When you write about complex subjects such as security for a mainstream publication like The Washington Post — as I did for so many years until very recently — you sort of have to assume that a non-trivial number of your readers don’t have the strongest grasp of technology and security issues. But I’m curious how krebsonsecurity.com readers would describe their level of comfort with computers and the steps it takes to remain safe online.
Last week, Jerome Segura, a security analyst at ParetoLogic of Victoria, B.C., Canada, published a lighthearted blog entry in which he splits computer users intoΒ four basic classes:
-Extra-cautious (paranoiacs)
-Those who somewhat understand
-Those who are over-confident
-Security-conscious folks
Segura also suggests the delineations between these groups may break down along generational lines (pre-boomers, the early boomers, the 70s and 80s users, and the 90s to the present). I’m sure plenty of people would disagree with both of these sets of generalizations. I would add a 5th group, to describe the most recent generation, which I’d label the “complacent” or “invincible.” These users — typically in the teenage to young adult age group — often see security as something that’s optional.
Which type of Internet user are you? Pick the answer that best describes you in the poll below. Don’t see a match? Leave a comment and tell us which category is missing.
[poll id=”2“]
What? No novices? C’mon people. This poll is for posterity!!
Seriously, though, it is at least anonymouse.
I voted Wary. But your categories are not well chosen for me. I know enough to know I don’t know enough.
I’m a retired engineer/physicist, and a student.
I’ve audited several courses in practical computer science (4 semesters of Cisco, A+, etc, and hope to take
a course on Windows Server 2008 this semester.)
I read your work almost everyday.
Roy
test
For posterity? What did posterity ever do for me?
π
I too have to say that the categories offered don’t realistically describe me – I’d call myself “Cautiously Invincible”. I don’t run Windows, yet many other dangers lurk that are independent of platform, so I am on lookout for them. And I read your blog, so I try to stay up to date on these issues.
BTW, 2 votes for “Novice” have appeared since your exhortation – were they really Novices, or were they just trying to make your day?
I marked “confident” as the most accurate answer for me. However, I would never say “bring it on.” I;m not sure how serious this poll is — not complaining, just saying.
What happened to the Extra-cautious (paranoiacs)? I am often defined as such, but I have worked with computer for far too long to take security lightly. It is probably the highest priority for me, so much so, I must spend nearly 1/2 my time checking geek blogs and get updates from sources the more knowledgeable IT techs get! I guess that would make me a “Paranoiac!”
Windows is for Losers, well said.
I’m more concerned about privacy than security on the Internet. With Firefox plus NoScript and GNU/Linux, all my ducks in order security-wise.
Just last month I deleted my Facebook account, that took a lot off my shoulder.
Eric Schmidt said that only 10% of Internet users care about security and privacy, all my life I knew that I didn’t fit in lol.
I’m a 52 year old woman and maybe that makes you think I should be in the novice category BUT I know more than my cohorts about computers and security. I went back to school three years ago and earned an AAS degree in computer science. Not exactly an MIT degree, but on the other hand I’m not trying to use the DVD drive as a cup holder.
Could be that novices just don’t read your blog? They are the ones that need the information the most but if they were inclined that way they wouldn’t be novices for very long.
Statisticians call that a “self-selecting sample”.
I have been installing and maintaining computers and computer networking technologies for 30+ years (I sent my first e-mail over what was to become the Internet in 1982). The technologies that most people take for granted today are indeed very complicated. If I have learned anything over the yearss it is to be wary of these technologies because things can and do go wrong.
When it comes to your survey I guess I am Wary Internet user, but I am by no means a novice user — quite the opposite in fact.
Most people describe themselves as confident – not very surprising given that all other categories sound slightly negative and nobody likes to describe himself in a negative way. I guess you will only really find out when you see the comments to your posts.
I come from the Compuserve days, when I used a Brother word processor with an attached modem to get online. I’d have to list myself as confident, considering my age, and my job. =)
I listed myself as confident, but I’m only confident because I’m paranoid.
I’m writing this via nano, and saw your page in w3m. I whitelist javascript per site. Etc, etc. Sure, I use konquerer and firefox+noscript sometimes, but this isn’t my “fun” disk. I dual boot, and swap drives to do so. Nothing on my “important” drive can get screwed up by a virus on the “fun” drive. And if the “fun” debian gets malware I can reimage it without losing anything important.
My first thought was that “oblivious” was an obviously missing group. Then I realized that the kind of users I had in mind (some current or former clients) would be very unlikely to read Krebs on security. If they did, they probably would choose confident. Count me wary-to-paranoid; certainly not bring-it-on confident.
And users’ behavior is different at work and at home. Same wary home user may be an invincible at work.
I’d argue that the overconfident users are enough of an overlap with the youth-of-today, Brian, that your fifth group is not necessary. There are plenty of overconfident users that are careless; security is just not their problem, it’s something that eventually comes because someone else does the work.
Their machine is owned by a Russian bot in either case, careless or clueless.
I don’t fit into any of those categories.
I’m a security practitioner and have been studying security for about 10 years now. I have been using computers for about 25.
The closest category I would fit into would be the “Bring it on.” option – except that sounds too overconfident for me. As an example: I can’t see the results of the poll because I don’t have javascript turned on.
I use computers assuming that I might be wrong about my setup and there might be someone smarter than me out there who is trying to get in. That might actually fit the “paranoiac” category from Jerome. But as the always say: “You’re not paranoid if they really are out to get you.”
I would have voted, but I surf with javascript disabled. “Confident”
Squeek!
Anyway. I found it hard to find my niche, because I’m confident, but I’m also pretty cautious because I know that it’s a jungle out there.
Who moved my cheese?
