Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Books Media Book Reviews

Security Alert 162

jnazario writes "As a computer security professional, one of the things I notice is that for our proposals to be effective, they often require the participation of the vast majority of computer users out there. Almost all of them are not computer security professionals, so it's imperative that our methods be usable by the non-professionals. What makes this even worse is that most computer users are not terribly savvy about what they're using. Terms like hard drives and memory don't mean anything to them, and a browser is just a window to the internet. A computer is a tool for information use, not an end in itself. So, a book like Security Alert: Stories of Real People Protecting Themselves from Identity Theft, Scams and Viruses sounded like it had real promise." Read on for Nazario's review of the book.
Security Alert: Stories of Real People Protecting Themselves from Identity Theft, Scams and Viruses
author Becky Worley
pages 266
publisher Pearson Education
rating 3/10
reviewer Jose Nazario
ISBN 0735713529
summary Real world tips for regular people to protect themselvs online

If it can communicate threats and solutions effectively to the average computer user, then we're making real progress. After all, even computer security professionals often fail to employ basic measures to protect themselves from typical attacks, we'll have to make sure this stuff is understandable by the general population. Not that they're the "great unwashed" -- hardly. They're just not focusing on this stuff. Hence, we have a challenge: make this stuff understandable by your mom if you want everyone to just get it.

Becky Worley is (was? I haven't watched TechTV in a while) a TechTV on-air personality. She's reported news and events for TechTV for a number of years, and has often done so clearly and at a level you'd expect for a general TV station devoted to technology issues. So, you'd think she'd be a in a great position to collect information and know how to present it. Sadly, Worley's book doesn't fit that niche; it's not going to educate the large masses. In putting myself in the shoes of an average computer user, I found it fails in a number of ways.

The first and foremost failure of the book is right from the beginning. Worley opens up by saying that you're not a target of hackers, yet the rest of the book goes on to discuss how you are. While you're probably not going to be attacked by the same people who try and break in to Pentagon computer networks, virus writers and con artists fall into the same category for most purposes. All of these sorts of people, and what they can do, is described in chapter 1.

There's no discussion of phishing in the chapter on identity theft, which is chapter 2. Identity theft is a large, complicated subject, yet Worley only focuses on credit card number theft. While she talks about social security numbers, she doesn't demonstrate how they have been used to destroy victims' lives. Some advice is given as to how to react to credit card theft, but little information is given here about how to protect yourself to begin with, aside from being careful about whom you give your SSN to.

The book repeats itself often, covering similar material in several places. Chapter 3, which covers online purchasing, covers credit card info theft and email scams again. What it doesn't cover very well is how to spot a legitimate website, how to really use an escrow service, if and how you can get eBay or a shipper to help you out of a scam auction, and the like. Useful information about verifying who owns a certificate for an SSL server, or even making sure you're using an SSL server, is not given. Examples of false websites and auctions would have been useful. After all, after telling us how scammers operate and look so legitimate, illustrating the points about how to spot them would be valuable.

The book is full of anecdotes but few useful pieces of information are placed where they need to be. Chapter 4, which covers viruses, is one of these examples. It spends most of its time covering typical viruses and the usual, but doesn't get into anything beyond "use antivirus software." Never mind that the biggest threat in recent years has been from automated worms and that personal firewalls are useful; that's covered later. We hope you remember the quick tutorial on viruses from before.

The book's organization is poor, with material scattered throughout the book in a fashion that doesn't progress well or develop the information seamlessly. More virus and scam information is placd in Chapter 5, along with virus hoaxes. Several websites are refered to, but little in the way of really spotting a virus hoax or the common scam. Since they still abound, and people still fall prey to them, couldn't a better job have been done to describe what people are looking at have been offered?

In short, the book is a decent collection of links and material but is so poorly organized or so thinly presented it's hard to get what's going on. Take chapters 6 and 7, "Safe and Sane Online Interactions" and "Protecting the Family." Lots of information, somewhat poorly organized, and very skimpy on content. It seems to me that worrying about who is pestering my kids is more important than hearing about someone's EverQuest addiction, so that was a wasted page.

Finally, Chapters 8 and 9 should have been moved up front more. The topic of chapter 8, "Privacy," is perfect for the topics in chapter 2, where worley talks about identity theft. The topics covered here, including spyware and key loggers, are far more germane to the threat against your privacy and bank account information, and have been a growing trend for at least a couple of years. Chapter 9, differentiating being safe and being paranoid, should have been placed up front to help temper the arguments given in the rest of the book. It does a decent job of articulating the threats, what's to fear, and what's at stake.

