Let me give you a case in point, which is the main thrust of the argument. When speaking to a technologist recently, I asked him why he did not implement a simple precaution that would have prevented any of his customers from being hit by the recent Blaster worm. His response was "Well, that might restrict some of our customers and we don't want to do that".
What he was pointing out was that most technologists want to make their life easy, because at some hypothetical time in the future some hypothetical customer might want to do something odd – which, he admits, they do not do now. He also stated that the worst-case scenario would be when only five in 100 of his customers might wish to do that hypothetical thing. He is prepared to put everyone at risk now to allow for this future and uncertain event.
This is where 'the lunatics have taken over the asylum' becomes more apt. It raises two points. These technologists don't work in the real world; they think of potential reasons not to protect us. They believe that such protection should be managed by them and be on or off. They have no real concept of a scalable approach or real world policies that all of us use every day. My question is, why don't they protect everyone, and then let those customers who need to use that particular feature request it if needed? That way, 100 percent of users would be safe now. If a small number of customers decided there was a real business benefit later, then you can allow them to do it, and only a small percentage of your users would be exposed. This concept just does not seem to hit home.
That may not be totally fair. There are thousands of smaller companies whose support people have not had the years of indoctrination training to implement these practical policies all the time, at little cost, and with hugely increased protection. It is the very large and very small companies who actually struggle with either too much, very expensive, technology, or none at all.
The situation is actually more ridiculous than this, and I think it is best illustrated by an analogy. This indicates the simplicity of the current anti-virus problem, but can be applied to a much wider security mindset. Let us imagine that we refer to our computer as a house, the internet as the paths between houses and that we see thousands of unknown people passing us by. When we first built our house, there was no such thing as a proper window, door or locks, there were only door and window shaped openings. When we first built our house, there were only mud tracks and we only saw a couple of people a day. One day, a burglar arrived. He did not have a sign saying 'burglar', he just came in and stole our favourite watch. Then the next day, a travelling security guard turned up and told us that the burglar problem was getting bad, and that he was good at spotting burglars. We employed him to sit in our doorway, then he would stop any burglar he recognised.
At first, this worked, but the burglars got smart. They started to wear odd clothes and they started pretending to be our friends. Slowly, the guard became more and more confused, and he had to carry round a huge book to describe all the things a burglar could do or say and how they disguised themselves. Then a real problem came. The paths started to be paved, and they ran to our back door, and even, in our split level house, to our windows. Now the security guard started telling us that we needed to hire a few of his friends, as he could not cope. So we spent more money. Then he started charging us to keep his book up-to-date, as his head office spent a lot of money researching these burglars.
And we still were burgled. The burglars started walking on stilts, wearing coats, walking in with our friends in a group, hiding in the refuse bin, and even started coming in the back door and the window. The security company got very rich and had security guards at every open door and window, and charged for them. Every time there was a spate of burglaries we rushed to 'guards-r-us' to update.
The press and the analysts all decried the burglars. They told users who were burgled that they really should buy better and bigger security guards. The situation was getting very bad. People were talking about not being able to use the pathways anymore because they did not trust them and they were so full of burglars it was hard to get round.
One day, a guy came along from another country, who looked at all this and just laughed. He said, "Why have you not got proper doors and windows? Why have you not got window and door locks? Did you know you can even get peep-holes so that you can see who is coming to your door?" He continued, "You really don't need all these security guards, and these burglars can be stopped really easily."
He could not believe that the security guards had duped the population so much. When he started to investigate further, he even realised that all the houses were now being built with proper windows, doors and locks, but the security guards left them open. Then he realised that maybe there was something more sinister going on here. Perhaps some of the more unscrupulous security guards knew all about windows and doors and locks, and they did not like it.
He set up a company that helped people close their windows and doors, helped them install locks if they needed them, and even fitted peep-holes. A few forward thinking people listened to him, and they were safe. The huge epidemic of burglars suddenly appeared, as they occasionally did, and stole nearly half of all the nation's wealth. Suddenly, security guard companies' profits went up and everyone was running around trying to get the latest security manual. That is, with the exception of people who had the new doors and windows, who sat watching this mayhem with a wry grin on their faces. They were able to carry on their normal lives while all these others were rushing around in doom and gloom.
But the press and the government still talked about security guards and how people should just employ more security guards and update their security manual even more often – the world is a dangerous place you know! The security guards started telling people that if you lock your back window, you won't be able to jump out of it one day when you may want to. And because the people were so used to listening to the security guards, they didn't get windows, doors or locks. The man who set up all the windows and doors and had protected so many people held his head in despair; he just could not understand. It was like they wanted the world to be this way.
This is exactly what the anti-virus world is like right now. There are technologies out there that could wipe out the virus problem now. Scare stories about security spending rising by billions due to Sobig are just playing into the hands of the security vendors. This problem also exists in other areas of the internet – especially the urban myth that everyone on the internet is anonymous, causing problems with fraud and child grooming.
The vested interests in the technology community that sell us security products just do not want people to hear this. They seem to hold a great deal of sway with industry commentators, analysts and the government. Well, they would, wouldn't they?
by Nick Scales, CEO at Avecho.