Why is security (still) a Utopia?

2009-08-01

Per Hellqvist

Symantec
Editor: Helen Martin

Abstract

'I hate FUD just as much as the next guy, but it did serve a purpose. People were more aware ... The sensational headlines kept up interest.' Per Hellqvist, Symantec.


Sometimes I wonder if the ‘good ol’ days’ weren’t just that – good old days. Worms and virus outbreaks were hitting us almost daily. The media used attention-grabbing headlines to broadcast stories about viruses infecting computers around the world. The cynics accused us of fear mongering and of selling our software using FUD (fear, uncertainty and doubt). It seems a little strange to say this, but the craziness actually served a purpose. While ordinary people were reading and hearing about malware on a daily basis, they were also thinking about it. People were talking about security, and interest grew. Computers were patched, attachments remained unopened and love letters unanswered. ‘Anti-This’ and ‘Anti-That’ were invented, firewalls separated the inside from the outside and I used a Hydra in a presentation to illustrate the danger of the multi-faceted threats of Nimda.

In a way, that was how we wanted it to be. I have been in the security industry since the mid-1990s and I have been working hard around the clock to keep security at the forefront of people’s minds here in the cold north. I average around 150 presentations a year and am interviewed in the media every other day (that might not sound like much to many of you, but keep in mind that I mainly cover Sweden). Security is still a hot topic up here, but it’s not talked about as much as in the good old days.

Now, don’t get me wrong – I hate FUD just as much as the next guy, but it did serve a purpose. People were more aware. Today, the bad guys use rootkits to hide inside the computer, infect us using drive-by downloads and have removed all the fancy bling, making my job much harder. Often, the bad guys’ rationale is to steal your money and then use your computer invisibly to attack some other victim somewhere else on the Internet. How do we warn users about invisible dangers? How do we warn about the many dangers that, in reality, won’t bother users in their daily activities (unless their ISP cuts their access)? How can we motivate users to pay for protection against something that will attack someone else – albeit via their computer? How do we persuade them to pay for invisible protection against invisible threats?

The sensational headlines kept up interest. The less you read or hear about something, the less you think about it. As far as computer security is concerned, the more time that has passed since a user last read or heard about something scary, the likelier it is that he will click the next ‘interesting’ thing in his mailbox.

Today’s situation only serves the bad guys – and statistics prove it. Look at the number of detections for new malware items being added to your favourite AV product every day. Look at the number of ‘SQL’d’ websites serving malware. Look at IC3.gov and read about the amount of money stolen from Internet users every year (spoiler: in 2008 it was $264.59 million in the US alone). The bad guys celebrate Christmas every day.

So, why won’t we ever be secure? Vulnerabilities and techie stuff aside, Occam’s razor has the answer: many people don’t care and don’t want to care. Kids I’ve spoken to at Dreamhack (the world’s largest computer game festival, held here in Sweden) don’t seem bothered if they are infected as long as it doesn’t interrupt their gaming experience. They reinstall Windows and then it’s game-on again. Older folk generally tend to take infection as a personal insult and find malware scary. Users in-between find it a nuisance and try to avoid it, but don’t always know how to, and frankly they don’t really care all that much – just as long as they can read their email, pay their bills and browse the web.

So, what do we do? We work even harder to make security software as tough as we can make it and invisible at the same time. People don’t want to care about malware, and they shouldn’t have to. That is our job.