The book is laden with plenty of anecdotes about online activitis gone awry. What's missing are solid examples of how to do it right, how to use your credit card on trusted sites safely and ensure that you're using services you know are worthwhile. While the book has some useful information in it, it's buried under poor organization, unclear language and presentation, and finally repetition in all the wrong places.

While the world needs a book or two to help every day people understand online security, this isn't the one. If you're looking for something for your kids, your spouse, or your parents, keep looking. This book wont help them make sense of what's going on. I don't think that's too much to ask for, especially from an organization like TechTV which has access to lots of material, people, and motive to produce a solid book.


You can purchase Security Alert: Stories of Real People Protecting Themselves from Identity Theft, Scams and Viruses from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

Security Alert

Comments Filter:
  • by Anonymous Coward on Tuesday September 21, 2004 @04:01PM (#10312851)
    under Book Reviews?
  • What!?! (Score:5, Funny)

    by geomon ( 78680 ) on Tuesday September 21, 2004 @04:02PM (#10312860) Homepage Journal
    A computer is a tool for information use, not an end in itself.

    Blasphemy!

    Burn the heretic!

    • by mfh ( 56 )
      Burn the heretic!

      Let's eat his liver with some fava beans and a nice chianti. Computers are much more than tools for information, but I'm sure I don't have to tell any of you that... Sometimes I think my computer has a soul of its own -- until I realize that's my soul... (well at least the energy of infinite keypresses)
      • Re:Liver (Score:1, Offtopic)

        by geomon ( 78680 )
        Let's eat his liver with some fava beans and a nice chianti.

        Hannibal?

        Ummmm.... Look... You see, this whole eating thing....

        Well you can see that it can only be possible if we *first* gut him, and then burn him at the stake.

        That would take some of the fun out of the whole burning-the-heretic thingy.

        But I'm with you, you know.

        • Drawing and Quartering would achieve both purposes nicely.
        • I'm pretty sure that you can remove someone's liver, and still have time to burn them at the stake before they die. and you can roast marshmellows in the cheery blaze
  • One thing.. (Score:5, Insightful)

    by hookedup ( 630460 ) on Tuesday September 21, 2004 @04:03PM (#10312868)
    Getting people informed before their machine is infected with something is the hard part.

    I find they are a whole lot more interested in learning about security as soon as they start getting pornography popups.
    • Re:One thing.. (Score:3, Insightful)

      by Anonymous Coward
      Thats about the same as people who don't think they need data backup until that laptop hdd that they have been storing 3 years of business data on dies.
    • Re:One thing.. (Score:3, Insightful)

      And then they think that they are safe if they don't accept any browser cookies.
    • Yeah, I doubt anyone will pick this up until the Bad Thing has happened. Next.
  • by Anonymous Coward on Tuesday September 21, 2004 @04:03PM (#10312870)
    I am a firm believer that if you own a car, you should be able to change a tire, and change the oil. Basic matinence.

    Same with a computer. If you own a computer, you should be able to upgrade its security, and install a virus protector (minimum!)

    I dont understand why people spend thousands of dollars on a new device, then simply dont bother to learn anything about it. A computer, like a car, is a serious investment. Learn how to use it properly.

    Of course, my theory goes to shit as many people dont know how to change a tire or oil. Oh well.
    • If you own a computer, you should be able to upgrade its security, and install a virus protector

      I thought that I only had to turn it off and turn it back on again.

      • So sayeth TykeClone:

        Thou shalt reboot from time to time. For thou shalt knoweth that rebooting cureth many kinds of evil. Even unto those things that are not Windows computers, rebooting cures evils.

    • by nlinecomputers ( 602059 ) on Tuesday September 21, 2004 @04:12PM (#10312971)
      I don't understand why people spend thousands of dollars on a new device, then simply don't bother to learn anything about it. A computer, like a car, is a serious investment. Learn how to use it properly.


      Perhaps because they don't spend THOUSANDS of dollars. They spend a few hundred maybe up to about ONE thousand dollars. Computers are cheap and thus people think they are or should be as complicated as similarly priced objects like dish washers or large screen TVs.

      It they had to pay $20,000 dollars for a computer they would learn to take better care of it. But then again I see plenty of people that abuse cars too.
      • Argument invalid. (Score:3, Interesting)

        by cbreaker ( 561297 )
        Computers haven't always been under a grand. It's a fairly recent trend, last few years. Before that, they were usually very expensive, and people STILL didn't learn how to use them.

        I believe in the parent's arguement. You should learn how to use a computer if you're going to own one. It's not rocket surgery. With modern point and click updates and easy to read instructions, there's no excuse.

        It doesn't end up working that way but I really don't feel too bad when someone can't figure out their c
        • Perhaps. (Score:3, Insightful)

          However it seems like to me that the average computer user 10 years ago was more knowledgeable then one is today.

