The virus of Youthful Irresponsibility

http://www.businessweek.com/technology/content/sep2003/tc2003099_6173_tc047.htm
SECURITY NET
By Alex Salkever

The Virus of Youthful Irresponsibility
College kids just don't pay enough attention to computer security. Thank goodness adults on campus are prepared to force the issue


Hey, college students, it's time for a pop quiz: If an attachment arrives in your inbox with a suffix of .exe, do you (A) click on it? (B) click on it only if it promises you free stuff? or (C) always click on it if it appears to be from your best friend?
Not enough of America's best and brightest know that the answer is none of the above. As waves of students arrive on campuses across the country, university network administrators have found that significant numbers of computers owned by America's young scholars are riddled with nasty worms and viruses.

FIGHTING BACK. Joe and Jane College may be able to wax about Nietzsche and Voltaire or define a Golgi apparatus, but far too many of them can't distinguish antivirus software from KaZaA. And not enough of them understand that computer-security software is part of the price of entrance to the broadband Internet. Some campuses report that up to 25% of students' PCs on their networks are infected with malicious code.

Worse, a significant percentage of students hasn't installed antivirus software, even after the latest attacks of SoBig and the Blaster worm. So network administrators have resorted to extreme defense tactics. At Georgia State University, students recently were required to wait in long lines while tech-support staffers scanned their machines. At Temple University, network administrators insisted that students install antivirus software before they be allowed on the campus broadband grid. And at Indiana University, network-security administrators required students to submit their computers to an online scan before they could log on.

For the life of me, I don't understand why so many college kids are flunking basic computer security. After all, they've grown up with computers and are far more likely than the general population to surf the Internet and understand information technology. They intuitively understand e-mail.

NOT ROCKET SCIENCE. Two common excuses are offered for the failing grade. One is that computer security remains too difficult and complex, even for America's sharpest young minds. The other is that most people, regardless of their age and intelligence, don't consider computer security a real concern, even if they understand information technology.

Hogwash to the contention that computer security is too difficult. I've personally installed antivirus software on more than a dozen computers. This isn't rocket science. For the most part, you put the CD in the machine, click buttons, and install the security software as you would any other. Then, you can walk through a series of easy interfaces that allow you to set your system to scan the entire hard drive as often as you like -- automatically.

Several prominent antivirus companies offer diagnostic tools that can be downloaded for free and will scan computers for vulnerabilities. To run these scans you have to click two or three times, at most. They're painless to use. They're harmless. And they're easy to find.

BASIC TRAINING. Even some more sophisticated desktop firewalls are becoming easy to install (Norton Internet Security from Symantec (SYMC ), for example). Sure, some users will have problems with compatibility. But people have the same issues with almost every other piece of mass-market software. My wife runs ZoneAlarmPro, a fairly sophisticated firewall, on her computer. She's no security guru. She had never even heard of a firewall before we were married. But she picked it up quickly. Now she understands: Never leave your machine running if you're plugged into a broadband connection and you don't have a firewall and antivirus software installed.

At college, the ability to make this simple leap of logic should be regarded as Computer 101 -- a basic approach to security that can save the hassle of pulling all-nighters talking with the tech administrators in an attempt to fix crashed networks.

O.K., so I'm picking a little bit on college students. There's plenty of blame to go around. Companies that make bug-ridden software deserve lots of it -- yes, that means Microsoft (MSFT ). And security software outfits could help more with the education process. When my wife's firewall asks her if it's O.K. for filemask45.dll to access the Internet, she has no idea if that's a valid part of Windows or a Trojan on her desktop. Nor do I, for that matter. A better tutorial explanation of what filemask45.dll is would be immensely helpful.

NO EXCUSES. At the root of all this is the more serious issue: the common misconception that running a computer should require no more knowledge than turning on the TV. Wrong. Yes, some rough edges still must be ironed out in computer security. But students, listen to those university system administrators. You have no excuse for failing to heed the seriousness of what they say.

I know I sound like your father. But let me use a car analogy to emphasize my point. If the engine of your car seizes on the freeway because you haven't bothered to check the oil in seven years and people are subsequently injured in a crash, you can bet that someone is going to blame you for not understanding the basics of driving and caring for a car.

