Slashdot Mirror
Most Home PC Users Lack Security
Ant writes "CNET News.com and MSNBC report that a survey of home personal computer (P.C.) users found 81 percent lacked at least one of three critical types of security. However, the number of consumers using firewalls and updated antivirus software is improving, according to a report released Wednesday. The vast majority of consumers surveyed were found to lack at least one of three types of critical security--a firewall, updated antivirus software or anti-spyware protection, according to a report by America Online and the National Cyber Security Alliance. Of this group, 56 percent had no antivirus software, or had not updated it within a week, while 44 percent did not have a firewall properly configured, according to the report. Meanwhile, 38 percent of survey respondents lacked spyware protection..."
Whatya mean? I got my blanket right here...
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
After witnessing how easily most consumer firewalls were abused by Sony's DRM I'd say that firewalls are no longer an indicator of computer security. At least on the Windows platform.
fast as fast can be. you'll never catch me.
Yeah, since they care more about podcasting than rootkits, what did you expect...
giel.y contains 2 shift/reduce conflicts
They're missing the most important type of security; a browser which is not Internet Explorer.
I thought most of us slashdotters were taking care of our home PCs... and mom's... and dad's... and grandma's...
Your survey is useless. Have a cookie.
Yes, I know I can google this - no shit. However, interested in the opinions here. I'm tired of paying for Norton A/V, so what's the best freeware A/V scanner for Windows? Shell/app integration is not needed, just a standalone app with good and frequent def updates would be nice.
xoxo,
boomgopher
Your hybrid is not saving the environment. Its purpose is to make you feel good about buying something.
"Well Duhhhh!!!!!" category?
Patrick
The worst part of being athiest.... You don't have anyone to talk to during orgasm!
National Cyber Security Alliance? Couldn't they at least have picked a different acronym than one that's been used in the computer field for a really long time?
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
We KNOW home users don't have security. Windows has been brought kicking and screaming from a single user insulated space into the big wide internet world.
Home computing has evolved just like personal motoring has.
Seat belts and safety features in cars used to be an addon luxury that not many people had or used, now every car comes with them and airbags and strengthening supports as standard.
Spyware protection is a new tact, and should really be dealt with in the same malicious software category viruses fall into - it basically uses the same engine, and its only the AV companies themselves who made a distinguisher between installed with vague permission and none whatsoever.
liqbase
Everyone gets mad at Microsoft for bundling more products together, but it's obvious most people are too lazy/uneducated to install this type of s/w.
By those metrics, Linux, BSD, OSX, well anything that isn't Microsoft is an insecure platform...
Antivirus, antispyware ? What do you mean ? Is that only in the New Oxford American Dictionary ?
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
You shouldn't need an external firewall to protect your machine from hostile incoming connections -- your machine shouldn't be listening on ports it doesn't need to, and when it does listen, it shouldn't be possible for incoming connections to subvert it. You shouldn't need add-on antivirus software -- your machine should have a basic "immune system" of its own and shouldn't be vulnerable to the effects of running untrusted external code.
It is possible to design operating systems that are inherently secure in these ways. One of the larger crimes committed by the designers of the currently-popular consumer-grade operating systems is to have convinced large swaths of the population, via ubiquitous, crashing mediocrity, that it's somehow an "impossible" problem. It was largely a solved problem 20 years ago, if anyone had listened.
Normal computer users shouldn't have to cope with all this stuff.
Why should they need a firewall? The OS simply shouldn't have dozens of unneeded services that listen on the network on by default.
The sad fact is that the OS most people are using lacks basic security out of the box. Acting as if it was the users falt won't make this simple fact go away.
Frankly this subject has been one of the biggest problems I've had to deal wit hback when I was the service manager at a computer store that serviced retail users. The complete and utter lack of security. This fell into three catagories:
Lack of Anti-Virus
Most of the time I tried to hammer it into thier heads that spending $40 now would save them a ton of heartache later. If I was EXTREMLY lucky, I could persuade them to go out and buy the software from Staples, bring it back to us, and we'd install it on thier new machine before it ever left our store and it's own defenses. Most of the time however I'd install the trial version of norton or mcafee, inform them that THEY MUST get the full version before the trial period is over, and STILL see the goddamn thing within two months, loaded with enough viruses to call it the PC version of Typhoid Mary.
The part that sucked was that inspite of a verbal warning, a piece of paper taped to the computer and the monitor warning them that they NEED anti-virus programs, they still came to me with "Well why the @#$% didn't you tell me about this?"
Firewall
Actually this is no longer as much of a problem as it used to be now that we're seeing broadband and multiple computers in a house becoming the norm. We used to sell Linksys routers and that became a strong defense. Myself personally I run Norton Internet Security behind my Symantec Firewall/VPN appliance for a two pronged defense and so far I've yet to be broken into (although I've logged a ton of port sniffing attack attempts).