          I too believe in the grand parents argument. People should have a minimum knowledge of a computer just as they have a minimum knowledge on how to run a car.

          Actually a lot of people couldn't change a tire if there life depended on it. But they can look at a tire and note that it is low and they will have tires rotated and inspected on a regular basis. Something that computer users will not do
          • Re:Perhaps. (Score:3, Interesting)

            by hesiod ( 111176 )
            > a lot of people couldn't change a tire if there life depended on it.

            And many couldn't spell if their life depended on it. But that only reinforces my idea: you don't have to know how to do something exactly right to be able to use it at all. Everyone (I hope) understood your sentence, despite the word switch. And people can use a computer despite not knowing any basics.

            Computers simply do not have the life-and-death situations that are present in a car. Many jerks bring up the "it could spread a
        • > It's not rocket surgery.

          You don't perform surgery on rockets. Please drop off all of your PCs at the nearest Public Training Centre and slowly back away.
          • > You don't perform surgery on rockets.

            Proceed to the nearest humor transplant facility immediately. You are in serious danger of becoming the dullest person on the face of this planet.

    • by plover ( 150551 ) * on Tuesday September 21, 2004 @04:14PM (#10312992) Homepage Journal
      And people do, because they know if they don't they'll end up stranded in Bumbleshoot, Minnesota at 3 AM.

      But there are no consequences for owning a computer that's been hacked and is being used by someone else for their own nefarious purposes.

      Perhaps that's a good reason keyboards should come with built-in tazers.

    • by Eberlin ( 570874 ) on Tuesday September 21, 2004 @04:25PM (#10313087) Homepage
      You'd get called an elitist (as I did) for suggesting the need for computer users to be competent.

      Basic computer skills are a difficult enough concept for some -- and anything past "two clicks on the blue letter E" goes over their heads. Anti-virus, firewalls, and windows update? Way too complicated. Downloading and installing another browser? That's a challenge! (I got a call once from someone who couldn't install something from CD-ROM because it wasn't set to auto-run!) Reformat a hard drive and install an alternative operating system? Definitely too much.

      There isn't any interest in knowing anything past 2 clicks on blue E. Solution? FUD 'em. (not essentially lies but fun half-truths) Tell them their machines are being constantly attacked over the net and they need to protect themselves. Teach them that their personal information can get stolen. Tell them that unless they learn the ropes, they'll have to deal with headaches and heartaches and big computer repair bills.

      Hell, tell them that without a good firewall, (Osama || Saddam || tooth fairy) will break into their computers and terrorists will win. (That method seemed to work well with the average Joe Sixpack for a different, more lethal cause).

      Either way, education is part of the solution...but you can only educate those that want to learn. The trick is to motivate people into learning and understanding computer security.
      • Hell, tell them that without a good firewall, (Osama || Saddam || tooth fairy) will break into their computers and terrorists will win. (That method seemed to work well with the average Joe Sixpack for a different, more lethal cause).

        Funny, I've been trying to convince people we need to firewall the country due to the terrorist threat, and all I get is called racist.
      • No.

        You don't need to lie to people to inform them about spyware and adware. Hackers AREN'T trying to take over their computer, worms and ads are. If you tell them that they're going to be hacked, they'll go out and buy random "anti-hacker" shit from the nearest "security" company. Tell them the truth. If they have spyware, tell them what it is, how it caused their problem, and direct them to a good anti-spyware utility (don't just tell them to search for one as they'll hit fake ones, show them the Ad-A
        • A bit of hyperbole there, but anyhoo, the spirit of the post was to get people to CARE about learning. Spitting out "truth" and details on "the problems and the hows and whys" isn't interesting until you can get their attention.

          Even school has its barf-back education process. You get facts and dates and other mantras that they cram down your throat and learn to barf back during an exam. The real retained knowledge are the bits we found interesting, fun, or somehow important.

          So of course not, don't lie
        • > PEOPLE AREN'T STUPID

          Not as individuals usually, as a group they are.
    • CAA (Score:3, Interesting)

      by mfh ( 56 )
      I am a firm believer that if you own a car, you should be able to change a tire, and change the oil. Basic matinence.

      That's what CAA is for. If you own a computer you should be able to turn it on and use the programs on it. If you need anything else, you should have the phone number to a really good/inexpensive techie. I never ever waste time with installs or anything like that. A guy I know does all that for $20-flat, so I can do other stuff (like play PS2) and I get a superb/secure setup for cheap.
      • Can you get me his number - I'd like to tell him that you're taking advantage of him - doing crap work for $20 flat.

        He should be charging at least that much hourly + mileage + beer :)

        • Volume (Score:3, Interesting)

          by mfh ( 56 )
          He does it on volume through his business. The rate is always less than $30-flat for whatever, be it installs of hardware, software, OS reinstall with ghost drives and full software installs. No matter how many you do at once it's always less than $30 CAD.

