Updated: July 21, 2010
I'm probably boring you to death by now with my slightly revolutionary preachings, but the best way to drive a message home is by repeating it incessantly, with only small variations in the general tone. After all, that is what politicians do all the time.
Seriously, I've been giving the whole security thingie a lot of thought lately. Not so much following the well-known, well-oiled mantras, more like taking a very good look at the security arena and filtering out the crud. And there seems to be quite a lot of it. Today, I'd like to take another step forward and make your security model even more efficient and foolproof than before. Don't panic, read the whole thing before you judge.
Introduction
I've given you a taste of what security ought not to be in my Poor Windows users article. You may also have read my articles on safe Web practices and mail security, which explain the basics of healthy computer usage without going overboard. Then, you also have overviews of Windows 7 security, part one and two, and SuRun, a sudo-like tool for Windows XP.
In all of these articles, I've emphasized the importance of abstract security. In other words, if you have a good security strategy, it's flexible and system-agnostic. You can apply pretty much the same model on different operating systems with just minimal adaptations. Furthermore, you avoid the use of tactical ingredients, in this case very specific, narrowly targeted tools aimed at protecting against isolated attack vectors. For example, all kinds of anti-X programs in Windows fall into this category. And while they offer some prevention, containment and cleaning capabilities, they are usually inefficient, because they follow the blacklist approach and rely heavily on user actions.
My goal is to provide you with a universal, whitelist-leaning security that does not depend on signatures, user skill or recipe-like investments. Those will never work as long as Murphy's law or one of its lemmas holds.
The Safe Web and Mail security articles are a very good start. SuRun also gives you a taste of what running a hassle-free limited account in Windows can be, compared to Linux. Now comes the third part in this long series of education, and this is all about customer satisfaction.
Status Quo
Today, security is a 0% guarantee business - in the home environment. How so, you're asking? Well, it's very simple. Pretty much every single EULA for security software, as well as any other software for that matter, includes a very fat disclaimer that informs you that using the software is at your own risk, peril and responsibility. In other words, companies have no accountability for damages caused by the use and misuse of their products.
Security-wise, this means that if the security program works as advertised, fine. If it does not, it's your fault. It's a best-effort model: there's no guarantee and the liability is entirely yours. Imagine if the car industry sold its vehicles on the best-effort approach. You buy a car and the brochure informs you that the brakes may not work as expected. What's more, the company will not be held responsible for any malfunction, failure or whatever of the said component.
In the software world, things are a little different. First, there's rarely a life-and-death threat, unlike brakes not working. Second, the potential for misuse is enormous. It is difficult to force security companies to take responsibility for everything the users do, because it is impossible to predict every conceivable stupidity - or prevent it.
As I've wisely pointed out in my Computer licensing article, this could work if both users and companies were held responsible for their actions. On one hand, users would be forced to pass a computer usage exam and be held legally accountable for their wrongdoings. On the other, companies would be held accountable for bugs and flaws in their software. Today, pretty much neither side is. Bottom line, you use security software, there's no guarantee it will work, and it's your fault. Don't like it, don't use it. More to follow.
Financial agenda
Many security products are sold - or rather, leased. You pay for an annual license, which grants you the software resources. The thing is, it is the prime imperative of every company to maximize revenue. Maximizing profit is done in many ways. A good way of achieving it is by expanding the user base. You do this by advertising, offering downgraded versions of premium products for free, bundling software products, and finally, by increasing awareness of your services.
What is the best way to sell security? It's by insecurity. The more insecure your customer is, the more likely he/she is to buy more security. It's a very simple equation. Security companies know this - and use this, all the time. Therefore, it comes as no surprise that security companies are often harbingers of digital doom. Whenever you read an advisory about a huge increase in malware, it's always the head of this or that security company that utters the dreaded message.
Fear mongering works well. It keeps people in check, docile and obedient and willing to spend money to relieve the horrible feeling of helplessness. Then, there's the matter of education. Whenever you read about horrible plagues of binary code roaming wild down the lines of the Internet, it usually comes down to this:
Users can get infected just by visiting a page!
Or something silly like this:
Millions of computers at stake, new worm outbreak ...
The combination of medical and disaster terms is meant to trigger the basic survival instincts. This seems to work quite well. However, there is never, ever any mention of the simple ways of preventing malware infections or how to avoid these dreadful new vectors of attack. For instance, you will rarely see an advisory of the following kind:
There's a new worm wriggling about. Not to worry, just turn your firewall on.
Simple, right? Remember the Conficker panic? There was a month of headlines with not a single mention that just turning on even the most basic Windows firewall was more than enough to stop network-related infections. Uh, another worm. Boring.
But it's easier selling USD49.99 software than telling users to spend 14 seconds educating themselves about the functionality of the Control Panel in Windows. Stupid users are good for business. If you're uneducated and ignorant, you're more likely to believe the headlines, more easily coerced into buying false security with money. This has worked superbly with TV news, it continues with the Internet.
So how can you improve your security?
Here we go. There are several ways. Some are simple and trivial, others take more time and dedication. Others yet are radical, pure genius. Let me elaborate.
#1: Education
This is your best option. It has the highest return on investment in the long run. You may need to read a little, but you will gain immensely. Education means being able to rationalize situations and evaluate threats. Education means taking a step back, breathing deeply, reading between the lines, quenching your impulses, saving your money, and performing your own research and analysis of the problem at hand, maybe even devising a solution. Education is understanding how Windows works and why things are not as grim as they seem to be. Learn how to respond to all kinds of warnings and messages.
Spending time learning about computers is not an easy task, though. Many people treat computers as an appliance. They do not want to spend time hacking the internals. This is quite understandable and acceptable. Which is why there's point #2.
#2: Let your voice be heard
You are not just a line on someone's end-of-the-year marketing report. You are a customer and your voice deserves to be heard. But phoning a third-party support line in a foreign country in non-prime time hours is probably not the best way of achieving the desired effect. Your best option is NOT to use any security software that does not have a spotless ethical record. It is very difficult to find companies like those, but there are a few paladins in Sodom.
Ideally, security should be free. This way, you know there's no hidden goal and that the entire focus is on delivering a security service to the users. But this is not always possible, because people writing code need to feed their families, too.
You should strive to avoid software companies that bundle their products with third-party nonsense. You should boycott companies that ignore their users. Abandon products with a mediocre track record, including performance, bug fixing, customer satisfaction, and the actual ability to do as advertised. Do not be a hostage. Always remember that they need you more than you need them. And there's always, always an alternative, even if you're not really sure what it is at the moment.
#3: Stop using "security" software
You do not really need it. Products XYZ are so 90s. Obsolete in concept. You need a strategy and not tactics. Anti-virus and anti-phishing toolbar and anti-whatever are just temporary tactics. Tomorrow, the winds of the Internet wars will change and these tools will become useless relics.
Let me give you the fishing analogy. There's a proverb saying: Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime. I say, take this one step further. Be the one who designs the fishing rod and the tackle.
Your Windows, it has what you need, built-in. You have a firewall, check. You have a limited user, check. You have Group Policies, check. Then, there's DEP, monthly updates, and a handful of other mechanisms, just waiting for you to start using them.
On top of these, you can beef up your sense of security with totally free programs, which, while not specifically security related, can help minimize exposure and lessen the impact of unhealthy computing habits. For instance, SuRun or Firefox.
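As an added example (not code from the original article), here is a PowerShell script that audits the built-in mechanisms just listed on a Vista/Windows 7-era machine: firewall state, whether you are running as a limited user, the DEP policy and the Automatic Updates setting. It uses only the standard netsh, WMI and Windows Update Agent interfaces and assumes PowerShell 2.0 or later.

```powershell
# Added example: check the built-in Windows protections the article relies on.
# Assumes PowerShell 2.0+ on Vista/7; run it in your everyday (limited) account.

# 1. Firewall: netsh prints one "State ON/OFF" line per profile (Domain/Private/Public).
$fwText = netsh advfirewall show allprofiles state
$fwOff  = $fwText | Select-String -Pattern 'State\s+OFF'
if ($fwOff) { Write-Warning "Windows Firewall is OFF for at least one profile" }
else        { Write-Host    "Firewall: ON for all profiles" }

# 2. Limited user: is this session running with administrator rights?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "Running as administrator; daily work belongs in a limited account"
} else {
    Write-Host "Limited user: OK ($($identity.Name))"
}

# 3. DEP: WMI support policy 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut.
$depPolicy = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
if ($depPolicy -eq 0) { Write-Warning "DEP is disabled system-wide" }
else                  { Write-Host    "DEP policy: $($depNames[[int]$depPolicy])" }

# 4. Monthly updates: Windows Update Agent notification level
#    1 = Disabled, 2 = Notify before download, 3 = Notify before install,
#    4 = Scheduled installation (download and install automatically).
$auSettings = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
if ($auSettings.NotificationLevel -lt 4) {
    Write-Warning "Automatic Updates level is $($auSettings.NotificationLevel); 4 installs patches automatically"
} else {
    Write-Host "Automatic Updates: scheduled installation enabled"
}
```

Any line reported as a warning is something the Control Panel can fix without installing anything.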
How about data integrity and backups? People invest so much money trying to prevent malware infections, which are merely a probability. On the other hand, people rarely invest in making sure their data is safely backed up from hardware failures, which are a certainty.
Think carefully about this. How many people have had malware at some point in their life? 10%? 30%? How many people have had a hardware failure at some point in their life? 100%. Amazing, isn't it? You're much better off spending money on backup solutions, home NAS, imaging software, extra hard disks, and whatnot, than spending time trying to stave off the Armageddon. Oh, there's always Linux, but that's hardcore revolution.
How is any of this going to help?
You will probably not see any difference in the short run. But you will make an impact, eventually. Any security company experiencing a massive emigration of users will automatically do several things: woo their customers, lower the price, offer killer deals, and maybe even work on improving their product. It has happened before.
Which brings me to my Linux success article. You want Linux to be strong. You want free software to flourish, because it leads to better and cheaper payware software. This is true for any aspect of computing, from operating systems via browsers to security.
At the moment, security companies enjoy pretty much a free hand in Windows. They do as they please, cashing in on the malware rampage and the ignorance of the vast majority of users. But you can make a change. Vote with your money, it's the best tool you have.
Conclusion
Some of you will be angered by this article. Some will even claim that I'm irresponsible in suggesting Windows users drop their precious security programs and let the "vile" hackers take hold of their machines.
But how come the entire security concept of the Internet comes down to the little user? How about security prevention on the server level; malware has to sit somewhere, right? How come users get malware in their mails? Someone owns the mail servers, after all. How about free education by ISPs? How about redesigning the trust models?
The truth is not binary. It's not either you use security or you get hacked. My statistics show that most people suffering from malware infections did and do have security software installed, often out of date, without updates and similar, but it's there nonetheless, not used to its potential, however efficient it may be. Not running the classic anti-X software does not mean disaster. It could. But it does not have to.
There's the middle ground, one where companies can make money, in good faith, while users enjoy handsome security without spending too much, without wallowing in fear and despair. There's the middle ground where people have the happy choice of making smart, educated decisions. It's about sharing the pie so that everyone gets a piece. That way, everyone's a winner. As a user, you have the power to make the change. Think about it.
Cheers.