Like a car, a computer requires constant care and a general knowledge of its workings to run properly. Plug that PC into a broadband connection, and you assume certain responsibilities. So when college network administrators make you wait in line to check your hard drive for worms and stop you from accessing the Web via the campus network until you've cleaned your computer of viruses, be patient. Friends don't send friends .exe files.


Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column
Edited by Douglas Harbrecht

 

It's a shame that a lot of people (especially ones who own a PC) can't comprehend the risks associated with the Net. Really, it's not too different from opening your wallet in a crowd with your eyes blindfolded. How many dishonest people are going to reach in? A lot of it may be ignorance of the dangers. When I started, I didn't know anything about computer security. I had an AV, but no Firewall. I thought a firewall was to keep fire from spreading from one building to another. But through talking to people and reading, I found out there's more to security than just an AV. Firewalls, ATs AVs, AntiSpy, registry monitors, and a lot more that I probably don't know about, are all a part of it. There's no single cure all I know of except throwing out the PC. I found out it's a necessity, if I was going to stand even half a chance of being secure on the net, I was going to have to learn all that I could about it, and I'm still learning. I know I'll never learn everything, I doubt anyone could. I'm just going to try to get as good as I can. They should too. I think a lot of people have got the "You can't see it from my house!" syndrom, and with that attitude, someday they'll find the best security teacher in the world. Losing all their data, formatting, and starting over!!! If they think PC security is a pain in the ass to deal with, try having to do that more than a couple of times.

 

They need to learn that pc and security go together like a car and insurance, it is a little nuts to have one without the other. It is a little hard for me to understand how they grew up in the computer age and so many of them have never learned the responsibitity of pc scurity either to them selves or others. To any readers of this post I am not picking on all of the young people in that age group most of you are very responsible. It is just the few that never cared to learn.

 

i think comparing it to driving a car or opening a wallet blindly (hehe) is just not fair.

driving cars requires licensing.. that means testing and so on.. and sometimes going to certain driving schools will lower your insurance.. in other words, there are laws and incentives to educate oneself about driving.

and opening a wallet, life experience from parents and so on can help ensure some poor guy doesn't do that!

with computers/security it's way different. there was no official place where i could really learn about computer security before university. my schools didn't offer anything, nor did the community at large. my parents couldn't teach me anything because they knew nothing about computer security. so i had to learn everything from trial and error, asking people who may or may not have known anything about it, and get burned a few times doing stupid things on my own.

only very recently is there any sign that computing is being taken seriously by the average middle class student as more than a game-machine. this is just the evolution of computing technology bleeding into pop culture. to say that this is the computing age, albeit true, is misleading. computers (the desktop variety) aren't ubiquitous in the minds of the average person. computing is still counter-intuitive.

if the progress is going too slow, then the fault shouldn't be placed on the end-user i think. it should be placed on governments, geeks everywhere who already 'get it', and exploitive companies. more education at the most basic levels, putting computers and high-speed connections in every home, and building communities not just online (where newbies will have a hard time navigating), but also offline, where the average person is more comfortable. either that, or introduce licenses for pc use.

 

Or you could be required to take training in pc security,online ettiquite and the ability just to know how to use the pc at all. I do beleive that all new computer buyers should be informed about the hazzards of surfing the net or just being connected to a university network getting your lessons done, or any other endevor that has the possibility of someone or something getting in or out of your comp. No easy answers out there but eventually there might be a light at the end of the tunnel. But I deffinatly don't agree with having to be licensced to have a pc. What next a permit to watch tv.

 

Even when you've been taught by the best isn't the "hands on" learning in everything by trial and error?

The Goverment has got its hands into everything anyways. Why would anyone want them to secure their PC? Talk about "Big Brother".

How did they "get it?" They learned.

Just wait 20 years. Maybe less.

Everyone is a "newbie" to everything the first few times. But you still have to learn to get better. Sure there are going to be falls along the way. It's called life. Everyone falls. The only ones who don't succeed, are the ones who don't get back up and try again.

 

=) i didn't mean that the men in black suits should bust in and make sure your pc is net-compliant. i meant more traditional roles the government can take, like for example better education programs for the public and high school students (or even better, start earlier) but putting more computers into school, having better trained teachers, and allowing a controlled environment where everyone can learn hands-on.

other than that i agree with everything you say beetlejuice.