          What you might fail to realize is that this company took all the business away from the rest of the competitors by doing this, so whenever I use him I know my system is gone for about four days because of the long line of customers they have.

          They are rea
          • Hey - if he's happy with what he's getting and is getting by with it, more power to him.

            I charge $30/hour for that kind of work and have enough to stay very busy in the evenings and on the weekends. That kind of work, you can price yourself the amount of work that you want.

    • And the battery. And the brakepads. And spark plugs. And spark plug wires. And the air filter. And the fuel filters. And check fluid levels. And refill with fluid when necessary.

      In short, people should know how to do all those things that the engineers can't do for them, since the engineers must design cars with parts that wear out.

      Another car analogy - if you put your CAR on the ROAD you must ensure that your CAR is not a danger to other CARs on the ROAD. Replace CAR with COMPUTER and ROAD with INTERNET.
      • "Granted, no one will die if you get infected with a zombie, but neither is your car capable of crashing every other car on every road in the world."

        Your computer cannot do the same, either. Were it so, we would have already had one computer crashing every other computer on every other net in the world. We have not, not can it happen. Your entire post is excess.
        • X has not happened, therefore X cannot happen. Heh. Let me know when you have a well-reasoned argument.
        • Were it so, we would have already had one computer crashing every other computer on every other net in the world. We have not, not can it happen.

          W32/LovSan, also known as Blaster.

          (To be accurate, it didn't crash "every other computer", but "only" a significant percentage of them. But it's nothing a zero-day remote exploit in the IP stack, once it appears, couldn't do.)

    • many people dont know how to change a tire or oil.

      Clearly, what is needed is a network of retail shops, call them 'Jiffy Comp' or something, for people to pop in and have their computers scanned and upgraded while they wait in the lobby watching CNN. After 20 minutes or so a jumpsuited tech would come in and say, "Mrs Pauley? We found two worms, installed service pack II and updated the virus defs. Everything is ok now but be sure to bring it back every 30 Gigabytes or 3 months. That'll be $24.95 + tax"

    • by techno-vampire ( 666512 ) on Tuesday September 21, 2004 @07:43PM (#10314839) Homepage
      I dont understand why people spend thousands of dollars on a new device, then simply dont bother to learn anything about it. A computer, like a car, is a serious investment. Learn how to use it properly.

      Back when I was doing tech support, I heard almost daily from people who'd say, "I'm completely computer illiterate." Most of them would say it not in shame but in pride. They seemed to think there was something good about being incompotent and that it made them better than people who knew how to use computers. There are more of them out there than you'd like to think, and none of them want to know what they're doing. Same thing as it is with cars; knowing how to change a tire makes you lower-class in their eyes, just as knowing how to install software.

    • I think this is a nice analogy, but it does not really support your point. You're probably right that most people do not know how to change the oil in their car. But if they need to, they can drive to the next service station and have it done for them. You can't do this with computers. Also, look at the changes that have been made to computers in the last 20 years and compare them to changes in cars. If you went to driving school 20 years ago, you can still apply your knowledge to today's cars. On the othe
  • RTFM Issue (Score:5, Insightful)

    by webword ( 82711 ) on Tuesday September 21, 2004 @04:03PM (#10312877) Homepage
    Unfortunately the folks who need the help the most are the the least likely to read. It is like a law: Those who need to RTFM are least likely to RTFM.
    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
    • Re:RTFM Issue (Score:3, Interesting)

      by plover ( 150551 ) *
      Even if the review had been glowing and great, you're right. Nobody I know who would need to read a book like this EVER would have bought it.

      That's why I think it's somewhat our responsibility to help our friends and families (to whatever extent possible) to keep them out of computer trouble. I carry a copy of Spybot S&D and AVG Antivirus with me when I visit family members, just because I know they don't have what it takes to keep themselves safe. Some can't even be bothered to run Spybot without

    • Worse yet - in the US, 97% of people should at least be able to RTFM [cia.gov] - there's no excuse!
    • ...kinda a catch-22 though, cause the reason they need to RTFM is because they haven't RTFM, unlike us who have RTFM.
    • Read what? What are people supposed to read? What manual? What instructions? Welcome to 1990. There is no manual, any more.
  • by kdougherty ( 772195 ) on Tuesday September 21, 2004 @04:06PM (#10312900)
    Why don't you demonstrate security flaws instead of just explaining them? Show your board or whoever actuall real-time exploits and flaws so they understand what the consequences are. If not you could always use a crayon and paper... it's how I taught my mother to use email. :)
  • by qualico ( 731143 ) <worldcouchsurfer&gmail,com> on Tuesday September 21, 2004 @04:06PM (#10312905) Journal
    I'm *not* being serious.

