Small Business Susan

Maybe we have to have that April 1st blow up the world war game before we’ll learn?

CBS 60 Minutes covers Conficker, malware epidemic | Zero Day | ZDNet.com:
http://blogs.zdnet.com/security/?p=3036

Did 60 Minutes help or just report the facts very badly?

If I didn’t know better, I would say after watching 60 Minutes that I am just going to stop using my computer.  Because obviously just using it for day-to-day stuff is obviously and utterly dangerous.  In that 15 minutes, on the one hand the guy from Symantec is saying I’m screwed, on the other hand the guy from Google says he never sees the bad stuff.  Is that because he never uses the Google search engine for things like “March Madness”, which at one time offered up bogus antispyware offerings?


I’m not ready to throw in the towel and say Lauren would be better off with a Mac or Ubuntu to keep her safe, as I think that’s too easy of an answer and too lame of a solution.  It’s also merely pushing off to tomorrow what the real issue is today:


We are not educating ourselves as to how to operate technology.


From business to home users, none of us ever get nearly the training we should for operating technology.  I also think it’s not wise to merely give a teenager who has been known to download music from various sources an alternative OS platform and say “go for it” as that’s not teaching safe computing. 


Right now we absolutely are horrific at giving people good answers and good information about real risks for them.  We scare people like Leslie and company just did and then give no good information on how to protect ourselves.  “I thought the firewall was good enough, it wasn’t” but then we don’t get into the real issue of how many third-party outbound filtering firewalls do not give good enough information for people to make informed decisions.


The other night the movie of War Games was on TV.


Just like Joshua we have to learn that playing tic-tac-toe like we’re doing with the computer bad guys doesn’t get us anywhere.



Leslie you blew it.  We’re all blowing it.  We’re making everyone fear April 1st and giving them no long term lessons out of this.


From a comment on that Zero day blog….


Hype and panic? Or legitimate threat even for conscientious users?
I watched that 60 Minutes program, and came away with more questions than answers. The report seemed to express that even when users are vigilant about keeping their PCs up-to-date and even when users use good anti-malware and even if users follow proper procedures, like not downloading porn off of torrents, then Conficker might “get ‘em”. Just how much validity is there to that threat? I really get frustrated by media stories that use lines like, “it turns out that even our computers here at CBS weren’t secure enough!” That doesn’t prove anything. A large corporation like CBS has a large, extensive, complex computer network with many, many end users with highly variable computer skills. Of course network administrators for large corporations have their work cut out for them. But what about the person who runs ONE PC behind ONE router, installs all updates as soon as they’re available, and runs anti-malware like AVG and Windows Defender? The one part of the 60 Minutes report I DID like was the Google guy who said, “I’ve been on the Internet since the beginning, and I’ve never had a problem.” Is that a good rule-of-thumb? If you have NEVER had a malware issue with your PC because you follow good practices, maybe you shouldn’t worry too much when the media hypes the next big worm. Just keep following the same practices you always have.


The bad guys win when all we do is confuse people.


The risks to the PCs in a corporate office are not the same as the risks to a single stand-alone system.


The risks of Conficker entering CBS are from an employee bringing in an infected USB flash drive, or a system not being patched.  We don’t know if they are running NT systems or other non-supported/non-patched systems; the piece doesn’t go into detail, nor does it go into their patching practices.


No one is truly listing what activities bring the risk to a stand-alone system.  There are vague references to bittorrents and music downloads but it really isn’t detailing out the true risk for folks.  Is that because we really don’t know or is it because we really don’t want to be honest where the risks are coming from because we don’t want to shut down that means of entry?  If USB flash drives are truly a massive vector, maybe we should be sending out a patch that turns off autoruns rather than just fixing it?


And on a related rant, there is the bittorrent issue.  It floors me how many people who should know better don’t.  They should know better than to download from bittorrents, but do anyway.  They should at least ensure that they take hash values of the ISOs and compare them to the published hash values, so that they know they are getting good ISOs.  And then there’s the Win7 issue.  It floors me the number of people running post-7000 builds that they are getting from bittorrents.  There’s a part of me that wonders, if these leaked builds are from TAP/NDA customers, whether they know what the meaning of NDA is.  There’s a part of me that wonders if Microsoft is secretly leaking them to build a buzz factor.  Regardless of which camp leaked them, the fact that people are downloading them in the first place, or at least not taking the precautions they should be taking, is mind blowing.  We are clearly not caring one bit about proper computer operations.  All we want is our free music, our free beer and especially our latest build of Win7.


Meanwhile we’re learning no processes and procedures to lessen the risks of what we are doing.


Maybe we have to have that April 1st blow up the world war game before we’ll learn?