Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

[Stephane Bortzmeyer <bortzmeyer () nic fr>]

On Mon, Feb 12, 2007 at 01:45:41AM -0500,
 Sean Donelan <sean () donelan com> wrote 
 a message of 16 lines which said:

> The important lesson is you can educate people. The content may have
> been bogus,

Right on spot: it is easy to "educate" people with simple and
meaningless advices such as "Install an antivirus" or "Hide under the
desk" or (my favorite, now known by most ordinary users) "Do not open
attachments from unknown recipients". But most security risks do not
require "monkey advices" (advices that an ordinary monkey could
follow). They require intelligence, knowledge in the field, and time,
all things that are in short supply.

The discussion about the NPO who had the choice between breaking stuff
that works because of patches or risking an attack was a very good one
and the "IT manager" at the NPO was quite reasonable, indeed: the aim
is not security (except for security professionals), the aim is to
have the work done and, if you listen only the security experts, no
work will ever be done (but you will be safe).

> If you can come up with a few simple things to do, it is possible to
> reach most of the public.

Sure, just find these few simple things that will actually improve
security. (My personal one would be "Erase MS-Windows and install
Ubuntu". If we are ready to inconvenience ordinary workers with
computer security, this one would be a good start.)