    Although, it sure would be nice on the one hand to have a well written security book for the masses, its equally important on the other to stress that using a professional is a great way to achieve the goals of protection and understanding.

    Maybe I'm just trying to create more job security for myself. :->
  • by eggoeater ( 704775 ) on Tuesday September 21, 2004 @04:06PM (#10312906) Journal
    Sounds like she's also missing a chapter on which OS to use if you don't want to worry about viruses and worms and security holes.
    • Say, like OS X? Or how about
      where OS !="Windows"
    • Common myth: Linux is invulnerable from viruses, trojans, worms, etc.

      The truth: Linux is just as susuptable to all those nasty things as everything else, however, security holes get fixed quicker. However, if a user gets an email with the subject "Awesome Pic!" and the attachment "virus.jpeg.exe" and they open it, it isn't a headache for the sysads because the virus only wipes out their home directory, not the system. The problem comes when you get something like OSX where the user is the admin.
      • Last time I checked, .exe files didn't run on Linux without Wine or something similar. Are you trolling or misinformed, or did you forget to mention that you're assuming a setup in which exe files are automatically opened in Wine or something similar?
  • by Neil Blender ( 555885 ) <neilblender@gmail.com> on Tuesday September 21, 2004 @04:06PM (#10312910)
    Most people, present and future, will probably remain ignorant forever. No book will solve the problem of internet/computer security for the masses. The computer needs to solve it. People just aren't interested.
  • In real life (Score:5, Insightful)

    by Otter ( 3800 ) on Tuesday September 21, 2004 @04:09PM (#10312935) Journal
    Every society develops certain universally-known rules of thumb about safety, from "Don't swim in the muddy water near that rivermouth!" to "Stay clear of the bar where all the tweaker bikers hang out!" Eventually, we'll have universal wisdom about being careful of email attachments and avoiding phishing schemes. But it'll have to happen through word of mouth and Oprah. No one is going to read a book like this.
    • Eventually, we'll have universal wisdom about being careful of email attachments and avoiding phishing schemes. But it'll have to happen through word of mouth and Oprah. No one is going to read a book like this.

      Nobody at all? What if, for example, someone who Oprah happens to know reads a book, learns something, passes it on to Oprah, and Oprah decides to do a show based on it?

      Just because few non-experts will read books about computer security, it does *not* follow that books about computer security wr

    • Safety rules of thumb propagate from parent to child.

      The result is that social knowledge takes a long time to catch up with technology.

      For an example, compare the level of road safety in the USA to the level in countries that haven't had four generations of car experience.

      Internet-connected PCs are way too new for safe usage to be common knowledge.
  • Beyond Fear (Score:4, Informative)

    by savagedome ( 742194 ) on Tuesday September 21, 2004 @04:09PM (#10312939)
    If you haven't read Beyond Fear [amazon.com] by Bruce Schneier, I definitely recommend you should before buying any other security book!
  • How Things Work (Score:4, Interesting)

    by nemski ( 587833 ) <davidATnemskiDOTcom> on Tuesday September 21, 2004 @04:11PM (#10312951) Homepage
    It always amazes me that geeks think that everyone should know how a computer works. Why? Does a automechanic or plumber or electrician expect the same? I hire a guy to fix my brakes, change the oil, install a new heater and air conditioner in my house, and, frankly, I don't want to know how they do what they do.

    Before you drop into identity theft and such, how many people don't even know what they're credit score is? And you don't even need a computer to find that out.
    • You don't have to know how a computer works to be safe, just like you don't need to know about blinker fluid to drive a car, but you should still follow at a safe distance, not drive like a maniac, and use your turn signals.

      There's being an auto mechanic, and then there's being a safe driver. The same thing goes with computers.

      Of course, having just came in the door from a death-defying commute home, I can attest that if there were as many safe computer users as there were safe drivers the problem would b

    • A computer is significantly different than a car, or an electrical system, or any of that. The possibilities for a computer's uses are only limited by system resources; a car can only turn wheels around, and an electrical system can only distribute energy. Computers are also connected to the internet, which introduces a whole new level of complexity. The fact is that for computers to behave like a car or an electrical system, modern operating systems must try to manage all this complexity by themselves.
    • I think that trying to educate the general public about computer security is as much of a lost cause as trying to promote defensive driving on the roads.

