Deb Shinder's MVP Blog

Department of Home LAN Security

June 2004 - Posts

Blaming the Victims of Security Breaches

The “blame the victim” mentality is prevalent in many facets of society today. Cities pass ordinances that make it an offense to leave things of value in view inside your vehicle, lest some just-in-time thief be tempted and break in to take it. Victims of motor vehicle burglaries are astonished, when they report the crime, to find themselves receiving a ticket.

Blaming the victim is an attitude that's seeping into the computer security arena, as well, in several different forms. I recently read an article by a fellow security expert stating that “if you leave something unlocked, you invite crime” [my emphasis]. That sounds a little like the old (and thankfully, pretty much abandoned) idea that a rape victim whose dress was a little short was “asking for it.” I've heard and read similar statements on numerous occasions, with some going so far as to say that computer users who don't have all the OS patches, AV updates and properly configured firewalls installed “deserve what they get.” Ouch!

Sure, we all need to take responsibility for protecting ourselves and doing our parts to protect our networks and The Network. But let's get real about who bears the BLAME for DoS and other attacks, viruses and worms, etc. -- that's the person(s) who launched them.

Another popular variant on the “blame anybody except the person who did it” theme is to bash the software vendor for not creating a perfectly secure OS or application. Well, guess what? There's no such animal, and never will be.

Back in my “previous life,” when I was teaching defense tactics to embryonic cops at the police academy, one important block of instruction was weapon retention. A disturbingly high number of police officers are killed each year with their own guns, and it's essential to know how to defend against an attempt to take yours away from you. However, there were always a couple of kids in each class who knew it all, and discounted weapon retention training because they were going to use so-called “security holsters.” These are holsters designed to make it more difficult to get the gun out, to help thwart just such an incident. The problem was that, when many of these folks got to the range for firearms training, they couldn't draw and fire their weapons in an acceptable amount of time. Oops!

Does that mean security holsters are useless? No - but it does illustrate an important point that carries over to my current incarnation as a network security author, trainer and consultant: security and accessibility are always on opposite ends of a continuum, and the more you have of one, the less you have of the other. A good security holster can provide an extra measure of protection - if you practice faithfully to burn the moves required to draw your weapon into muscle memory (standard theory is that it takes about 3000 initial reps to do that, plus ongoing, regular practice to maintain it). However, there is no 100% secure holster (just as there is no 100% secure piece of software), and if there were, you (authorized users) wouldn't be able to get to your weapon (data) yourself.

I believe we can educate users on how to make themselves safer from hackers, crackers and network attackers without painting them as being somehow complicit in the crime if they do get victimized. And I think we can encourage software vendors to do all they can to make their code secure without making them out to be bigger villains than the real bad guys.

Computer Security for Kids

There seems to be an assumption, at least on the parts of less tech-savvy parents, that all kids are computer whizzes. After all, the parents often have to call on their teenagers or pre-teens to figure out how to operate their own computers. In many cases, it's true that today's youngsters, who literally grew up with computers, are able to pick up on technology faster. But that leads to another assumption: that because the kids know how to use the computers, they also know something about protecting themselves and their systems. And that is not necessarily true.

I think there is a security gap here; schools are teaching computer literacy but they aren't necessarily teaching computer security to the extent and as early as they need to. That leaves a lot of kids out there on the 'Net without the knowledge they need, exposing a lot of systems to viruses, attacks, and more. It's sort of like teaching the kids how to operate a car in driver's ed, but not teaching them anything about driver safety.

We computer book authors, trainers and speakers haven't been paying a lot of attention to the younger set, either. Many of our tech books are a little on the dry side, even for adults. Given the attention spans of members of the MTV generation, many of them aren't going to be interested unless we specifically target them. Recently I got a look at a book that does just that.

“Always Use Protection: A Teen's Guide to Safe Computing” by Dan Appleman (published by Apress) impressed me as much by the author's writing style as anything else. All the information in the book is available elsewhere, but his presentation is such that I think kids just might read it. I don't know how old the author is, but it's obvious that he is actually involved with teenagers and knows their language and what they're doing on their computers. He neither talks down to them nor over their heads.

He covers many of the most common scams, explains concepts such as computer forensics and identity theft without getting bogged down in technical jargon or legalese, and describes both the dangers (malicious code, viruses, email scams and attacks) and preventative technologies (firewalls, anti-virus, security updates, good password practices) in a straightforward manner. The book is divided into logical sections: Protecting Your Machine, Protecting Your Privacy, and Protecting Yourself. It's actually a good introduction to computer security at a very high level for new computer users of any age.

Stormy Weather and The Cost of Security

It's been a crazy couple of weeks, first last week with Tom off to TechEd (representing us both this time -- to all those I missed out on seeing, my regrets and hopes that next year I'll get a chance to be there too) and me holding down the fort here. Then this week we've been battling Mother Nature, with the Dallas-Ft. Worth area being pounded by storms almost every night. We spent one evening cooped up in our “safe room,” a small bathroom in the middle of the house downstairs, with tornado sirens going off around us and two very confused cats wondering what was going on. The next night, high winds had a live power line on our street dancing and sparking, and we lost our electricity. We were lucky, though -- there were over 200,000 people in the area who were without power for days instead of hours.

All of this started me thinking about how most of us, even we “security experts,” tend to take chances in at least some areas of our lives. I have my service packs installed on my computer, anti-virus running, an ISA server on the perimeter of the network -- but we haven't ever gotten around to having that underground tornado shelter put in or installing that generator. Why not? Well, we've had some close calls (like Tuesday night) but we've never been devastated by a twister. It's not so much the cost in money as the cost in time that's the problem -- we have work to do, and storm shelters and generators aren't our field of expertise.

The experience made me stop and think with a bit more sympathy toward all those net admins and individual computer users out there who just haven't gotten around to taking the steps that they need to take to protect their networks or systems. After all, they have jobs to do too, without adding security to the mix.

And that's why we need to work to build security into the operating systems and applications -- even if it causes some access problems, even if some people get upset about the inconvenience those built-in security measures can cause. If our house had come with a tornado shelter, we certainly would have used it this week. If a generator had been included when we bought the house, we might have grumbled about the inconvenience of buying fuel for it and having to learn how to use it, but we certainly would have appreciated it yesterday when our air conditioning, refrigerator, even [shudder] our computers were all rendered temporarily useless by the power outage.

Security comes with a price tag that's measured in more than dollars, and it just doesn't seem like a very high priority when you have “more important” things to do -- until you need it, that is. In that moment, the cost seems pretty minimal.