{"id":50,"date":"2008-06-06T11:53:27","date_gmt":"2008-06-06T16:53:27","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/publius\/2008\/06\/06\/beau-brendler-malware-the-great-equalizer\/"},"modified":"2008-11-18T16:22:57","modified_gmt":"2008-11-18T21:22:57","slug":"beau-brendler-malware-the-great-equalizer","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/publius\/2008\/06\/06\/beau-brendler-malware-the-great-equalizer\/","title":{"rendered":"Malware: The Great Equalizer"},"content":{"rendered":"

Essay by Beau Brendler<\/a>, a response to David Clark<\/a><\/a>
\nContinue the conversation with Michael Barrett<\/a>.<\/p>\n

Eight years ago I spent two-grand-plus on a Sony Vaio laptop when they were still sort of cool. It was kind of a muscle car then, full of multimedia editing software I wanted to make movies with in hopes I\u2019d get invited to Cannes rather than conferences with 2.0 in their titles. But then a wretched worm attacked, days of futile damage control followed, and finally I gave up trying to download Service Pack 2 from the Microsoft site and just asked for a CD, which they sent for about $6. (Genius business model! Charge people for patches to fix security holes in your operating system that can\u2019t be downloaded for free because your Web site sucks). After that I might as well have deep-fried my laptop in bacon grease. It lived out its miserable life as hard-drive storage for photos until the screen display dissolved to static.<\/p>\n

Just about everybody has a story like this. I don\u2019t want to bore you with mine but to make a point I will return to: I\u2019m supposed to be sort of smart about this stuff, somebody who goes on TV and radio and gets quoted in newspapers talking about security and fraud and other Internet things, yet I was brought low by malicious code in minutes. I feel like the paranoid guy in the first Highlander movie — the only good Highlander movie — who drives around New York City armed with Uzis and MAC-10s only to get push-pinned on Clancy Brown\u2019s giant Kurgan sword. No one\u2019s safe, he complains to the grizzled old detective, bleeding from his ears in a crummy hospital bed. I\u2019ve got all this stuff, and still I\u2019m not safe.<\/p>\n

Now, I don\u2019t mean to engage in the kind of hyperbole the computer security industry uses to hype its myriads of marginally effective products. No one\u2019s yet actually been killed by badware (though I have stood in the sweaty Manila headquarters of TrendMicro, watching real-time outbreaks of badware attacks on a topo map of South America alight and blaze red like so many fires in the rainforest, which was a little scary). Dumpster-diving and mailbox raiding were still the number one identity theft vectors last time I checked. <\/p>\n

But when I go to bed at night, I know my TV set isn\u2019t going to be stealth co-opted through my satellite cable and coerced to blast my personal data to somebody in Sighi\u015foara. I don\u2019t know this about my PC.<\/a> A friend of mine who used to manage an Internet service provider told me last week the machine his wife uses to run her home business got skranked so badly by a piece of botnet malware it took days and many dollars to fix. Home invasions just aren\u2019t a happy thing, even if the perpetrators are digital and incapable of carrying baseball bats. I\u2019d be pretty mad if someone somehow outside my house buggered my hard drive so badly that I lost even a single picture of my kids. And again: We\u2019re supposed to know something about computers, my friend and I.<\/p>\n

The feds think: We Have a Situation Here. The National Cyber Security Alliance<\/a> put out a survey couple of months ago that appears to have gone largely unnoticed, though I don\u2019t dispute the results:<\/p>\n

\t* Only 49 percent of consumers changed their password within the past year, 19 percent within the past month. Wanna bet how many are using \u201cpassword2\u201d or the cat\u2019s name instead of the dog\u2019s?
\n\t* 71 percent haven\u2019t heard the word \u201cbotnet.\u201d Actually, I\u2019m surprised it\u2019s not higher, and wonder if the question was phrased, \u201chave you ever heard of a botnet?\u201d
\n\t* About half the population don\u2019t know \u201chow to protect themselves from cyber criminals,\u201d probably more when you factor in the magic of social research.<\/p>\n

