Today's ISC Handler's Diary Is Partially Right, and Then Completely Wrong

I read the following in today's Internet Storm Center Handler's Diary:

"Pay attention, you’re about to read something vitally important: COMPUTERS ARE NOT APPLIANCES. THEY ARE TOOLS. Tools require that their user be skilled. Tools require education and training to use. Tools require a level of involvement beyond that of an appliance because 'tool use' carries with it an inherent danger...

[O]ver the past decade, the computer industry has deliberately ignored the nature of its product. It has attempted to grind off the sharp edges, to put padding on the corners, and to make a 'consumer safe' appliance from these inherently dangerous tools. The current state of security on the Internet is simply reaping the seeds we have sown...

We don’t allow untrained and inexperienced drivers onto our streets, but any yokel with $9.95 a month can get on the Internet...

The time has come for change. Users cannot continue to proxy the responsibility for their security to others. If they’re going to use this tool, they need to be trained or they need to pull the plug (or have the plug pulled for them).

What can you do? Teach.

Organize a community 'adult ed' class to teach people security basics. Sit Aunt Sophie down and make sure that she has (and, more importantly, understands why she needs) a firewall and virus scan. Check with your local School District and make sure that while they’re teaching the impressionable young ‘uns how to create a graph using Excel, that they’re also teaching them safe computing habits. Scout your neighborhood over the next week, looking for discarded Christmas computer boxes, and knock on the door and offer your services.

We’ll all be glad you did."

The correct part is the statement that "computers are not appliances." Everything else is completely unrealistic. I sympathize with the Incident Handler who posted this advice, but I disagree with his proposed remedies.

According to Internet World Stats, as of October 2004, the United States had almost 200 million Internet users -- over 2/3 of the population. If 97% of those users were taught to behave "properly" or "safely" on the Internet, that would still leave 6 million "risks." Why did I choose 97%? That's the United States literacy rate. (Forget about those who are "functionally illiterate"; that makes the situation even grimmer.) If we can't even get every American to read, how can we teach everyone to be "safe" on the Internet?

The Incident Handler mentioned drivers in his report, so consider this angle. A mid-2003 story based on Bureau of Transportation Statistics data reports there were "204 million vehicles and 191 million drivers" in the United States. That's about the same population size as our Internet user base.

I am one of those 191 million drivers, and I am not an automobile aficionado. I like to watch Pimp My Ride and Monster Garage, but I have zero interest in making any of those modifications myself. My car is transportation, period.

Consider how my vendor takes care of me, and the role I play in my car's operation. I receive recall notices from the manufacturer that entitle me to return the vehicle for free-of-charge repairs if my safety is affected. My only maintenance involves regular oil changes, fluid changes, and regular wear-and-tear part replacements (tires, belts, etc.). I take the car to the mechanic periodically and I pass my state emissions and safety inspections. For all intents and purposes, my car is an appliance, like my water heater, HVAC, and vacuum cleaner.

The problem with personal computers is that vendors and too many security pundits expect users to be experts. They expect users to have the same level of interest in their PC that an automobile enthusiast has in his or her car. Whose fault is that? I put the blame on the vendors and security pundits who propose "security awareness" and blame users for security problems.

Here's the real wake-up call: 90% or more of the population doesn't care at all about how their PC works. The vast majority treat their PCs like I treat my car. All they want is to check their email, browse the Web, pay their bills, order goodies from online vendors, and play games. A freakishly small proportion of Internet users mod their PC cases, run non-Windows operating systems, overclock and watercool their CPUs, and know what an IP address, port or protocol is.

The bottom line is simple: we can't expect people to care about their computers any more than they care about their cars, or TVs, or microwaves, or other appliances. We need vendors to sell more appliances (like thin clients connected to supportive ISPs) and fewer general-purpose personal computers. The burden must be on the vendor and perhaps the ISP to provide a general-audience-safe appliance, not a ticking time bomb with a five-minute fuse.

(Incidentally, I am a vehemently anti-socialist libertarian who believes people should take care of themselves. Using the Handler's "tool" analogy, I don't think vendors should be allowed to sell wood saws without guards, that shatter and disperse metal fragments from poorly-built blades, or that can only be used safely by master craftsmen with years of training.)

Consider a final angle. Why is TiVo so popular? TiVo puts a powerful capability into a simple package. You don't have to be a "TV expert" or receive "training" to record shows with your TiVo or pause and rewind live television. TiVo wins because it doesn't expect its users to go to the lengths necessary to support the personal computer. (Power users can still modify their TiVo if they like.)

I think vendors should take a closer look at the evolution of the automobile and the success of the TiVo, then reconsider the products they sell. Some smart ISP is going to make a lot of money renting or giving away thin client technology paired with subscription-based broadband Internet access. Add in centralized, anywhere-Web-accessible data storage, backed by local USB token storage, and you have an incredible, powerful, centrally-protected and managed computing platform for the 90% of the population that doesn't care. Appliances are the answer for the vast majority who don't want to tinker with their technology, and we need vendors to sell and support them.

Comments

Anonymous said…
You mention emissions tests; how about some of the major ISPs (ahem, AOL, Comcast) have minimum patch levels for PCs... if you don't meet them, the only site you can visit is Microsoft Update?

Btw, not sure if you are interested but I sent ITConversations.com an email today, stating that I would be interested in hearing how you think. :)
Anonymous said…
While I completely see the point you've made, I'm curious as to how you treat this issue...licensing. You said that there are 191 million drivers, and in the US, most (if not all) of them should be licensed. Considering that some of the drivers, even a small percentage, are going to have an additional level of licensing...limo drivers, CDL drivers, etc.

I'm sure not all of these drivers are going to be "experts", as you describe. Most aren't going to know how to take a wrench, screwdriver, and soldering iron under the hood to make mods to improve performance, but what they are going to have is a common, basic level of knowledge...through education. Is this education feasible for everyone? I don't know...but it seems to be feasible for drivers...giving them a basic understanding of rules, signs, and procedures.

I was at a friend's house recently, and listened to some of the folks who are parents talking about their kids and computers and IM...one father stated that he'd found 400 images of an unsavory nature on his daughter's computer. He suspected that her system had been infected and used as a repository...but he didn't have anything other than speculation to back it up. My point is that if his car had had some trouble, he wouldn't be sitting around gabbing to his friends about it.

What's the answer? To be honest, I think I'd start with educating the admins and IT managers. I see posts on public lists every day from supposed admins who seem to lack even rudimentary troubleshooting skills, and basic knowledge of the tools they're using. By educating those folks first, you can create a critical mass, and perhaps change the whole "user = luser" attitude.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
Anonymous said…
To get a bit more mileage out of the car analogy (pun intended): the handler also makes the false assumption that everyone with a driver's license is polite, ignoring that many (most?) speed, litter, tailgate, change lanes with no signal, do 45 in the left-hand lane, etc. I don't know what equates (digitally) to that but it's not good.

My grandmother was a very well-read and religious woman. However, at age 80, she could not wrap her head around e-mail, even when numerous grandchildren tried to explain it to her. She firmly believed in hand-written letters (and hated postcards). She never would have "got" why it's unsafe to open unsolicited e-mail.

-joat