Home Users: A Public Health Problem?
By Bruce Schneier
To the average home user, security is an intractable problem. Microsoft has made great strides improving the security of their operating system "out of the box," but there are still a dizzying array of rules, options, and choices that users have to make. How should they configure their anti-virus program? What sort of backup regime should they employ? What are the best settings for their wireless network? And so on and so on and so on.
How is it possible that we in the computer industry have created such a shoddy product? How have we foisted on people a product that is so difficult to use securely, that requires so many add-on products?
It's even worse than that. We have sold the average computer user a bill of goods. In our race for an ever-increasing market, we have convinced every person that he needs a computer. We have provided application after application -- IM, peer-to-peer file sharing, eBay, Facebook -- to make computers both useful and enjoyable to the home user. At the same time, we've made them so hard to maintain that only a trained sysadmin can do it.
And then we wonder why home users have such problems with their buggy systems, why they can't seem to do even the simplest administrative tasks, and why their computers aren't secure. They're not secure because home users don't know how to secure them.
At work, I have an entire IT department I can call on if I have a problem. They filter my net connection so that I don't see spam, and most attacks are blocked before they even get to my computer. They tell me which updates to install on my system and when. And they're available to help me recover if something untoward does happen to my system. Home users have none of this support. They're on their own.
This problem isn't simply going to go away as computers get smarter and users get savvier. The next generation of computers will be vulnerable to all sorts of different attacks, and the next generation of attack tools will fool users in all sorts of different ways. The security arms race isn't going away any time soon, but it will be fought with ever more complex weapons.
This isn't simply an academic problem; it's a public health problem. In the hyper-connected world of the Internet, everyone's security depends in part on everyone else's. As long as there are insecure computers out there, hackers will use them to eavesdrop on network traffic, send spam, and attack other computers. We are all more secure if all those home computers attached to the Internet via DSL or cable modems are protected against attack. The only question is: what's the best way to get there?
I wonder about those who say "educate the users." Have they tried? Have they ever met an actual user? It's unrealistic to expect home users to be responsible for their own security. They don't have the expertise, and they're not going to learn. And it's not just user actions we need to worry about; these computers are insecure right out of the box.
The only possible way to solve this problem is to force the ISPs to become IT departments. There's no reason why they can't provide home users with the same level of support my IT department provides me with. There's no reason why they can't provide "clean pipe" service to the home. Yes, it will cost home users more. Yes, it will require changes in the law to make this mandatory. But what's the alternative?
In 1991, Walter S. Mossberg debuted his "Personal Technology" column in The Wall Street Journal with the words: "Personal computers are just too hard to use, and it isn't your fault." Sixteen years later, the statement is still true -- and doubly true when it comes to computer security.
If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There simply isn't any other way.
This essay is the first half of a point/counterpoint with Marcus Ranum in the September issue of Information Security. You can read his reply here.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.