Computers are diabolical machines.
I say that partly tongue-in-cheek, since I make my living coaxing these diabolical machines into doing my bidding. To me they’re quite familiar; I wouldn’t go so far as to call them “friend”, but certainly a colleague whose behavior I can predict through years of experience.
That time is gone. Programming is an arcane skill unattainable by far too many people; the computer too important a tool to be the province of a tiny sliver of humanity. We now have the concept of “software”, ready-made programs that we can buy or download, and install onto our computers to make them do new things. This is the power of the general-purpose computer: someone who knows how it works can make it do almost anything, and then share that new capability with someone who doesn’t know how it works.
And Now, the Bad News
This, then, is our current situation: legions of computer users, peppered ever-so-lightly with those who understand more deeply how these contraptions work. Those scant few can be a boon… or a curse.
It is a sad thing, but all too true, that using a computer is a risky proposition for the average person. If you are an expert computer user, pretend for a moment that you are not. Think of the hordes of viruses unleashed every day (dozens of fresh copies languish in my spam trap at this very moment). What would the average person—who knows a little bit how to use their e-mail—do when infected with one of these nasty blighters? Think of the worms and trojans gleefully setting up unprotected file shares on users’ hard drives, exposing all their data (including their financial data, possibly) to everyone on their cable network, or logging keystrokes to extract any passwords the user knows. Think of the spyware programs most users have installed on their computers, completely without their knowledge, which track their web surfing, launch extra ads, or modify the contents of web pages.
I have many humorous tales of this sort of thing, collected from my forays into friendly technical support. (You know what I mean; where a friend hears that I “know” about computers, and so enlists my aid to fix their ailing system.) People who open virus files because it says “here is the information you requested.” People who click “OK” to every prompt on every web page. People who try to “make some room” on their hard drive by deleting that really big and not-so-important directory “WINDOWS”.
In all of this, one thing is clear: most people do not know how to keep themselves out of trouble when it comes to their computers. I do not say this maliciously; it is not that they are trying to make trouble, or that they don’t want to learn how to be safe. It is that for the average person, the “rules” of what keeps them safe are too many, too bewildering, for them to learn them. Computer experts don’t remember all the rules either. Instead, we learn the principles, and then apply them quickly along with our own judgment. But the principles are largely foreign concepts to most people.
Take, for example, the issue of attachments in e-mail. Which can be safely opened, and which not? Opening an .exe on a Windows computer is foolhardy; similarly, opening .scr, .bat, and .pif files. What about .jpg? Most likely we would say yes; however, if someone had just found a buffer overflow in the JPEG handling code of Internet Explorer—the default JPEG viewer for many people—then the answer would be no. .txt files? .mp3 files? How do we know?
I’ve tried to explain the differences to people before. Executable code is bad; simple data files good. Of course .vbs files are bad, because they’re plain text but executable. .html files can also be dangerous in the wrong context. Trying to educate people on these subtle differences has shown me that most of the time, it’s quite pointless. People don’t want to know the difference, just like most people don’t care about the brand of spark plugs in their car. It’s not that those details aren’t important; it’s that most people aren’t interested enough to learn about those details. They just want their computer to work.
Targeting Windows
Plenty of people who know a lot about computers—including me—like to pick on Microsoft and Windows for this particular problem. It is not completely without justification that we do this; as the vendor of the most popular desktop operating system, Microsoft has created the biggest, most commonly-exploited platform for viruses and other malware, as well as the basic system itself which seems so prone to instability.
We pick on Microsoft because we think they’ve made some poor decisions for the user, decisions designed to benefit Microsoft at the user’s expense. For example, embedding ActiveX controls in web pages and then letting the browser download them automatically. To security experts this is a big no-no: executable code is dangerous. Microsoft addressed this by creating a system to “sign” the code, so that it would be clear who wrote it: if you trust the company that signed the code, you would allow the code to run. The problem is that code can have flaws, flaws can be exploited, and so code that is signed can be unsafe. Signing doesn’t really protect anything; it’s just there to provide a warm fuzzy feeling. But Microsoft introduced this technology to “one-up” Netscape’s Navigator browser, which had its own extensible plugin technology that required users to manually download plugins. Downloading ActiveX controls (plugins) automatically is certainly at first glance a usability improvement, but in the long run, the security problems it has created have impaired the usability of computers by making them less reliable.
Problems like this aren’t just passing fads. Microsoft has continued to make basic design decisions like this, as the latest versions of their web browser still contain these flaws and are still configured by default to allow this kind of behavior. Certainly this risky behavior can be disabled… if you know how. But how many people know how? I recently let someone else use my laptop to connect to the net; their favorite sites wouldn’t work without the (unsafe) bells and whistles I’d disabled. Popular web sites are thus also requiring users to make their browser less safe in order to access content. How is the average person supposed to keep track of all of this?
Windows is Not Alone
Techies reading this may smugly pat themselves on the back for using something other than Windows. Perhaps they’re using Linux or FreeBSD, or even a Mac with OS X. They are confident that no virus or worm meant for the Windows platform will affect them. In this, they are correct, but they miss some essential points.
The first point they miss is that they’re not targeted because they’re not mainstream. Were the dream of Linux zealots realized and Linux displaced Windows as the operating system of choice for the masses, virus writers would simply target that platform. Open source systems like Linux are good at being patched quickly once a flaw is known, as the source is available for anyone to review and fix, but the fix must still be distributed. Is the average user going to patch their system once the fix is available?
This leads to the second essential problem, one that appears in Windows but also appears in other popular systems: they are still too complicated for the average person to maintain. With Windows, it seems to be the steady accumulation of junk, little programs that got installed here and there, extra copies of drivers or network configurations that are no longer needed, files from uninstalled programs that never got removed. With the thousands of components that make up a Windows system, no one can keep track of it all (not even an expert).
With Linux the problem is similar, but with an added twist. Linux is a system built by programmers primarily concerned about performance and flexibility. Everybody wants it to work in a slightly different way, so software for Linux tends to be configurable in the extreme. But this makes it very difficult for the average person to figure out how to use the software. If someone else—an expert—sets up a Linux system for the average person, that person can use it… until something goes wrong. (And it always does; Linux is not immune to this.) At that point it is as hard for the average person to fix as a Windows system would be.
At least the Mac is better about this than Linux or Windows. For a long time, the Mac system has focused on ease of use. But OS X now rests on a BSD (Unix) core. This is a great leap in reliability, but also a huge leap in system complexity. There are now plenty of chances for things to go wrong that never went wrong before, and we’ve already seen security flaws show up in OS X. It isn’t immune either.
Security, Reliability, and Ease of Use
This leads me to my third essential point, the point of this entire rant: to the average user, it does not matter whether their computer is infected with a virus, whether their video driver is buggy, or they just can’t figure out how to get the latest game installed. Their perception—their experience—is that the computer is operating by rules they don’t understand, doing things they don’t expect, and they just want it to work. Security ties into reliability; reliability ties into ease of use. They are all closely related.
Computers are among the most sophisticated machines humanity has ever built, but too many of those building them and the software that runs on them love complexity for complexity’s sake. We don’t expect car owners to know how to re-install their transmission every six months in order to keep their car running smoothly; we have mechanics for that, but even so, replacing a transmission is out of the ordinary, not routine. We don’t sell newspapers that require buyers to sign a slip of paper agreeing that when they use them their name and address will be sent to “selected partners”. And we don’t buy potato chips that come with twenty-page booklets on how to open the bag.
We can do better. The solution isn’t educating software users; the solution is educating software makers.
