Cormac Herley of Microsoft recently wrote a paper about why users reject most of the security advice given to them, and he seems to think they have good reason to. There's a problem, of course: for starters, the guy works at Microsoft. Why is that a problem? Because he's biased - he's operating on the assumption that every user is running a Windows operating system on their computer.
For the most part, he's correct. Most people run Windows, because computers running Microsoft Windows are the least expensive computers on the market. And most people, even though several alternatives are available, surf the internet with Internet Explorer, the most insecure web browser available. With these two facts in mind, he is also correct when he states that, for most people, creating a new password every few months and making it extremely secure with numbers, symbols and a mix of upper- and lower-case characters is a waste of time and effort.
Why is it a waste? Because if you have a secure password but you browse with Internet Explorer on a Windows computer and view a website carrying an advertisement that automatically drops a trojan or spyware onto your system through flaws in Adobe Reader and JavaScript, it doesn't matter what kind of antivirus protection you have, and it doesn't matter whether you have kept your computer current with every Windows security update available.
Lately, with the more complex spyware out there, it doesn't even matter if you keep Adobe Reader, Java and Flash up to date, because your updater has already been compromised and is now delivering additional spyware to your system, including keyloggers that record your usernames and passwords and pass them on to the author of the software or the person deploying it.
And if your eyes started to cross while reading that paragraph and you are bored and want to go read something else, that is exactly why your computer is infected. The majority of the security information out there today is too difficult for the average user to comprehend. It's also too much work to keep a Windows computer current with all security patches; to keep a working antivirus program patched and scheduled to scan your system periodically when it is idle; and to keep more than one spyware removal tool up to date and scheduled to scan periodically as well. It's too much work to figure out which web browser is the most secure (currently Google Chrome), and too much work to research the latest trends in exploits and find ways to protect against them.
But as the Microsoft researcher also points out, if a keylogger can so easily capture your super-secret password, what's the point of making the password secure? If most people's computers are compromised using social engineering tricks (diverting them to a page that offers a free iPod for filling out a survey with their personal information, including their e-mail address, for example), what's the point of keeping antivirus up to date?
Most people are not even aware that free antivirus is available that is superior to any of the products you have to pay a yearly subscription for. Most people don't even know that antivirus software typically can't detect the spyware that is the real source of infections today. Most of the old security advice doesn't really help today's user base.
I have two answers for two different types of people. If you are the kind of person who understood and bothered to read most of this article, you may want to take a look at Linux. There are many flavors out there; Ubuntu and Kubuntu are the two most user-friendly and easiest to try or install (Kubuntu is the more "Windows-like" of the two). You don't have to wipe out Windows to install them, and you can even try them without installing them at all.
If, however, installing an alternative operating system on your computer sounds like I just spoke Greek, and you are worried about the security of your computer, I strongly, strongly encourage you to buy a Macintosh. "But they're too expensive!" you cry. Not true: once you add up the price of a yearly antivirus subscription for three years, factor in the expense of bringing your computer to a repair technician at least once a year (which is the average) and various other extraneous expenses, you will find that your $400 Dell actually costs you about the same as or more than a $999 MacBook.
But forget about that - what about the price of your time? People understand this subconsciously but don't seem to bring it to the forefront of their mind when they make a purchase, especially a technology-related one. In many cases all they see is the initial price tag; they don't think about how much time they will spend on the phone with technical support when something doesn't work right.
And let's be blunt: when it comes to Windows computers, something doesn't work right on a REGULAR basis. Just got a new PC and want to set up your old printer? There are people who spend over 8 hours trying to get it working, only to give up and buy a new one at the local computer store. If your pay rate at work is roughly $8.00 per hour (most people earn more than that) and you spend 8 hours on the phone trying to get an obsolete printer to work with your new PC, that's $64.00 of your time. You can purchase a new printer for less than $50 if you look for a good deal.
So take this example, factor in how much your time is worth per hour and how many days on average you spend on your Windows machine trying to get something to work that just won't, and multiply those numbers together. $999 for a MacBook ought to look REALLY good right about now. Why? Because you won't need to spend anything close to that much time getting things working - Apple products typically work with very little setup on the part of their owners, and it is rare for something to go haywire.
I'm a computer nut - I like knowing how they work, and I don't mind spending hours getting into the nuts and bolts of things, kinda like how a car enthusiast doesn't mind tearing apart their engine. I enjoy the challenge of fixing my computer, but I do not deliberately put my computer in harm's way, because I have a finite amount of free time available to fix it when things do go wrong. I also understand that most people have no desire to do what I do. This is why I am making this recommendation: seriously, do yourself a favor and get a Mac. I'm not an Apple fanboy (far from it), but I recognize that the Mac is the best computer for the average computer user for multiple reasons, security being one of the most important. [End Rant]
Addendum: Recent events, including the yellow-tinted 21" widescreen monitors on the iMac, the yellow patches found on iPads and the latest frenzy over the iPhone 4 antenna, have made me begin to recant my recommendation of Apple products. It is also important to bear in mind that as more Apple products become mainstream, they become a bigger and more enticing target for malware developers. Apple at this time likes to pretend its systems are invulnerable to attack, but this is simply untrue; they are merely too small a market for the major malware developers to go after, and that may change with the popularity of products such as the iPad. Consequently I cannot recommend Apple as heartily as I used to, although they are currently still producing the easiest-to-use systems for those who are not computer savvy.