Years-Old Conficker Worm Still a Threat
RedEaredSlider writes "The Conficker worm is still a threat, even though it is more than two years old and nobody has used it in a botnet attack yet. The problem is that so many machines are infected (largely because many don't realize it) and it's such a flexible piece of malware."
The real issue: (Score:5, Insightful)
The Average User is still a threat on his path to ignore one and all security measures.
Nobody should be surprised with that one (Score:5, Insightful)
Just wait until Microsoft stops releasing security updates for Windows XP; then Conficker will really have a chance to run wild.
Re:The real issue: (Score:5, Insightful)
The real issue: the software industry releases insecure products and blames ordinary users for not being IT security experts, which is what it takes to be truly secure.
The bar could be raised far higher than it is now without even beginning to approach expertise. That's the part that is often underappreciated.
"Truly secure" in an absolute sense is rarely if ever attained by anyone, and almost never necessary. What you really need to achieve is "unprofitable to compromise". It's security in a relative sense and much more realistic.
I don't really disagree with your assessment of the average quality coming from the software industry. The users are not typically blamed for that, even though they're collectively responsible for creating a market where shoddy quality sells. That responsibility is indirect and spread out among large numbers of people.
The users are more often blamed for not even trying to protect themselves, for not making even a token effort to understand the risks. That decision is more immediate and individual. For this reason, average users are often characterized as stupid.
I'm personally more inclined to believe that they could do better if they wanted to. I've seen the mentality many times because there is such an overabundance of examples (and not just in computing). It's not stupidity in the normal sense, though you could call it a kind of stupidity because it tends to act against one's own interests. It's more like an intellectual laziness combined with an entitlement mentality which insists that things like security must always be "someone else's problem" even though it won't be "someone else" who suffers any insecurity.
Like any entitlement mentality it has to have an excuse to function, to seem like a believable position one does not wish to abandon. In this case it's the excluded middle: the notion that users are either drooling idiots or highly skilled experts with no intermediary states. That enables the afflicted to respond to recommendations for how they may improve by becoming offended instead of assessing the feasibility of the suggestion. The intellectual laziness component comes from institutional schooling's lesson that learning is hard and full of toil and cannot be a joyful process of discovery and fascination.
You combine those things and you get a user who is nearly impervious to even the most basic, most easily understood advice, especially concerning topics like security. Even when it's in their own interests to listen to it. Even when implementing it would be easier than their current practices. The rest of us get a degraded Internet in the form of spam and DDoS attacks and worse, which so many compromised machines facilitate, thanks to network effects.
The case against the mentality of the average user has a solid foundation, primarily because most of them could choose differently.