When does self-responsibility kick in?
The Web site www.itnews.com.au has highlighted a Russian 'smartbomb' for purchase that allegedly targets unpatched PCS:
According to itnews, Websense has reported that 1,000 sites are using the smartbomb, which can be purchased for as little as US$10.00.
The worrying thing that caught my attention about the report is that according to the statistics from just one attacker site, over 1,770 PCs were successfully compromised via a vulnerability that was patched back in April 2003!!! I find it amazing that there are still computers out there that are vulnerable to an exploit that was patched three years ago.
The second most successful exploit for the highlighted attack site was one that targeted createTextRange, which was patched on April 11 - Websense reports that 1,507 PCs were compromised via that vulnerability.
There is only so much that we, as computer professionals, can do to protect people from themselves. Sooner or later every computer owner has to take responsibility for their own PCs, for their own security, and for their own education.
We're having an interesting discussion in a security focused mailing list at the moment about reports that Windows Vista's outbound firewall abilities will be disabled by default because the corporate end of town want it that way.
Some of the reasons given for why the decision is ok are, to me at least, staggering - for example:
1. The average user is not going to be interested or will freak out;
2. Stuff may get through anyway;
3. If you force them to learn they'll start using another OS;
4. The public doesn't want to be educated;
5. Computer manufacturers/ISPs won't like the cost of supporting confused users.
So.... computer manufacturers/ISPs won't like having to wear the cost of support calls - big deal. Let's think about cost. How much money do you think is spent fighting, for example, spam? Spam that comes from compromised home computers? How much money has been and continues to be spent by corporations and private citizens paying for the bandwidth absorbed by said spam? How many corporations have had to spend money on various attempts to ward off spam whether it be software or hardware solutions. How many have had to upgrade their hardware to cope with the demand? How much money do you think has been spent is fighting denial of service attacks from compromised home machines? How much money is spent fighting to take down phishing sites on compromised home machines? How much money has been lost to the criminals behind phishing sites? (the last report I read mentioned losses running into the millions).
Users who are not willing to educate themselves are a risk to themselves and other internet users. Their compromised machines pump out spam; their compromised machines are used for denial of service attacks; their compromised machines are used to host phishing websites.
I am a finite resource; my associates are a finite resource; sooner or later we have to say "listen, you're harming the community at large, get with it or get out'.
Therefore, if forcing users to 'get educated' ends up with their choosing a different operating system, then I'll show them the way and shut the door behind them. Its one less thing to worry about. If forcing users to learn about and use things like firewalls and patching leads them to choose a different operating system - there's the door.
If home users are not educated - if they will not take responsibility for their own machines - then spam will not go away, denial of service attacks will not go away, phishing web sites will not go away. That's the reality folks.
Another article at Eweek from earlier this month noted that "recovery from malware [is] becoming impossible:
I have met Mike Danseglio (the guy who was interviewed for the article) - I attending training sessions that he held back in April 2005 in Singapore and still have his business card on my desk. I remember how we left his sessions thinking "we're screwed". I also remember that we wanted to cancel all the other sessions for the rest of the day so that we could continue working with and learning from Mike.
When I look at the risk to the internet community at large from compromised machines spewing crap I wonder how the heck people can say that not pushing for user education is ok.