tricore Guest
Posted: Thu Jan 25, 2007 1:13 am Post subject: Bad Security Habits
When people who know better don't act responsibly, who do you trust?
Over the New Year's holiday, we visited some friends. The husband is a small-organization IT manager--the equivalent of a CIO at a much larger operation.
His wife keeps a blog and reads others but knew nothing about RSS feeds. In the process of helping her set up a feed reader, I observed that the Windows XP Security Center icon flashed red and warned that anti-virus software wasn't detected.
Later on, I warned my friend that there might be some problem with the anti-virus software on his wife's computer. "Oh, it doesn't have any," he replied. "My God," I thought. "This is a network administrator for 50 people!"
When asked why his wife's computer had no security software, he shrugged and said that it was too much trouble. "Why bother?" he asked.
I understand that some people don't like to bring their work home and that maybe administering the home network might seem too much like the day job. But, c'mon, he of all people should know better.
In this day of increasing Internet dangers, what's good enough for work absolutely is good enough for home. My friend's attitude is appalling, and I hope we'll still be friends after he reads this post.
Companies like Microsoft have security policies for their own operations, which often extend to mobile employees using remote equipment. But why not further extend those policies to the employees and provide the means to comply? I'm convinced that one way to diminish the botnet threat is for corporations to provide free security software for their employees' home computers.
I know that at least McAfee offers this kind of option. There is opportunity under some site licenses for businesses to provide security software to their employees for home use. But few customers take advantage of the opportunity.
A further step--and one that would mean a short-term public relations blow--would be for Microsoft to mandate security software for some of its products. No security software, no installation. Such action would lead to strong blog and news media reaction, if not some customers.
If Microsoft feels strongly enough about forcing consumers to validate that Windows is genuine--and take some hefty negativity in the process--surely the company can do something to ensure customers are better-protected. The wrong response, by the way, would be Microsoft requiring its own security products, such as Windows Live OneCare, for installation but not competing products (Microsoft released Windows Live OneCare 1.5 to manufacturing yesterday, by the way).
Microsoft owns the software, not the buyers. Microsoft sells the software with a perpetual license, while retaining ownership. I've argued before that this makes Microsoft a landlord, who should take more responsibility for protecting its property--and the renters within--from Internet marauders.
Good policies can help overcome people's bad habits.
One worrisome bad habit: unprotected Macs. I don't know a single Mac user--and it's a long list--that uses security software beyond anti-virus, and I can count on two hands the users with AV. More worrisome: I've seen a goodly number of Macs in corporate environments without security software. The IT managers load up Windows with security software, but like my friend, some take a "why bother" attitude about Macs.
The Month of Apple Bugs should be a real test of Mac OS X's security resilience. Even for exploits for which Macs may seem immune, they can still be carriers that infect other operating systems or their applications.
That said, the presumption that Macs are immune to malware is another bad security habit. Every IT manager that lived through the "I Love You" virus should think again about "why bother." A successful malware attack can quickly sweep across unprotected computer populations. With I Love You, bad habits about file attachment handling led to the virus' fast propagation.
When the hammer falls, it will hit Apple hard. Microsoft will always take more of the blame, though, in part because so many more people use its products. Some of Microsoft's bad reputation is undeserved because people have bad security habits. I keep wondering: How often does my friend patch his businesses' desktops and servers?
"Why bother" would be the wrong answer.