The third problem is Spyware.
At least this one is easy to fix. I usually install Spyware Doctor on the system that came into my shop and clean out the system (then uninstalling it unless the customer wanted to buy a license from PC Tools), then I'd install the free programs out there (Ad-Aware and Spybot Search and Destroy) to protect them in the future.
Spyware has never been too much of an issue for my customers because I could install a free program and if they ever had a problem I could talk them through the programs over the phone. For the most part that was all they needed so it wasn't too bad of a problem.
It's nice to see that more and more people are getting concerned about security. Just a little effort and a small investment and your computer can be safe with a minimum of fuss.
-- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
Amazing... now who was surveyed? Are Linux and Mac users concerned by the survey? Or they aren't worthy of the title "home PC users"? That's like 10% of the home PC userbase that would probably answer "no" to all three types of security. But wait, the report is carried by MSNBC ? Ah, all makes sense now.
Bah, methinks the whole article is shameless self-promotion, marketing bullsh*t if you will:
The improvements were attributed to the default firewall that is installed with Windows XP Service Pack 2, according to the survey.
When you purchase a PC, you should have the option of installing freeware that might help you in the incessant barrage of spam, viruses, spyware, adware, bots and phishing emails. It might also help to have a short tutorial on how your PC becomes infected/compromised/used to propogate malicious code. Maybe then Windows would be a better and safer O/S?
d ucts/znalm/freeDownload.jsp (Zone Alarm firewall)
a milyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displa ylang=en (MS Anti-Spyware adware/spyware detection)
For those who need some free help:
http://free.grisoft.com/doc/2/lng/us/tpl/v5 (AVG anti virus)
http://www.zonelabs.com/store/content/company/pro
http://www.lavasoftusa.com/software/adaware/ (Ad-Aware adware/spyware detection)
http://www.safer-networking.org/en/download/ (SpyBot S&D adware/spyware detection)
http://www.microsoft.com/downloads/details.aspx?F
He who knows best knows how little he knows. - Thomas Jefferson
Did they include the people using Norton/Symantec stuff in the protected or unprotected category?
lol no its not a virus
Teenagers. The worst people that can just make a pc worse. They just love them stupid smilies that they download, and they don't even know what spyware is. They also, download viruses from IM's, since they are the most used communications at that age range.
I agree. Consumer anti-virus,firewalls, and anti-spyware are not a good metric of security. Most people can't stand blocking and unblocking programs for their outgoing firewall all day. And really, the average consumer doesn't know what's safe and unsafe. Incoming protection is pretty pointless too since so many computers are behind a nat router. Anti-virus provides protection for old viruses, but the 0-day mass speading ones generally beat anti-virus anyway. Anti-virus provides retroactive protection of viruses already written. It doesn't generally provide a means of stopping a suspected virus. I've seen some that can, but the general home user anti-virus doesn't or requires training from users not skilled enough to train it. On top of that, there's so much political bullshit that goes on within the ranks that something could be malicious to your computer, but the supplying company complained it was legit and they let it through anyway. Also! They generally provide little/no spyware protection. So you've got a bloated piece of crap anti virus program that slows down your computer almost as much as the virus itself that doesn't really work all that well.
The only retroactive solution I think is worthwhile these days is spyware scanning your box once a week. And rotate which scanner you use.
On the other hand, there is A LOT you can do not to get spyware and viruses in the first place. First, DON'T USE IE. All the fanboys will cry foul here, but it's true. I don't care if alternative browsers are just as hackable but they aren't being exploited blah blah blah... We'll cross that river when we get to it. For now, using almost anything besides IE will stop the bulk of your spyware. Also, in whatever browser you use, don't allow in browser media to be played. Flash, movies, music, etc etc. Or at the very least, make sure it prompts you first so you have the choice to only do so from websites you trust. Also, don't go to sketch sites. Plain and simple. Let's see... don't use outlook, EVER. In your MUA make sure it it either doesn't display html or prompts you to do so. Don't open attachments. It's stupid. It's so incredibly easy to spoof who you are via email that you can really never fully trust an email. Don't use AIM. There are AIM viruses left and right nowadays. Use an alternative like gaim or trillion and never accept to transfer files.
More than anything, just be smart about where you go and what you do. Understand that the internet really isn't a safe place. Security isn't a product, it's a process. I can't stress this enough. Doing certain things yourself will keep you safer than any anti-virus ever could.
If an officer ever threatens to taze you, say you have a pacemaker.
