I just started the Snow Leopard upgrade process, and I’ve got about an hour to kill as it wanders through the process. Experience tells me to monitor the progress, just in case it hits a hiccup.
So, I’m going to see if I can form a post out of something that’s been bothering me lately. Here goes.
Having spent a week initiating new computer users, I’m a bit perplexed about how non-technical people feel about the internets. Everyone knows cybercrime is big business, dealing in everything from stolen credit card numbers and identities to medical records and corporate information.
Frankly, I don’t think mainstream media does much to help the situation. As with many threats, people are cautioned using the worst case scenario, i.e. the fear approach. Beware, you could be next. Usually, the stories encourage safety through the usual behaviors: keeping browser and OS software current, avoiding suspicious emails, providing credentials only to a bona fide site, maintaining current virus software, avoiding all popups, etc.
But people don’t follow the advice, and cybercrime hasn’t abated; it’s gotten worse.
So why don’t people take even the easiest precautions? Are they not scared enough?
I don’t think so, having watched a borderline panic ensue around H1N1 earlier in the year. Maybe getting sick and dying is a bit more real than visiting a compromised website with an XSS vulnerability and inadvertently handing your credentials to a hacker. Generally, I think fear is pretty easy to inspire.
Looking over the comments on my post about updates, there are a couple common themes: 1) inconvenience and 2) updates breaking or slowing down regular operations. Joel provided a funny reversal of the usual credit card problem that underlines what a headache taking patches can be for businesses. I’m focusing here on the consumer side, not the enterprise side, which is a discussion for a different day.
Anyway, if you commenters out there represent a good sample, I guess the media isn’t doing enough to scare you, since you’d rather not be inconvenienced.
Or, maybe it’s a simple cost-benefit analysis. The cost of keeping software current outweighs the benefit of protecting your computers. Why? Because the cost includes a very real concern that patching software could bork up the computer, hosing the all-important interwebs and maybe the entire machine. This is the “if it ain’t broke, don’t fix it” school of thought.
Extending the scenario, a borked computer means expensive repairs, a dicey process in and of itself, or hitting up your technically inclined family and friends.
Further, since many attack vectors happen without any discernible traces to the user, the victim may come to believe that the laissez-faire policy works just fine thank you very much.
Luckily, cost-benefit applies to the criminal too, i.e. the cost of exploiting vulnerable machines is very low, with a high rate of return. Therefore, making your computer tougher to crack and less valuable to a hacker should be enough because there’s always someone else with an unpatched OS doing online banking.
It’s safe to say that everyone will eventually get hacked in some form or another. I guess the real question is how badly we’ll be compromised.
So, maybe that was a full post. What are your thoughts about all this? Do you feel safe enough to skip updates, or are you just not an attractive target for a hacker?
Maybe something else? Find the comments.