      As new technologies become commoditised into everyday use, one would expect society to adapt to cope. Taking the automotive example further:

      (1) We now have insurance companies that thrive with the consequences of misuse, and
      (2) As cars become more complicated and less user-serviceable, mechanics and electricians (with diagnostic equipment) appear in grea
    • Because they get paid for it?How many people hire someone and pay an arm and a leg to fix their computer? More often than not, no one does anything about it, until their geek cousin/friend/nephew comes around, ("It's running really slowly, could you take a look at it?"), who then has to go around fixing it. Done it for at least two people (one of whom is incidentally, an EE engineer who designed VLSI circuits in grad school).I don't mind doing it,but I'm sure there are people who do.
    • Does a automechanic or plumber or electrician expect the same? I hire a guy to fix my brakes, change the oil, install a new heater and air conditioner in my house, and, frankly, I don't want to know how they do what they do.

      Ummm, if your mechanic does not excpect you to know or show you how to check your fluids and keep your car in the correct running order, time to get a new mechanic. YES! Mechanics should show you basic car mantianice. If not, time to find a new mechanic.

      The first time I went to my m
    • Re:How Things Work (Score:3, Interesting)

      by DarkMan ( 32280 )

      It always amazes me that geeks think that everyone should know how a computer works. Why?

      Whilst I don't fall into that catagory, I can explain that attitude.

      I don't use anything that I don't understand how it works, and that I don't know how to construct at least a basic version of it. Thus, I can't design a state of the art VLSI chip, but I could make a transistor, and assemble discretes into logic blocks, and make a basic computer out of logic blocks.

      Same goes for a car, a CRT, plastic bottle, door

    • It always amazes me that geeks think that everyone should know how a computer works. Why? Does a automechanic or plumber or electrician expect the same? I hire a guy to fix my brakes, change the oil, install a new heater and air conditioner in my house, and, frankly, I don't want to know how they do what they do.

      I should think they ought to expect you to know how to change a fuse, check your fuse-box and test a light-bulb and/or be able to debug causes of a leak in your plumbing (unconnected overflow pipe
    • "I hire a guy to fix my brakes, change the oil, install a new heater and air conditioner in my house, and, frankly, I don't want to know how they do what they do."

      Cool, an easy mark... :)

      I know how a computer works, I fix my brakes, change my oil (most of the time), and could install a new heater or AC in a house. Hell, I could do plumbing or electric work. It is not difficult-time consuming if you are not experienced and a waste of money in many cases but I know how these things work or could do them if
  • So let me get this straight:

    I'm supposed to buy a book that I've never seen nor heard of before, judge it by it's cover and it's self-aggrandizing description, then open it and proceed to upload it into my brain without any virus scan for all the tinfoil-hat type text.

    Then, this book will tell me that I shouldn't do on the internet, in email, etc. what they're absolutely counting on me doing in real life? I can't trust those emails and open those attachments and download the contents because it's unsafe?
  • by bennomatic ( 691188 ) on Tuesday September 21, 2004 @04:15PM (#10312997) Homepage
    Messages that are intended to change the way people think about things need to be delivered fast and hard. Think commercials. Or kids book. Or comic books. Grab them, get an emotional response, associate an old behavior with bad feelings, associate a new behavior with good feelings.

    I have not read the book, but based on the description, it sounds like it will be seen as most effective by people who already know what they are doing. With large numbers of anecdotes and not enough focus, it falls firmly under the heading of preaching to the choir; the only people who will probably slog through this book will be people who understand its importance before even opening it up. I've got friends who not only use easy-to-guess PIN numbers and passwords, but when participating in a conversation about the importance of security, they'll even announce their information proudly, as if it's some sort of joke. You don't change those sorts of attitudes with a textbook.

    Maybe security philosophy would be better spread through viral means such as a really funny movie (think the original South Park Xmas Jesus vs. Santa video), or a bunch of jokes that people tell. Here's one that would work on an old friend of mine: Q- What do you get when you take the area code away from your phone number? A- Your ETrade password!

  • It's worse. (Score:5, Interesting)

    by teamhasnoi ( 554944 ) <{teamhasnoi} {at} {yahoo.com}> on Tuesday September 21, 2004 @04:17PM (#10313016) Journal
    A browser is not a 'window to the internet' but IS the Internet to most clueless users. Even though these same people would be able to tell you that, 'No, there aren't little people putting on a play for me inside my TV.', they still don't know the most basic things about using the computer.

    The tower case is the 'hard drive', the monitor is the 'computer', and even after being repeatedly told and shown what the correct terms are, it's gone in an hour.

    My dad is a perfect example. One of the first things he would do on my infrequent visits home, is take off his digital watch and have me adjust it for daylight savings time.

    "Hey, Pops - let me show you how to do this. It's easy."
    "Don't bother, I will never remember. Just set it."

    Ahhhrg. People don't remember, because they don't *want* to. I am constantly amazed at the lengths people will go to in order *not* to learn something.

    • Give them a hint. [thinkgeek.com]

      "No, I will not set your watch."