I think that the questions are skewed to make things appear worse than they are, presumably because the survey is done by AOL and the National Cyber Security Alliance, who presumably have an interest in scaring people into their products and services. Aside from the obvious Linux/Mac issues described by other posters, "properly configured" firewall is a pretty strong definition and I expect many quite adequate firewalls could be classified as "improperly configured" even though they were effective against the bulk of the current attacks. Similarly, only counting anti-virus software if it has been updated in the last week is going to skew things- there is a big difference between having no AV at all and having AV that is running but has definitions that are two weeks or a month old, and the metric chosen groups those two cases together.
It's psychosomatic. You need a lobotomy. I'll get a saw.
from the news-at-eleven dept.
Bug writes "CNN and Al Jazerra reported in a joint statement that a survey of slashdot articles found that 81% of them lacked at least on of the three critical contents of a newsworthy report. However, the number of dupes has been recently improving, according to a report released yesterday."
Ok, really. Everyone with even the slightest interest in computer security knows that there's not much that's easier than taking over a dozen or so home PCs. Why else, do you think, do prices for botnets range in the cents-per-machine range? Because it takes maybe one cent of effort to break into the average home machine, otherwise those selling the botnets wouldn't be turning a profit. It's probably more expensive keeping other botnet harvesters out than getting in in the first place.
Assorted stuff I do sometimes: Lemuria.org
I had another client this week whose PC was infested with spyware and viruses. Took me HOURS just to get it working *somewhat* normal. (Of course, he was using a pirated version of XP, so I couldn't do the easy thing and just re-install.....) The idiot hooked his PC up to a cable modem with NO anti-virus or spyware protection. We all know that PCs are hit within minutes of connecting to a high speed line. I've never seen so many instances of a virus in my life. And the spyware he had was NASTY. I hope some day to meet the guy who developed SurfSideKick so I can kick him in the balls repeatedly. (if you are reading this you bastard, I hope you meet a painful death very soon)
Anyway, I'd say 95% of my PC clients have problems with spyware. They have no clue what it is or what to do about it. I think these ISPs should do a better job of educating these people when they sign up. They should also install spyware/virus firewalls. Hell, we have no problems at my office with that kind of thing.
Cheap pr0n!
I guess that's why I could quit my IT job and bring in twice the dough removing spyware from people's computers. Now I'm going to say something extremely controversial that many of you people here will not like. The cause of 97% of these spyware infections is surfing internet pr0n. It's true. We don't like to admit it, but somehow we just lose our regular reasoning senses when we start "surfing w/ one hand" if you know what I mean. You probably wouldn't click on that suspicious looking link, but damnit, you've never seen that done with a barnyard chicken before and you're curious! Additionally, no one is going to talk because no one wants to admit that they accidently installed a keylogger when they clicked on a link to "dirty lesbians lick each other's brown-rings". Therefore, all of our spyware becomes our dirty little secret of personal computing insecurity. Therefore, I say, ban ALL internet pr0n and the problem will take care of itself!
Look at you correcting made-up words. Slang nazi.
When the Fear mechanism is activated, particularly when there is no actual critical event occurring, (like running from a tiger), for which the fear drug pumping through our veins is preparing us to deal with. . , when we buy into the fear and there is no release, we end up in a perpetual state where we are much more open to certain suggestions which lack rational grounding.
"We're going to take your rights away and allow police searches in your living room. Okay? Terrorists! Viruses! Crackheads with guns!"
As has been pointed out, it's interesting that this story comes from MSNBC.
As an aside. . . My computer runs clean and sweet with just a simple little fire-wall. (And what an overly dramatic name is 'Firewall' for a program which asks me if I want to allow things access to my modem). I don't need any of that other junk; Virus scanners are for people who run Windows 2K and up and who open email attachments, which I don't. And Anti-Spyware is for people who run Kazaa and Google tool bars and other nonsense programs.
I mean, come on.
The Voice of Authority telling us that we home users need to run around like panicking headless chickens looking for 'security' on our writing desks?
Silly.
-FL
I believe that the ISP's could do more to protect their users.
At least here in the UK there is a trend for ISP's to bundle USB DSL Adapters with their packages. These devices require that the computer they connect to use the public IP address instead of allowing the host computer to run from a private NAT address. Exposing the computers real public IP address puts the responsibility on the user to install and maintain firewall software. Needless to say many don't know how to do this or simply allow their security software subscriptions to laps.
The argument for this practice this is that many home users do not have Ethernet ports making Ethernet based NAT, Firewalled routers harder to support as the user will have to install a NIC card. This may have had some truth 6 years ago when broadband first appeared in the UK and it was mandated by the incumbent Telco which USB modem must be supplied with the service.
These days every PC and Laptop sold has at least an Ethernet port and in many cases WIFI as well, some routers also support USB. This means the only reason to continue this practice is cost saving.
