Bruce Schneier makes a solid point in his recent post entitled “Home Users: A Public Health Problem?”, where he states that computers and computer security are much too complicated for the regular home user. That’s most certainly true. No matter how much you “educate” the average user, they’re still going to mess up. Even if they’re working in IT, that’s no guarantee of know-how. There are so many things you can do in IT these days that an IT guy might not even know what a hard drive or a RAM module looks like. You really have to like working with computers to get the way they work and to be willing to put in the time to learn how to protect and operate them the right way.
But then Schneier says ISPs should become IT providers for the home user. In other words, provide real Help Desk support for software installations, router and firewall settings, anti-spyware and anti-virus software, etc. This sounds good at first until you realize there’s a very small step between that and choosing to mitigate damage to the network by controlling what software users can install and use on their computers. What’s to stop ISPs from requiring that users register their computers on their domain (or doing it automatically as users run their software CDs), then pushing down group policies that enforce their rules?
What’s the alternative? Make computers easier to use! Operating systems and the gadgets that go along with them have to become really easy to use. A certain number of security options have to be enabled by default, and those settings have to be able to propagate from the OS down to the gadgets (firewalls, routers, printers, network drives, WiFi devices, etc.) automatically and where applicable. You set it once and it gets set everywhere else. I talked about this in another post of mine, entitled “It’s got to be automated”. Have a look at that as well.
The starting point should be OS X. It’s not the best OS it could be, but it’s a lot easier to use for most everyday tasks than other systems. Even so, it is hard for a normal user to figure out when it comes to security and special protocols like site hosting, file sharing or FTP, and privileges between users in places like the Shared folder.
We need to do away with arcane file names for user groups in operating systems. Privileges should be much easier to set for files, folders and entire drives. Systems ought to be smart enough to know when we’re trying to share something with the firewall up, and pop up an on-screen wizard to assist us. They should anticipate certain things and guide us through.
I say we need to make all network devices manageable directly through the computer, instead of having to log onto them separately. This goes especially for routers. The computer should know there’s a router on the network, and allow us to manage its settings from the control panel, as we would manage a printer, but make it even easier. It should auto-configure it with medium-level security by default and only ask us to choose a password and be done with it.
The solution lies in making better software and hardware.