    • My dad is a perfect example. One of the first things he would do on my infrequent visits home, is take off his digital watch and have me adjust it for daylight savings time.

      Sounds like your dad needs a little "tough love". Next time he asks, just tell him you've already shown him how to do it many times before and that you can't be bothered anymore. Sure, he'll be upset (initially) but he'll either learn to do it himself, or he'll buy another watch with a winder.

      The same thing applies to most folks an

      • or he'll buy another watch with a winder.

        That is, indeed, what he did. :)

        Now I'm holding out for him to return to the hand-cranked phone.

  • by flinxmeister ( 601654 ) on Tuesday September 21, 2004 @04:19PM (#10313032) Homepage
    The systems of today are designed to be usable by the average Joe and Jane, but they aren't designed to be securable by that constituency.

    From a security perspective, "computers these days" are like a nuclear reactor, or a rocket, or the tax code. They're just not manageable by the average person, and the bolt on shells of security that are offered only work to a point. Without a consumer-securable security model integrated from the ground up, you're going to have melt downs, misfires, and botched returns.

    So, a book of anecdotes about "real people" and contemporary information security is almost going to be inherently uninformative. How could you possibly cover all the seams that todays severely limited security models leave open?
    • by Anonymous Coward
      "From a security perspective, "computers these days" are like a nuclear reactor, or a rocket, or the tax code. They're just not manageable by the average person"

      Well Windows' security might not be managable by a normal computer, but there seem to be a whole lot of people surviving just fine with an OS that was designed to be secure and easily usable...
      • > Well Windows' security might not be managable by a normal computer, but there seem to be a whole lot of people surviving just fine with an OS that was designed to be secure and easily usable...

        You mean Linux (or Unix in general) ?

        Easy to use for a realtively technical person? sure. When properly setup, it can even be easy to use for non tech users.

        Securable by someone who isn't technically inclined? come back when you have non technical users understand things like init, rc scripts and the like. Who
    • a book of anecdotes about "real people" and contemporary information security is almost going to be inherently uninformative. How could you possibly cover all the seams that todays severely limited security models leave open?

      You can't, but covering the ones you read about is better than not covering them. Having true stories to relate to your users can make a bigger impact on them than just hypothetical risks that you made up.

  • General Security (Score:5, Insightful)

    by starseeker ( 141897 ) on Tuesday September 21, 2004 @04:21PM (#10313048) Homepage
    I suspect we will never have universal security in the computer world, as long as it takes any effort on the part of the end user. Which leads to several conclusions:

    a) Social Engineering will ALWAYS succeed. Whatever engineers do to protect a computer, they can only protect the user from themselves up to a point. There's no cure for giving someone you think you trust your username and password, for example, and then having them rip of your confidential data. Or for that matter, keeping people from answering emails using information they shouldn't. It's a grim conclusion, but short of warning people not to be trusting nothing can be done.

    b) The machine itself CAN be made much more secure by default. This usually comes at the cost of user-friendlyness, but the username/password/account idea seems to be virtually universal now. The key to making a user friendly secure machine for the average consumer is to set up rules that allow the machine to do everything the user is likely to want to do, and ONLY that. In other words, some form of Mandatory Access Control. This is a pain in the neck for those who want to do lots of complex things on their machine, but I suspect the average needs of the modern user are becoming well defined enough to achieve something. And if applications AS PART OF THE DEVELOPMENT PROCESS create rules for what their program needs to be allowed to do (which can be externally audited to keep them honest) we might achieve a situation where it's difficult to impossible for a computer to be cracked from the outside through technological means.

    c) The bad news is, there's no market for b) and so it's unlikely it will ever happen. People have to be willing to pay the price for security, and I suspect up front cost of inconvenience (either to developers, end users, or both) will be seen as greater than the statistical potential of dangerous information theft. Whether that's true or not I don't know, certainly it varies on an individual level, but it takes herds of users to fund commercial software development and I suspect the average consumer response will be the immediate path of least inconvenience.

    d) Open Source, being outside normal economic constraints, might produce something like b) eventually. But while individual projects might code to such standards, they are probably too high a median to set for casual, unpaid development. Success would require most of the open source community to be willing to do extensive testing and planning for running their software in a MAC environment, and that's not much fun to most non-security oriented developers.

    e) So, in the end, matters will only improve when the costs of electronic theft and attack are so high they raise demand for secure systems to the economic minimum. Whether that will ever happen I don't know. My cynical guess is it won't - we'll just have to live with it. (Individual geeks of course can try to do better, but the internet has become a community. For better or worse.)
  • *cough cough* (Score:1, Interesting)

    by Diordna ( 815458 )
    If you want someone to be free of security problems, have them get a Mac. It's the easiest solution. If anyone here can tell me of an instance of a Mac getting hacked in the last 2 years, tell me and I shall be humbled. On another note, someone has hacked into my XP box and is using it to watch hamsterdance.com 24/7. It's really eating into my connection...anyone know how to ward off an 8-year-old?
  • by Anonymous Coward
    It does not matter how much $$$ and how much technology you put into your security. You can have well trained security response teams, company polices and remedies/punishements out the wazoo.

