Practices, policies and user education

(Status of the text: currently the unmodified rant, should perhaps be made a bit more academic)

Intro
Imagine that starting from tomorrow, there will be no need for driving licenses. Everyone with enough money can buy a Ferrari - no tests, no medical examination. Money to me, a car to you. Traffic police will not test people for drunk driving anymore and speed limits are removed.

On that day, we will have the Internet on Earth.

Personal computers have become affordable for nearly everyone, broadband connections allow for rapid exchange of information, and there is a well-known, easily used operating system - has the information society finally arrived? Not quite. Instead, we have huge volumes of junk mail, dangerous viruses and Internet attacks. The weakest link in the chain is unfortunately the human.

Gone in 20 minutes: the grim reality
Time for a reality check. According to the SecurityFocus 2004 report, a PC with a default Windows XP install will have an average lifespan of a whopping 20 minutes before being hijacked by crackers. 20 minutes is not enough even for installing all the upgrades and reinforcements - therefore it is strongly recommended to install the system in a secure environment and connect to the network only after it has been hardened as much as possible (which unfortunately may also prove to be inadequate). Until Service Pack 2, Windows XP did not even have the firewall turned on by default - this was probably deemed an unnecessary inconvenience. It is quite amazing that throughout all these years of virus threats to Microsoft products, they have found no time to provide an antivirus for their system, relying solely on third-party products. Even a junk mail filter is touted as a novel addition to the system...

Nobody's child - the ordinary home user
One of the roots of the problem is the fact that while home users are increasingly a major source of income for PC manufacturers and resellers, software companies and network providers alike, none of them bothers with educating the users. A default, general user manual and in some cases telephone support (which has a bittersweet history of anecdotal cases where it is hard to decide whether to laugh or cry) are deemed adequate for them. The more computer-savvy minority will probably seek out hacker communities on the Net, and will through effort (which can at first be rewarded only by snide remarks and arrogance from some members of the community) finally obtain enough knowledge to take good care of their computers. The rest, however, will remain unaware.

Let's meet Joe, a car salesman by trade, who plans to buy a new computer. After checking and comparing different offers, he will pick the one which promises to include a printer and a scanner in the deal. The computer has an operating system preinstalled, so he does not have to worry about software - the shop also added MS Works for his office needs. Another visit to a local office of a big national telecom firm gives him a deal on broadband Internet - on the next day a technician visits him and sets everything up. Joe can browse the Web now, and he is quite content. But neither the computer salesman, the telecom officer nor the technician told him anything about how to manage his brand-new machine.

After some days, Joe's machine starts acting weird. He receives tons of junk mail, the computer unexpectedly slows down and some unknown files appear. His machine is cracked - someone from the Internet has found a way into his computer. Joe is not alone - he shares the same fate with lots and lots of people on the Net.

But... Why Joe? Whom should a car salesman's computer attract? In many movies, a killer says before pulling the trigger: "Nothing personal." The same here - Joe's computer was not invaded because of Joe's person. It was hijacked because it did not have any protection.

There was a time when computer cracking, although as illegal as in our days, was sort of a testament to one's prowess. Sometimes it was even pictured as a duel between the intruder and the defender or the system administrator, where the best man won. Those days are gone. A majority of network criminals of today are script kiddies - as cracking tools have evolved into easy, point-and-click packages, their use does not imply large brain capacity. Most of the kiddies lack it quite clearly. There was a case lately when a chimpanzee succeeded in cracking a program, using one of these simple tools (fortunately enough, most chimpanzees seem to have a higher level of ethics than kiddies).

Therefore, most attacks are untargeted - a big portion of the network is scanned for a specific vulnerability, and the positive results are then fed into another program which tries to exploit them. Once in, the cracker will usually secure his access for later by installing special cover-up software (often known as a rootkit).

A regrettably typical attitude of ignorant users is: OK, I got cracked. So what? I do not have anything important in my computer anyway! Well - sometimes even very innocent details can hurt someone quite a lot. Maybe it is just a phone number in your address book. Maybe you forgot that you had to work on the company's budget last week and a copy of it is still on that CD in the machine.

But maybe you really did not have anything notable. In this case, your future can bring along one of the following scenarios:


 * Your network connection will slow down due to numerous visitors to the hugely popular porn archive in your machine. Wait - you say you did not know about it? Luckily for you, it was just "ordinary" porn, not child pornography - otherwise you would have been in deep, deep trouble.
 * You get a phone call (or a raid, depending on where you live) from the Business Software Alliance. You will be shocked to know that there were all fresh versions of Adobe Photoshop, AutoCAD, and MS Office on your brand new hard disk. Illegally, of course. No one will accept the excuses that someone just "borrowed" your disk space to store his not-so-legal software.
 * You have to explain to the court that it was not actually you (Again! Whom are you trying to fool?) who was operating the IRC channel where stolen credit cards were routinely traded for the last few months.
 * You will be sued by a big company whose computer nerds tracked down the main source of junk mail clogging up their systems. Surprise - it was your computer.
 * You will be greeted at your door by a number of government agents and a pair of nice handcuffs. The reason: your machine was used to attack the .
 * You will go to your bank just to find the account empty. Internet banking may be secure, but the password sniffer that the bad guys installed to your machine two weeks ago was literally worth every penny.

Not enough? Let's add the new kind of news that started to appear in 2003. A number of Western European businesses which depend on being online (publishers, music stores etc - note that these enterprises usually lack strong in-house IT staff to work on this kind of problem) received letters which demanded lots of money and, if refused, threatened to bring the victims' networks down. What is startling in this kind of extortion - if the sum is "reasonable", the victim will probably be tempted to pay to avoid remarkably larger losses resulting from downtime. As with all extortion, this will lead to new attempts. Now - how is it connected to our story? As simply as this - the attack that was threatened against the extortion victim was to be carried out by hundreds of hijacked machines from the Internet. Joe might have been unknowingly helping the Mafia.

Sad but true, this is the reality of today's Internet. It happens every day.

Simple, affordable, secure. Pick two...?
So why are people using insecure things? Sure, the first explanation is that they do not know about the problem. But even when there are lots of warnings around?

There is a group of people who will probably never learn. They are told "Don't open the attachments from strangers!" and they will do it in the next moment. "Don't go after those advertisements!" - they do, and receive tons of junk mail as a result. They just are like that. If there is a justification at all for the arrogant hackerism "dumbuser" (or in a bit more subtle version, "luser"), it could be perhaps appropriate for these people.

But the rest? Why are millions of people still using Internet Explorer, Outlook etc, even if they know that they have lots of security problems? Because they are familiar with these programs, have paid for them when buying the operating system (because lots of people are still convinced that you only get what you pay for) and feel it difficult to re-learn anything. Perhaps if these people could realize that their indecision endangers not only themselves but lots of others too, they would change their minds?

Windows is simple and affordable. Mac is simple and secure. Linux (and other members of Unix family) is secure and affordable.

Or is it really so? The affordability of Windows on a world scale could be a subject for another writing - but for a typical Westerner, it is generally affordable. As for Macs - they have their dedicated followers and lots of well-established uses (publishing, music, multimedia), but they still lack the mass factor of the PC, and affordability is not the smallest point here. And finally Linux - the media still tends to cultivate the image of "a hacker system", something that is incomprehensible for "normal people". Its security is seldom debated - Linux has a strong reputation for it. Affordability cannot really be disputed either - it is difficult to get anything cheaper than gratis (even though some variants are also sold). But simplicity?

Actually, many diehard Windows users may well be shocked by how similar to Windows a modern Linux distribution can be. "May" is the key here - the level of customizability enjoyed by users of Linux and other free systems is out of the question in proprietary systems. A state-of-the-art, general-purpose distribution like Ubuntu, Mandriva, Fedora Core or SUSE is as easy to use and arguably easier to install than Windows.

There are still some obstacles to overcome, as many commercial vendors have had a long practice of considering the Windows platform only. Examples include Macromedia Shockwave (Flash is supported) and MS Office macros (in which case, their innate insecurity is a major factor in not supporting them). However, considering how fast the development of Linux has been, it might be a good idea to start looking in that direction.

An important reminder - the system's inherent security may have no effect if the duties of the administrator are neglected. A Linux system without updates is perhaps only marginally more secure than Windows. On the other hand - a professionally managed Windows system can be quite reasonably secure, although perhaps not enough for critical applications. Carlos Sainz, Sebastian Loeb or Markko Märtin will possibly have no problems beating a beginning driver in a top-notch rally car while driving a 1980 Ford Sierra - it is the driver that counts. But when drivers are equal, better technology will give an upper hand.

The basics
Let us start with a very simple thing which is similar in all the abovementioned systems. Do all our users have a password? Is it a good one (i.e. not their first name or just 'a' - good passwords include at least numbers and letters in both cases and are at least 6 characters long)? One of the most used methods of getting access besides just guessing the password is brute-force cracking - a special program which is connected to a dictionary will just try all possible variants, which is not so big a job for today's fast computers. The rule of thumb is - if your password can be found in Webster (or any other large dictionary), better change it.
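
The rules above can be turned into a small self-check, shown here as an added example that is not part of the original text. The names `password_problems` and `dictionary_core` and the tiny `SAMPLE_DICTIONARY` are constructed for illustration; stripping appended digits and undoing common character substitutions before the dictionary lookup goes a step beyond the rule of thumb, since a decorated dictionary word is still a dictionary word.

```python
import re

# Constructed stand-in for the "Webster" of the text; a real check would
# load a full word list from a file.
SAMPLE_DICTIONARY = {"password", "dragon", "monkey", "sunshine", "welcome"}

# Common character substitutions, undone before the dictionary lookup.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 6  # minimum length given in the text


def dictionary_core(password):
    """Reduce a password to the plain word a dictionary-driven guesser tries."""
    core = password.lower()
    # Drop digits and punctuation stuck on the front or the end ("dragon99").
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    return core.translate(SUBSTITUTIONS)


def password_problems(password, first_name="", dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules from the text that the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 6 characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("letters not in both cases")
    core = dictionary_core(password)
    if first_name and core == first_name.lower():
        problems.append("based on the user's first name")
    if core in dictionary:
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, checked for a user called Joe.
    for candidate in ["a", "monkey", "Passw0rd1", "Joe2006", "tR7#kq9Lw"]:
        print(candidate, password_problems(candidate, first_name="Joe"))
```

An empty list means the password passes every rule; "Passw0rd1" satisfies the length, digit and case rules and is still flagged.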

There is another very common mistake which is mostly limited to Windows users (besides tending to be less computer savvy than Mac or Unix folks, they still tend to underestimate passwords - Windows 3.x did not have them at all, Windows 9x only had them protecting one's desktop setup and only NT, 2000 and XP have proper password systems). The problem is using the computer with full rights as an administrator. Besides being an external security risk, it is also playing with fire internally - one is not protected from his/her own fatal mistakes. If the habit is combined with a bad or non-existent password, then we have a problem.

Finally, it is probably quite rare that a car owner does not know the type of gasoline/petrol that his/her car uses. Computer users who do not know what exactly is stored in their computer are unfortunately much more common...

System issues
If one insists on continuing to use Windows, then it should at least be secured as much as possible. This includes continuous loading of updates (automatic update is generally a good idea), installation of a good antivirus and a firewall, regular monitoring of files and awareness of what is installed in your computer, avoiding random downloads and "funny things" received by e-mail... These steps are actually natural for any sensible computer user, but the problem is that many people do not even know about them.

The next step could be switching from the most vulnerable software to some more reliable alternative. Currently, the most common variants are:

 * Internet Explorer => Mozilla, Firefox or Opera
 * MS Outlook => Thunderbird or Mozilla Mail
 * MS Office => OpenOffice.org (not so essential in terms of security, but OO.o is a free product)

All these alternatives are freely available from the Internet. In many cases, the abovementioned measures will eliminate a large majority of threats. Later, one could invest in knowledge and skills on firewall customization, popup blocking and spyware hunting (and also in some related software - lots of the better things in the Windows world cost quite a lot). Using the example from the beginning of this writing - this is your driving school. Only after graduation will it be reasonably sure that you are not a threat to fellow citizens.

What about the Linux way? In 2006, it is a perfect solution for a more knowledgeable home user or an office worker with some technical backup available if needed (Linux has been successfully field-tested by many grandmothers and grandfathers who have some geeky grandchildren to support them when necessary). While it is fully possible to start on Linux as one's first system, casual Windows users with no technical inclination may still occasionally run into trouble. The main problem is the choice - the strong side of free software can be problematic for a beginner. A simple countryman finds his way around in the village shop, but will probably be hopelessly lost in a city hypermarket. While in Windows one usually buys just the newest version, Linux has about 150 active variants (distributions) - some fitting on a floppy, others filling a DVD; some cost money, most do not; some are suitable for beginners, others for experts. Making smart choices is the key here.

This leads us to the core principle of free software - it is not about price, it is about freedom of choice. Therefore, users can choose whether they prefer to learn about possible choices by themselves (investing time) or will trust someone more knowledgeable to make the choices for them (investing money). The main point here is that while in proprietary systems one is usually forced to rely on the second variant, in free software the user is also free to choose between different providers - in principle, anyone can offer support services, which makes it a real open market of services.

The advantages of the Linux way are many - a practically non-existent virus problem (Windows viruses do not work - however, care must be taken not to forward them, e.g. in an infected e-mail), a very good built-in (and active by default) firewall, a better general security model, much better control over the system. In 2005, the most widespread potential problem could still be file incompatibility - some Windows applications do not yet have alternatives on Linux, and while OpenOffice.org can use most MS Office documents just fine, occasional small problems may occur (due to Microsoft's unwillingness to publish its file formats - OO.o has reached a surprisingly good level of MS file support, but mostly by trial and error). There is little support for MS Office macros (Visual Basic for Applications; probably won't be supported at all due to its very weak security model - VBA has been one of the main sources of virus activity). Web designers may miss Macromedia Dreamweaver and graphics gurus Adobe Photoshop - alternatives do exist, but are not on par yet. And finally - while recent years have brought most new games (Neverwinter Nights, Doom 3, Wolfenstein: Enemy Territory) to Linux as well (to complement a large number of native games), Windows is still the main gaming platform (although this may change pretty soon). But if these points are not important, Linux is an option seriously worth considering.

(A side remark - there are a couple of ways to run Windows software on Linux. First, there are two proprietary projects - CrossOver, which can run MS Office, Photoshop and some other popular applications, and Cedega, which can run many popular Windows games - and finally there is Wine, which is a free project and can run a wide range of Windows software.)

But whatever the choice is, it essentially boils down to one fact - today's user must know the computer significantly better than was necessary during the 80s. The stakes are much higher - the laziness or ignorance of one person will hit lots of others. This is something that cannot be afforded.

All sides involved in the further development of computing should do more to educate the bulk of PC users. Schools should provide essential courses in computer ownership, manufacturers and resellers should look over their manuals and have the missing parts added to them, software resellers should be obliged to also inform the users of potential threats and security risks (far too many Windows users do not even know about the need for updating a system), broadband Internet providers should educate their users on using different firewalls (making it a mandatory condition for using a service could be a good idea). If these steps are not taken, the current problematic situation will possibly turn into full-scale chaos where the threats and nuisances of the Internet will start to outweigh the benefits.

When summing it up, let's do it in a traditional way...

Ten Commandments
1. Thou shalt keep your Systems updated.
2. Thou shalt not take the Rights of Administrator in vain.
3. Thou shalt choose all passwords carefully, paying utmost care to the Administrator account, likewise shall thine passwords not have valid meaning in any known language.
4. Thou shalt create separate accounts for each User of thine Computer.
5. Thou shalt have antivirus and AdAware (or its likes) software and use them often if thou insist on using Windows.
6. Thou shalt not touch unknown Attachments in thine Mail and not allow anyone who lives in thine household to do it.
7. Thou shalt put junk mail filters into good use.
8. Thou shalt know what Software lies in thine Computer.
9. Thou dost well if thou use OpenOffice.org, Mozilla Thunderbird and Firefox instead of MS Office, MS Outlook and Internet Explorer.
10. Thou shalt seek wise people to help thee, and wisdom for thyself. A wise Man may err once, while a Fool keeps doing it all over.

(Amen!)

Final words
An old Chinese curse goes "May you live in interesting times!". Unfortunately for many of us, we do - be it passenger aircraft used as terror weapons or organized crime invading communication channels. As elsewhere, security is a process - one can never be totally secure, but can work towards becoming more so. The more prepared we are, the fewer real threats we have to face.

For Discussion

 * What should be done to help Joe?
 * Some countries have introduced so-called computer driving licenses (e.g. the ECDL). Do you think that this will help?
 * What should different parties (computer sellers, ISPs, software companies, trainers etc) do about the situation?