Badware\u2019s <\/a>even coming at us from digital picture frames these days, and some manufacturers aren\u2019t sure how it got there. Buy a memory stick for your camera off eBay, and if it\u2019s not a fake and you can get it to work, God knows what it\u2019s going to leave you with the morning after. A year ago the FBI said a million computers were infected with malware that could have ginned up an \u201carmy of bots\u201d that could threaten national security. \u201cBotnets continue to be an increasing threat to consumers and homeland security. Unsecured computers play a major role in helping cyber criminals conduct cyber crimes,\u201d said Ron Teixeira<\/a>, NCSA\u2019s executive director.<\/p>\n

It\u2019s true\u2014 a Consumer Reports survey two years ago found only 21 percent of Americans actually enabled security software on home PCs. But I\u2019m not ready to blame slacker consumers for potential national security threats. People have other things in their lives to worry about, and simple advice for the home user actually goes a long way if it\u2019s followed: You don\u2019t need to worry about Van Eck Phreaking, but you should at least turn on WEP-level security on your home network. For anti-virus protection, download Alwil\u2019s Avast!<\/a> which doesn\u2019t bug you every 12 months to pay for re-up, though you do have to keep registering it. Suck it up and sign up for automatic OS updates.<\/p>\n

No matter how often we seem to say this stuff, however, lots of people just aren\u2019t going to do it. So we need help from policymakers, computer manufacturers, law enforcement and regulators. For instance: Every PC that leaves a store should come with free, active anti-virus software that doesn\u2019t ask for $24.95 after 12 months leaving you unprotected until you pay. Consider it takes about 7 seconds from the time an unprotected computer is plugged into the Internet until its first malware infection.<\/p>\n

Since laptops don\u2019t come with instruction manuals anymore, every PC should come with a reasonable, understandable, step-by-step tutorial that walks the user through firewall enabling, browser settings, anti-virus setup, and Internet personal security 101 — the basic principles of phishing, ID theft and the top five most popular Internet cons. Hire children\u2019s book authors, not \u201ctechnical writers\u201d in China to create these interactive tutorials. Set operating systems to enable Internet connections only after the tutorial is done. Regulators should keep closer watch on computer security companies and keep consolidation and mergers in check. Whether there should even be a software security industry is a question unto itself; at the least, we need spirited competition.<\/p>\n

Finally, try raging against the machine. Don\u2019t buy computers from companies that load bloatware and force insecure operating systems on the public. Buy a couple of how-to books, spend some time on a site like Freshmeat.net and consider joining the open source movement. And if you\u2019re still worried: Just turn the damn thing off. <\/p>\n

Beau Brendler is director of Consumer Reports WebWatch<\/a>, which he founded and launched in 2002. He is a frequent contributor to the Consumer Reports WebWatch blog<\/a>. However, this essay represents his opinions as a computer user.
\n<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Essay by Beau Brendler, a response to David Clark Continue the conversation with Michael Barrett. Eight years ago I spent two-grand-plus on a Sony Vaio laptop when they were still sort of cool. It was kind of a muscle car then, full of multimedia editing software I wanted to make movies with in hopes I\u2019d […]<\/p>\n","protected":false},"author":1815,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2650,2652,2755,3593],"tags":[],"class_list":["post-50","post","type-post","status-publish","format-standard","hentry","category-beau-brendler","category-david-clark","category-michael-barrett","category-protection-from-harm"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/publius\/wp-json\/wp\/v2\/posts\/50","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/publius\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/publius\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/publius\/wp-json\/wp\/v2\/users\/1815"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/publius\/wp-json\/wp\/v2\/comments?post=50"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/publius\/wp-json\/wp\/v2\/posts\/50\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/publius\/wp-json\/wp\/v2\/media?parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/publius\/wp-json\/wp\/v2\/categories?post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/publius\/wp-json\/wp\/v2\/tags?post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}