Safe Computing: Whose Responsibility is It, Anyway?

A recent blog post by Christopher Dawson over on ZDNet caught my eye. At first I thought the article, titled "I really don't want to use Windows anymore," was just another tiresome case of generalized Microsoft bashing. Then as I read through it and saw his reasons, I realized that there's a problem here and it's not a problem with the operating system.

He states that "...I've still re-imaged 3 computers in the last two weeks due to massive infestations [of viruses/malware]." I find that absolutely amazing. I use Windows, of all varieties. So does my husband. We have Vista machines, XP machines, even a few Windows 2000 servers still live on our network. We haven't had a virus or malware infection in years. We run AV checks regularly, and nothing is ever found. Are we just lucky? Do we have a guardian angel looking over our shoulders?

I don't think so. I think these folks who are suffering from frequent "massive infestations" are doing something wrong. Now, if you're a typical home computer user and you've been hit by a virus, I'm not saying it's your fault. It's the people who write and distribute these things who should be blamed, not the victims. But unfortunately, the threat is out there and it's imperative that we all learn to take common sense precautions to keep from being victimized. And if you're ostensibly a technology pro, you should know that and you shouldn't be getting infested, regardless of what OS you use.

So when Chris says, "... right now, none of the computers in my house (four of them, all Mac or Ubuntu) have had even a blip of malware. My students who have switched over to Linux? No problems. Teachers with Macs at home? No worries. Schools with Macs in them? Not a single issue," I have to inject a gentle reminder here that correlation does not necessarily mean causation.

I doubt that Chris, as an IT professional, would be getting virus and malware infestations on his home machines if he were running Windows. And I would postulate that those students who've switched to Linux usually tend to be the more tech savvy folks, who are also less likely to practice computing habits that get you infested. Teachers with Macs? I don't see that group as one that ventures into dangerous Internet territory a lot, either.

What I'm saying is that your OS is not the sole - or even the most important - determining factor in whether you fall victim to malicious software and attacks. Let's say I leave my Ford parked in a nice neighborhood, and nothing happens to it. Then I park my Chevy on a back road in the worst part of town, and when I come back to it, I find that my window has been smashed and my stereo stolen. Does that mean Chevrolets are less secure cars than Fords? They might or might not be, but the fact that the Chevy was attacked and the Ford wasn't, in this situation, tells us nothing about their relative security.

Or let's say we have a thief who's a bit less of a brute forcer. He's using stolen master keys to get into vehicles and steal whatever valuables he finds inside. He's targeting Chevys and Fords; those are the keys he stole because he knows he'll find lots of those in any parking lot. Even though logically, the contents of your Aston Martin might be more attractive to a thief, he passes it by because he doesn't have a master key to it. He didn't bother to get one because he doesn't run across nearly as many Aston Martins. Thus the Aston Martin seems to be more secure, because it doesn't get broken into even when sitting in the same parking lot where all those Fords and Chevys are being hit.

I think those who say or imply that Linux and OS X are "immune" to attack are doing computer users a disservice - because it's simply not true. The fact that Apple doesn't somehow magically make software that's attack-proof can be shown by the fact that its iPhone - which does have a big market share and thus is attractive to hackers - has required numerous patches for security vulnerabilities. Just this month, 12 vulnerabilities had to be fixed:
Apple patches 12 iPhone bugs, adds Street View, podcast downloads

Guess what? The iPhone software is based on OS X. Apple's Safari browser, iLife and iTunes programs, QuickTime player and iPod Touch software also regularly require security patches.

How about Linux? Well, the truth is it's not bullet-proof, either. For example, on Thanksgiving Day, nine security vulnerabilities were announced affecting all versions of Ubuntu:
Newly Discovered Kernel Vulnerabilities Affect All Ubuntu Users - Update now - Softpedia

There are legitimate reasons to choose a Mac or Linux system instead of Windows. If you do a lot of graphics type stuff, or just like the OS X interface, by all means go for it. Or you can save lots of money by using a free open source OS. But those who tell others to switch to Mac or Linux for security purposes are either misled or misleading you. And by increasing the market shares of those operating systems, they're just increasing the odds that hackers will start writing more malware and exploits for them, as well.

Instead, they should be encouraging everyone to practice safer computing habits. An interesting phenomenon I've noticed is what I call the SEP syndrome. No, I'm not talking about a type of retirement account, I'm talking about the tendency to regard security as Somebody Else's Problem. Too many computer users take the position that the OS vendor holds all of the responsibility for protecting them from cyber danger. It's not unlike the philosophy that the government should be responsible for keeping us all safe from all physical and economic harm - no matter how foolishly we act to put ourselves at risk.

A variant on the SEP syndrome is that we're much more likely to act responsibly when we don't have the illusion that someone else is doing it for us. A friend who's very tech savvy and normally very security-conscious mentioned to me not long ago that when he's at work, he doesn't take the same precautions in his computing habits that he does at home on his own network - because he figures the IT department "has his back" when it comes to security. So he simply doesn't worry about it as much. At home, it's up to him to be sure no attackers get into his network. At the office, it's Somebody Else's Problem.

Ultimately, it's up to each of us to protect ourselves. Of course we should expect the software companies to do everything in their power to make their software as secure as they can - and all major software vendors spend millions doing just that. But the only perfectly secure OS is one that nobody can access, including you. If there is a way for you to get out to the Internet, there will always be a way for an attacker to get in from the Internet. Doors open both ways. The builder of your home can equip it with the best locks and alarms in the world, but it's up to you to engage those locks and arm that alarm when you leave the house.

Tell us what you think. How important is it for users to develop responsible, safe computing habits? Should we be able to just forget about security and let it be Somebody Else's Problem? Should we be able to visit whatever web sites we want, use P2P file sharing wantonly, click on any link in any email from any stranger, and expect that our software will keep anything bad from happening? Or do we share some of the responsibility for protecting ourselves? Does Windows get a bad rap when it comes to security? Or do all the other OS makers have a magic formula for creating safe operating systems that Microsoft just can't get the hang of, despite pouring money, time and the efforts of some of the brightest minds in the business into it? Let us know your opinion.