Bad Things, Man

Photo by Darcy McCarty from Flickr used under Creative Commons

I just started the Snow Leopard upgrade process, and I’ve got about an hour to kill as it wanders through the process. Experience tells me to monitor the progress, just in case it hits a hiccup.

So, I’m going to see if I can form a post out of something that’s been bothering me lately. Here goes.

Having spent a week initiating new computer users, I’m a bit perplexed about how non-technical people feel about the internets. Everyone knows cybercrime is big business, dealing in everything from stolen credit card numbers and identities to medical records and corporate information.

Frankly, I don’t think mainstream media does much to help the situation. As with many threats, people are cautioned using the worst case scenario, i.e. the fear approach. Beware, you could be next. Usually, the stories encourage safety through the usual behaviors: keeping browser and OS software current, avoiding suspicious emails, providing credentials only to a bona fide site, maintaining current virus software, avoiding all popups, etc.

But people don’t follow the advice, and cybercrime hasn’t abated; it’s gotten worse.

So why don’t people take even the easiest precautions? Are they not scared enough?

I don’t think so, having watched a borderline panic ensue around H1N1 earlier in the year. Maybe getting sick and dying is a bit more real than visiting a compromised website with an XSS vulnerability and inadvertently handing your credentials to a hacker. Generally, I think fear is pretty easy to inspire.

Looking over the comments on my post about updates, there are a couple of common themes: 1) inconvenience and 2) updates breaking or slowing down regular operations. Joel provided a funny reversal of the usual credit card problem that underlines what a headache taking patches can be for businesses. I’m focusing here on the consumer side, not the enterprise side, which is a discussion for a different day.

Anyway, if you commenters out there represent a good sample, I guess the media isn’t doing enough to scare you, since you’d rather not be inconvenienced.

Or, maybe it’s a simple cost-benefit analysis. The cost of keeping software current outweighs the benefit of protecting your computers. Why? Because the cost includes a very real concern that patching software could bork up the computer, hosing the all-important interwebs and maybe the entire machine. This is the “if it ain’t broke, don’t fix it” school of thought.

Extending the scenario, a borked computer means expensive repairs, a dicey process in and of itself, or hitting up your technically inclined family and friends.

Further, since many attack vectors happen without any discernible traces to the user, the victim may come to believe that the laissez-faire policy works just fine thank you very much.

Luckily, cost-benefit applies to the criminal too, i.e. the cost of exploiting vulnerable machines is very low, with a high rate of return. Therefore, making your computer tougher to crack and less valuable to a hacker should be enough because there’s always someone else with an unpatched OS doing online banking.

It’s safe to say that everyone will eventually get hacked in some form or another. I guess the real question is how badly we’ll be compromised.

So, maybe that was a full post. What are your thoughts about all this? Do you feel safe enough to skip updates, or are you just not an attractive target for a hacker?

Maybe something else? Find the comments.




  1. Not sure if I am a valuable enough candidate for attack. Also not sure if I am an average user spending more than half of my day online reading about such things.

    I just patch. I don't think about it, I don't care, I just patch.

    If it breaks something, I'm sure it will be fixed in an upcoming release as all the others who installed the patch will be complaining very loudly about it. That's the OS anyway (Jaunty Jackalope).

    As far as other programs go…I don't really care. FF? No worries. What else is there? VirtualBox? No updates really, just new versions. Database software? I only have an educational version so don't receive patches. JDeveloper? No worries there either. That's about all I use, and I'm considered a power-user (I think).

    Everyone else uses a browser, email and a word processor maybe.

    Most of these attacks seem social in nature (phishing) right? That's not something you can fix with updates.

    Did I answer the question or add value? I don't know. It's late.

  2. Attack vectors target primarily browser and OS vulnerabilities and social engineering (e.g. phishing, one easy password, social networks). Lately, they seem to be combined, which makes sense: as people get accustomed to one, a new threat emerges.

    You're doing it right. Always patch.
