Monday, January 24, 2005

Prognostication

It isn't often that I'm able to predict things that are going to happen. For example, back in late 1998, as Microsoft was working on Windows NT 5 to replace the archaic Windows NT 4.0 that had been around since 1996, I mentioned to a coworker, "Here's my prediction: Microsoft will not release a 'Windows NT 5.0'...they will change the name to 'Windows 2000' because it has a better marketing feel and goes well with Windows 95 and 98." Lo and behold, Microsoft proved my prediction true just a few months later. (Now, if only I could apply this somewhat elusive skill to lottery numbers and sports victories...)

A couple of Fridays ago, I posted an entry here discussing some basic, common-sense rules for safe Internet use, and I based them on the "rules you learned as a kid" idea. The last rule I put in was, "Don't drive without a license," based on the idea that you have to learn the basics of safe driving, traffic laws, making a car do what you want it to do, and safe vs. unsafe driving situations before you are permitted to legally drive a car on your own. Once again, my elusive gift of prophecy has kicked in, but in a much stricter manifestation. This came to me today in my Security Wire Perspectives e-newsletter, which I get from Information Security magazine:

A LICENSE TO BROWSE?
By Bill Brenner, News Writer

Aided by home users blissfully unaware of their computers' security
holes, Sasser strangled millions of PCs last May. Others like Mydoom,
Bagle and Netsky menaced the Internet throughout 2004. And more
people worked remotely, picking up infections on laptops that were
carried back to their company networks. All this left some wondering
if it's time to make users get a license to travel online.

"People need to know what they're doing to protect themselves and
others," said Ned Lindburg, a network engineer for Dallas, Wis.-based
Chibardun Telephone Cooperative. "They need a rudimentary education
before going on the Internet. I support the concept that you must
provide proof you know what you're doing."

As far as Lindburg is concerned, minimal government regulation is
usually best. But with cyberspace crowded with reckless browsers, he
said it may be the only way to bring sanity to the Internet.

"In this situation people are endangering others," he said. "It's
like someone who doesn't know how to drive getting on the highway."

Jon Benson, a network systems administrator for Neurome Inc. of La
Jolla, Calif., took the concept a step further, saying the actual
computers should be licensed.

"It really isn't the person that should be licensed, but the computer
connected to the network," Benson said. "Any computer connected to
the Internet should be shown to be free of malicious code; that it
actively seeks out and destroys malicious code. You prove your car is
safe [with inspection stickers]. You should also prove your computer
is safe."

James Ott, IT auditor for a global high-tech manufacturing firm, said
people should be made to understand the risk they pose to others.
"The concept of a Web driver's license and Web insurance might be the
way to go," said Ott, who did not want his company named. "The number
of zombie machines on the Internet is huge and the impact can be
enormous. If we don't put some fiduciary responsibilities on the Web
and e-mail users these two marvelous technical resources are going to
become more and more expensive to use."

He said he read George Orwell's "1984" like everyone else of his
generation, "but that does not mean we cannot have some monitoring
and regulating of the e-mail and Web traffic on the Internet."

Some believe a license would be overkill and "wouldn't really change
anything," said Jesse Correll, manager of IT infrastructure for
MetLife Investors of Newport Beach, Calif. People can't be forced to
become competent in information security, he said. In the end, it's
up to the software writers and computer manufacturers to create a
secure product.

And home users who aren't updating their antivirus or installing
security patches may have to get burned before they understand.

Dave Bixler, chief security officer of Norwalk, Conn.-based Siemens
Business Services, said, "Sometimes you have to let a kid fall off
the bike, break the glass or touch the flame before he understands
the pain. With users, maybe it's that you need to get hit by one of
these viruses to learn the importance of security."

Bradley Dinerman, technical operations manager for Newton,
Mass.-based IT management firm MIS Alliance Corp., said that while
he'd love to insist his clients obtain a license to operate a
computer, he doesn't think it would be practical or even enforceable.

"Computers are ubiquitous now, and not just in the workplace," he
said. "Asking a home user to obtain a license to use his or her
computer is like asking that person to obtain a license to operate
the oven. Misusing an oven can result in tragedy -- not just to the
soufflé -- yet we all use them without any formal training."
 

Now, the concept I was trying to convey was not quite as strict as what some of these gentlemen were proposing; I merely suggested that it's prudent to stay on top of things when you're using the Internet. Good drivers are always thinking not only about what they're doing, but they're also anticipating what others on the road will do, and they know their vehicle and personal skills enough that they know how to get out of bad situations as best they can. If, when you went out driving in your car, you drove as though no one else were on the road and you didn't really have to pay attention while you were driving, bad things would happen, and very quickly. No one in their right mind drives a car this way, yet probably 80-90% of Internet users take this approach when using the Internet.

My view is a mix of a few of the views in the article. First, it is entirely incumbent on users to educate themselves on safe Internet use. It is also incumbent on IT and infosec professionals to help educate not only the users they are directly responsible for, but also the users they are not responsible for but know and love (i.e., friends and relatives who are regular users). Second, in some ways, people are still like animals. The only way some people learn and exercise their brains and use good judgment is through pain. If a user has to be infected with a virus that destroys all of their music, replaces all of their family pictures with porn, erases their Quicken bookkeeping files, and deletes all of their useful applications on their computer, so that they'll learn what it means to be a smart user, so be it.

I don't feel you should need to provide proof of competency...yet; we're not quite to that point, but if users continue to act in such a careless fashion while on the Internet, I can easily see such methods being implemented at every level.