There’s no category for the security professional. I’ve been working in computer security professionally since 1985; on the internet since about 1979 (when I was a UCLA).
Complacent invisible – that’s good! And that’s them alright! LOL
Security for Windows (l)users – actually the shoe fits. And there’s way too little accent on how leaky unfit operating systems undermine our general security. Security for Windows (l)users sounds like ‘but oh I run a Mac I don’t have to worry Macs are cool’ which of course is the ultimate sucker POV because those people get screwed by social engineering and second grade hacks all the time. But educating the masses is easier if they don’t need to be educated. We devote way too much time to security today. We have to of course right now – but it’s not ideal. I firmly believe things would be dramatically better with only secure operating systems being used to connect to the net.
59 years old and methodically cautious
I, too, see methodical caution in my Internet habits, and I’m 63. I try to keep a healthy perspective regarding how much I don’t know about computer security in today’s sophisticated threat environment. Although I have paid subscriptions to AV, firewall, and anti-malware programs, I think the most important thing I do is conscientiously patch. I worry the most about shooting myself in the foot by inadvertently misconfigured security software resulting in conflicts and reduced protection. I also think it’s important to fight back, so I send my firewall logs to DShield every day.
You write informative, thought-provoking and timely posts, Mr. Krebs. I look forward to reading daily and learning much.
Only one I really fit is the confident option. Anyone that thinks themselves overconfident or invincible, is kidding themselves, and doomed to fail.
Brian: I’m having trouble relating to your categories. I’m very wary, but confident. I listen to a couple of security podcasts per week. I read multiple security feeds per week. I subscribe to a couple of security mailing lists. I’ve developed web sites. I’ve attempted to clean other peoples infected Windows machines. I do my banking and surfing mostly from a Linux OS.
Thanks for your reporting.
Being a Mac, Apple OS-X, only user, I’m less paranoid, but cautious by simply using common sense and the obvious firewall and system check programs. Mostly it’s just check where you go and what you do, and by all means don’t open files you don’t know.
I don’t think we’ll ever have complete secure computers (the Cheney logic). Hackers will always still work to find holes to exploit and Microsoft, Apple, Adobe, Google, etal, will continue to react with patches and updates. It’s the risk you take and the price if you’re not prepared.
I’m unable to participate in the poll because I’m running NoScript. What category does that put me in? How about, “Wary and Educated: PC ISN’T slow today… I’m a SANS GSEC certified IT Technician. Haven’t had malware in years.”
π
I work as the IT Security Advisor for an Aussie Federal Gov’t department (small one), and have been heavily involved in IT for over 25 years; the last ten in IT security. So I’m pretty sure of my ability to protect myself, but not so cocky as to think “It couldn’t happen to me!”. π
So I rated myself as Confident. I have tried various A-V products and settled on the one that I have greatest confidence in, I have a top-notch firewall and other bit and pieces, I practice good (ie, cautious) online behaviour, but most importantly, I test myself and my assumptions pretty regularly, and I stay up-to-date with events from sites like this one.
Brian, the reason there may be very few in the Novice category in your poll is that ours is a pretty small industry. And while I believe you are among the best (if not THE best, IMHO) investigative reporter in this sphere, you’ll forgive me if I point out that you don’t have the audience draw of Bruce Schneier…yet!
So novice users probably haven’t found you, and maybe won’t. Just us pros.
I couldn’t take the poll because it requires Javascript to be enabled. π
Yeah and who can’t find the ‘any’ key?
Invincible because paranoid. I back up my data regularly (thank the FSM for Time Machine), don’t open attachments from unknown people, or people I wasn’t expecting attachments from, and take the other usual precautions.
I’m confident but that’s because I know how to take all reasonable precautions.
I’m a paid professional paranoid who’s been around IT long enough to remember Teletypes and punch cards.
I don’t fit into any of those categories – “bring it on” is overconfident.
I put myself in the category Vigilent But Not Overconfident or Paranoid.
I pay for what I consider to the best antivirus program, rather than using a lesser free program. I keep Vista’s UAC turned on. I have IE8’s SmartScreen Filter turned on. I keep Windows and all applications up to date, including Flash and Adobe Reader. I currently have Java turned off in Adobe Reader.
I’m a wary novice. I can fix most hardware issues and install and remove legitimate software but it comes to recognizing and effectively removing malware I’m in over my head. I do use a linux live CD for online banking.
There was no category for paranoid, which is where I belong. I long ago took your advice and cruise the internet as a limited user. So I registered as ‘confident.’
I am a software developer, and have worked on network protocols, and have used and developed code that uses both Kerberos and secure shell, and others. I have worked on both Linux and Windows.
I see things both from the enterprise level (where we rarely if ever have problems) and from the home user point of view (where people don’t know squat and view the computer as an appliance of sorts, and you have people trying to download “free games”).
I guess what alarms me the most is how blase most users are related to security. I suppose if you never used a credit card # or did online banking, there isn’t as much danger (but you could still give up enough info for identity theft). But most people buy stuff online, and lots of people do online banking.
When we encounter bugs, there is oftentimes a chain of events – one unexpected result can lead to failures downstream that can cause other unexpected behavior. While one might fix it by fixing only one of these issues, that still isn’t very robust – typically I would want to understand the entire chain of events, and break as many of the links in the chain as possible.
Security is sort of the same way – there are multiple levels of protection. I remember the old days before people commonly used firewalls and all of the malware that did port scanning and tried to infect buggy network clients. Now firewalls are much more common, and some people assume that this together with good AV software gives you complete protection. In some ways it is even more dangerous in that it gives people a sense of complacency in that they think that they are no longer vulnerable.
What is most interesting to me now are the phishing and social networking attacks which appear to be far more effective in getting people to infect themselves with malware.