sayingWell, I'm running Linux here, with SpamAssasin, and Clam installed, and using AT*T as ISP, with a hardware firewall in my modem, so I think I have done pretty well, but I am new to linux, and still don't feel that I have the security well in hand. And I do have a recent BSIT as well. So it is not simple. If you are a professional network admin, you get access to other admiins through the usual contacts with your peers, and the companies whose software you run. However, a home user, who is not doing this professionally, such as I now, even with a degree, and considerable experience, doesn't have the peer connections that you enjoy, nor is there anyone checking our work, and it is a "hobby", done after work for those not retired, all of which means that learning the full garmet of security required is not within the scope of their (my) use.
This is not an excuse, but simple ignorance, cured through education, or through better design, or both. I prefer the both approach, along with some standard package techniques to help guide the user. For instance, instead of saying use Anti-virus, which we have all heard, and to each of us familiar with computing has some meaning (although I would bet somewhat different meanings depending on who you spoke to), it means virtually nothing to a new owner with a sparkling PC just waiting to explore the web.
How about instead saying something like "your system comes with ClamAV installed. To learn about it click here" during the startup process, with reminders at login until the person goes and reads a bit about it. The base documentation should be breif, and describe what it does, and how to set it up and keep it up to date, with other links to more information. The same interface could support Spamassasin or other antivirus software, and the process itself could be included as the "standard" means of supplying AV products so that new products could have access to the same interface.
Since very very few people, including most system admins really know what a virus or worm does or how it does it, it would seem to me that a simple installation and information process would do wonders for helping safe guard these systems. After all, how many of you know how dynamic linking really works, or even linking loaders (which every one of you uses every day) Do you know how the compilers generate code, and how it is constructed to support linking loaders, or debuggers and what the differences are between released code without debugging information and debugging code? What does a macro do iin a compiler as compared to a macro in an office document? My point is that this is a complex environment, and no one knows everything about it (well there may be a few exceptions), so saying you will punish people for ignorance is an archaic concept, based upon a time when the knowledge that was required in th world was much less, and less arcane. Today, across cultures, across systems that range from spoons to spacecraft, that concept is woefully inadequate. How many folks know all the laws that affect their homes, from plumbing to insulation, to heating and airconditioning, to the wiring and circuit breakers, even the box sizes and how wires are run? Just the electrical code for a house is about 1400 pages in most states. Plumbing is a bit more. Roofing and framing is a set of books the size of an encyclopedia. And our computers have bookcases full. The higher the technology, and the more possibility of death or harm, the greater the legislative burden, not to mention the education required to manage the construction and use of such systems. The automobile has libraries dedicated to their regulations, with many more in the offering today. What happens when we add legislation is that fewer and fewer people have the legal ability to work on and run their own "stuff", and it becomes more and more expensive and less and less free. That is why we all need to aviod the "make a law" syndrome, and is one of the major drives behind FOSS.
And don't should on people, unless you like being shoulded yourself.
Regards,
Les H