    If you don't help your employees gain an awareness of what it means to be secure, why it is important, and provide some education to them beyond here is your computer and your Word/Excel/Powerpoint, etc your security policy and situation is bound to fail.

    You need to get with your people, teach them, train them, and h
  • by rufey ( 683902 ) on Tuesday September 21, 2004 @04:30PM (#10313140)
    I just spent the past few days with my spare time cleaning up a friend's computer. It was a mess with spyware/adware and possibly some maleware.

    The advice I gave them is to never download anything from the Internet that seems "cool" or promises "this or that". Sure if you are downloading an update to software you already use, its okay. But you don't need this new cool search bar for IE, a search tool that promises to be intelligent and show (a.k.a. pop-ups) only ads you'd be interested in, and you don't need to keep up with the Jones with every "cool" spyware software.

    Explaining how these things are dangerous has little affect on the "normal" computer user who doesn't know the difference between a DSL/cable router and a hub, who doesn't know how the Internet works (such as how TCP works, packets, routing).

    I've found that simply telling them to not do it is the most effecitve thing I can do. Most users won't understand the technical details. But they will understand if you simply say to not download it because if you do it enough, your computer will become unusable.

    • Explaining how these things are dangerous has little affect on the "normal" computer user who doesn't know the difference between a DSL/cable router and a hub, who doesn't know how the Internet works (such as how TCP works, packets, routing).

      Or like explaining the difference between effect and affect? :)

  • Tech TV?!!? (Score:3, Funny)

    by jonnystiph ( 192687 ) on Tuesday September 21, 2004 @04:35PM (#10313191) Homepage
    I used to watch the station when it first came out. Everytime I was left with the feeling of one of two things. Either these people have little to no clue what they are doing, or they are vastly dumbing it down for the average TV watcher.

    I can not imagine spending money on a book written by these "Computer as soo cool d00d" people. Perhaps I am transplacing thier "on TV" personality with thier real abilities. However, after reading the review, me thinks not so much.
  • un-savvy people (Score:3, Interesting)

    by qtothemax ( 766603 ) on Tuesday September 21, 2004 @04:36PM (#10313203)
    Kind of offtopic, but it really is true the the terms memory and hard drive don't mean anything to most people, and it took me quite a while to realize it. People are always asking me to fix thier computers when they have spyware problems, and are all worried because they have a couple games and mp3s on thier 80 gig hard drive, and think they have filled all the "memory." I have a hell of a time convincing everyone that having used 5 gigs of that 80 gig drive is no big deal and they don't have to delete everything to improve performance, though at the same time I have a hard time convincing them to turn off all the useless apps they have running in the system tray.
  • by OreoCookie ( 814421 ) on Tuesday September 21, 2004 @04:44PM (#10313274)
    IMHO; All operating systems should have an option that can be selected where ALL security options and ALL network configuration is set by the OS, basically saying to the OS "I know nothing about computers. Take care of me." Only if you actively choose to turn this off would you be asked to set anything yourself.
    • this will only work if the same user is willing to accept "i can't let you download that junk / play that game / view that malware-laden web page" when the machine tells them so.

      making a machine that won't get infected by all kinds of crap isn't all that hard; making a machine that won't get infected no matter what the user demands it do for them is impossible. and no user too stupid to take care of themselves is smart enough to accept being baby-sat by any mere machine.

  • by Chuck Bucket ( 142633 ) on Tuesday September 21, 2004 @04:44PM (#10313282) Homepage Journal
    Most Windows admins I know have the book "What you don't know can't hurt you", and they seem to follow that to the letter.

    CB!
  • Another book shallow on facts, because its real intent is to promote a centralised infrastructure? No thanks.
  • Catbert: "Your users are defective. I recommend cat scans."
    [later] [holding employee head] Catbert: "This one is defective too."
  • Just to clarify the status of author Becky Worley and the TechTV network... This book bears the TechTV logo as it was part of her work at TechTV to put out the book, in the same way Leo Laporte co-wrote his almanacs with the entire production staff of The Screen Savers and Call For Help. Becky was an on-air personality for TechLive who occasionally contributed segments to Fresh Gear as well. On May 28 of this year, Comcast after owning the network for about 3 weeks merged it with "G4: TV 4 Gamers" into "G

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...