USB Adapters are less expensive to give away than routers, if an ISP doesn't bundle connection equipment they fear loosing customers to their competitors.
I feel this is a false economy. NAT routers are not much more expensive than USB Adapters and from a support point of view are easier to set up now that Ethernet ports are common place. You just have to pre-configure the router with the customers log-in details and enable DHCP. Pretty much the only thing the customer has to do is plug it in. No drivers need to be installed and updated. Running behind NAT now means that it's a lot less unlikely a malicious attacker can take over a customers PC. Which makes everybodys life easier.
The GP wasn't referring to Vax or Unix machines of 20 years ago with regard to their simplicity. It referred to the fact that security was a solved problem on those machines. You yourself go on to say:
The thing really worth noting in your statement is that OS X uses a >20-year-old security system. It's using Unix permissions, straight from the BSD core of the system. The same BSD core used in the NeXTStep operating system a little under 20 years ago (albeit slightly upgraded since then).
Individual software packages, particularly those designed to listen for commands from the network and execute things locally (ssh, etc.) can have the sort of issues you decribe in your last paragraph; As they get more complex, the task of maintaining security does potentially also become more complex. But on an operating system level, there have been sufficient rules in effect for a long long time now. For instance, just saying "this can only be done with root privileges" and "root privileges can only be gained interactively, and on a one-shot basis" will cover a vast amount of potential issues, and is pretty much what OS X does, as you describe (albeit with slight timeouts to root privileges, rather than pure one-shot operation -- although that timeout is user-configurable).
At the end of the day, MS-DOS, QDOS, and such, left that out in the interests of expediency, size, and (maybe) end-user perceived complexity/ease-of-use. It then became a standard. I like to quote my boss on this one:
He tells me that, having worked with Unix/BSD/Vax -level machines in the late seventies, when the IBM PC came out, he and his cohorts were interested to see it. They took one look and put it down as a failure -- a joke, even -- because it lacked so much of what they saw in their current machines. Unfortunately, it became the standard, in the process setting back the state of the art by many years.
Not least is the point that Unix/Vax systems were inherently multi-user systems, and they needed a robust way of preventing one user from destroying another's data. So this was built in from the very start. MS-DOS and QDOS didn't have this capability, so the standard became that any program had full access to just about anything. The only high security implemented was in the CPU itself, where a system trap was needed to get access to 'Ring 0' (privileged) instructions. On top of this, the somewhat limited nature of the system itself led many programmers -- used to working on a more capable OS -- to make modifications to the core system, to help their stuff work. That required privileged access to the system, in order to install hooks, drivers, and so on.
Of course, once this became a standard, it was hard to change that behaviour, and it never was changed because 'backwards compatibility' was the highest goal. So when mutli-user functionality was built into Windows 9x/NT, privileged operation became the norm. People logged in as an administrator, because their programs were designed needing full access to the system, and little or no provision was made for interactive temporary privilege escalation within the OS itself. Unlike Unix/BSD, you couldn't just ask the user for an admin user & pass to get the privs needed to put some file somewhere special, and then lay down those privileges when you were done with them.
As a result, you get the horrible mess we're talking about: An IM program that can corrupt the core operating system and ultimately gain access to privileged-mode CPU cycles? WTF? A game that can modify the system kernel, or the boot sector of the hard disk? They can only do that because the system lets them, or because the system won't let them do some small operation without high privileges, and requires that the entire process runs with those privileges as a result.
-Q
I would be surprised if the aggressive adware/spyware programs agreed with your self-assessment. But, then, how would you know you had spyware without an automated scan?
Um, what about with a manual scan? I do much the same as the other guy: I run Win2k, and I don't keep any AV, anti-spyware, or firewall software running. Every once in a while, I download the latest version of Spybot or AVG and let it have a look. I've been doing this for years, and I can state with absolute certainty that unless it's happened within the last month, I have never been infected with any viruses or spyware.
Again, "ignorance is bliss" is not the same as "I know I have no problems."
Nor is paranoia. Why waste processor cycles on buggy and unstable "protection" software when safe practices are enough, and their success can be confirmed with occasional checkups?
Failing to catch a heart problem or cancer in time can be fatal, but I don't believe anyone has a private doctor who performs exploratory surgery on them every hour. And eating poisoned or infected food can be fatal, but I don't believe many people bother to send samples of every meal they eat to a lab for testing. If you don't take precautions like that when it's your life at stake, why do you think you need to do the equivalent for a mere computer?
Pretty much all of the users I've scrubbed machines for had the default free McAffe antivirus installed. They hadn't been updated, ever. No new virus defs downloaded, ever. Definition files were years old.
The users had no idea that they were supposed to be doing this. They don't read the instructions, they just see an antivirus program running, and figure they're protected.