Years ago, before the internet became part of our lives but after PC's became common, the greatest virus threat came from floppy disks. There was a saying that every time you slipped a CD (remember 5-1/4 and 3-1/2 inch floppys?) into your computer's drive slot, your 'puter had "slept with" every other computer that same disk was in, and in turn every other computer those computers slept with.
In discussions with my fellow workers, I once opined that viruses were a conspiracy on part of software vendors to discourage software piracy. I.e., someone's offer of a free copy of Word Perfect might contain a virus which will wipe out your hard drive, so the only way to prevent that was to buy software (at full price) from your local computer hardware/software retailer.
I was told then, and this point could still be argued today, that viruses are more likely a conspiracy by antivirus software vendors -- as Messrs. Dodge and Blankenhorn suggest.
Much of the computer security advice we get from banks, browsers and password-protected web sites is a waste of the user’s time.
Last year, Microsoft researcher Cormac Herley confirmed what many of us already knew or suspected: managing dozens of passwords is a colossal pain and of dubious benefit. Do I feel more secure that my bank knows the name of my first dog? Not really.
credit: Microsoft
Herley is not casting all security advice to the wind, but questions the value of all the time we collectively put into it. From his report:
“Users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security. We have shown that much of this advice does nothing to make users more secure, and some of it is harmful in its own right.”
What Herley figured out is that the value of the time users spend managing passwords, SSL certificates warnings (Secure Sockets Layer which encrypts data between web server and your browser) and phishing site identification is far greater than the damage done by computer criminals. He describes the benefit from user education as “speculative and moot.”
His findings defy conventional wisdom that you can’t pay too much attention to computer security. The basis for his findings is that our time isn’t free: indeed, he figured out that the time of 180 million adults online in the U.S. is worth about $2.6 billion an hour, far, far exceeding the losses from spam and phishing attacks.
“We find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population…,” he wrote.
Over the years, computer security has irritated me. At one job, I was required to change my password every three months and if I didn’t after repeated and annoying warnings, I was not permitted to send e-mails. How dumb is that? Ironically, this is a setting in Microsoft Exchange.
I simply used the same word and added 1, 2, 3 and so forth to them every three months. That way, I could easily change and remember them.
The report didn’t directly address virus checkers which we blindly re-up for every year, but it reminded me of a story idea I discussed with an editor about 10 years ago. We posited that somehow the developers of viruses were in cahoots with the companies that wrote the software to protect us from them.
Alas, it would have been extremely difficult hypothesis to prove. Maybe there was a tad too much conspiracy tied up in the idea.
For more perspective on Herley’s conclusions, check out IT professional Michael Kassner’s blog post on TechRepublic (a sister site to SmartPlanet.com) and a story in yesterday’s Boston Sunday Globe. Beware, Herley’s report will take you a solid hour to read and digest.
Follow me on Twitter.
Related SMartPlanet.com stories on passwords and computer security:
