business. The rate is always less than $30-flat for whatever, be it installs of hardware, software, OS reinstall with ghost drives and full software installs. No matter how many you do at once it's always less than $30 CAD.

    What you might fail to realize is that this company took all the business away from the rest of the competitors by doing this, so whenever I use him I know my system is gone for about four days because of the long line of customers they have.

    They are really good too, because so far I haven't needed their services for about a year and a half.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  15. Re:Own a computer, own a car by TheSpoom · · Score: 2, Interesting

    No.

    You don't need to lie to people to inform them about spyware and adware. Hackers AREN'T trying to take over their computer, worms and ads are. If you tell them that they're going to be hacked, they'll go out and buy random "anti-hacker" shit from the nearest "security" company. Tell them the truth. If they have spyware, tell them what it is, how it caused their problem, and direct them to a good anti-spyware utility (don't just tell them to search for one as they'll hit fake ones, show them the Ad-Aware website or the like).

    PEOPLE AREN'T STUPID. They just don't use computers as much as we do.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  16. Argument invalid. by cbreaker · · Score: 2, Interesting

    Computers haven't always been under a grand. It's a fairly recent trend, last few years. Before that, they were usually very expensive, and people STILL didn't learn how to use them.

    I believe in the parent's argument. You should learn how to use a computer if you're going to own one. It's not rocket surgery. With modern point and click updates and easy to read instructions, there's no excuse.

    It doesn't end up working that way but I really don't feel too bad when someone can't figure out their computer. The information you need is right in front of you.

    And yes, I believe you should know how to change a tire on your car. Most people know how to do it.

    --
    - It's not the Macs I hate. It's Digg users. -
  17. Re:Perhaps. by hesiod · · Score: 2, Interesting

    > a lot of people couldn't change a tire if there life depended on it.

    And many couldn't spell if their life depended on it. But that only reinforces my idea: you don't have to know how to do something exactly right to be able to use it at all. Everyone (I hope) understood your sentence, despite the word switch. And people can use a computer despite not knowing any basics.

    Computers simply do not have the life-and-death situations that are present in a car. Many jerks bring up the "it could spread a virus to a hospital PC and kill someone" theory, which is complete B.S. Almost any hospital equipment that could kill someone either does not run a MS OS, or (more likely) is not connected to a network. If it is, that is the fault of the idiot installing the equipment, not someone hundreds of miles away. This does not apply to PCs inside the hospital network -- those should be locked down tighter than Fort Knox.

    Even if that weren't a spurious argument, there is inherent risk EVERY TIME you start a car. A PC that could even remotely hurt someone (barring electrocution, carpal tunnel, or eye problems) is, literally, one in hundreds of millions.