When you write about complex subjects such as security for a mainstream publication like The Washington Post — as I did for so many years until very recently — you sort of have to assume that a non-trivial number of your readers don’t have the strongest grasp of technology and security issues. But I’m curious how krebsonsecurity.com readers would describe their level of comfort with computers and the steps it takes to remain safe online.
Last week, Jerome Segura, a security analyst at ParetoLogic of Victoria, B.C., Canada, published a lighthearted blog entry in which he splits computer users into four basic classes:
-Extra-cautious (paranoiacs)
-Those who somewhat understand
-Those who are over-confident
-Security-conscious folks
Segura also suggests the delineations between these groups may break down along generational lines (pre-boomers, the early boomers, the 70s and 80s users, and the 90s to the present). I’m sure plenty of people would disagree with both of these sets of generalizations. I would add a 5th group, to describe the most recent generation, which I’d label the “complacent” or “invincible.” These users — typically in the teenage to young adult age group — often see security as something that’s optional.
Which type of Internet user are you? Pick the answer that best describes you in the poll below. Don’t see a match? Leave a comment and tell us which category is missing.
[poll id=”2“]
I’m confident, but I don’t want anyone to “bring it on.”
If they do, however, I can just reformat and reinstall Windows. I do that three or four times a year anyway…
I chimed in as confident as well.
FF with NoScript, java/adblock and all the rest of the usuals that a security minded user should have. But as others have said, I chose ‘confident’ simply due to my comfortable paranoia and the counter/preventative measures that I have in place.
I also marked myself as confident, but don’t want anyone to “bring it on”. I run FF w/ No Script + AdBlock on Linux and Windows 7. I’m probably a bit paranoid though, submitting most downloaded executables to virustotal and Sunbelt Sandbox before running them. However, I’ll trust the applications installed through apt-get or from a well known provider such as MS or Adobe.
I agree with others that I don’t fit in any category. I am a long time reader of Security Fix. As such, I take strong precautions to keep my computer locked down (non-admin account, Firefox with NoScript, anti-virus software, always on top of updates to OS and software, etc.), but I know I can still be hit. I read-up on the latest confidence attacks so I don’t get fooled by phishers, etc., but never feel complacent.
As far as knowledge goes, I am professional web developer, so I am knowledgeable about security from a user’s perspective as well as a site administrator/developer’s perspective (heavily involved with PCI compliance these days). I read other security blogs and magazines for the server/admin side of things and Brian Krebs has been my number one source for the browser/user side for some time.
I very excited about the new blog. Good luck!
I am a wary user not because I don’t understand the technology but because I do understand what can and will go wrong with the technology.
As soon as we get complacent up pops some new attack that no one ever envisioned.
Nothing is ever 100% and that is how I have used computers since my Radio Shack TRS-80 days.
Although I checked “confident,” I think you need a category between “wary” and “confident.” Let me say that I feel confident enough to do a number of things on our PCs & Macs, including maintaining security settings & updates, and confident enough to call in an expert when I sense things aren’t going right!
I voted Wary … which is why I read this blog to find out what’s going on.
Paranoid enough (and apparently not the only one) to disable javascript.
i’m not sure if it’s even worth it to bring this up but i question the utility of a poll about how people feel about security/technology when people’s feelings about such things are often completely disconnected from reality.
Where’s the paranoid option? I don’t even use the built-in M$ Firewall (XP) or the M$ Security Essentials, just on the general “fox and the hen-house” principal.
Wary vote here.
I’m the #2 tech at a busy little SW US repair shop (15 – 30 PCs /week) and we speak with many varieties of computer users and the issue we confront most is the glassy-eyed stare we get when we try to gently but firmly point out that Antivirus (anti-whatever) products are not the answer to acceptable security. But stepping up security measures for novices is a repair shop’s nightmare (time=money). Call me a fatalist but right now I don’t see how anything but a write-protected Windows OS could provide salvation for the masses in the near term. Thanks to Brian and other commentators. Back to work now–gotta go dance with another nasty rootkit.
Like others who have posted comments here, I am confident that my computer system is as secure as I have been able to make it. For example, I run Firefox with NoScript in a Sandboxie sandbox. However, experience has shown that sooner or later something will find yet another vulnerability to exploit, and it might do that before either I or anyone else can create and implement a remedy.
So, I don’t challenge anyone to “bring it on” for the same reason that I seldom participate in “beta testing” anymore. I just don’t want to devote the time and energy that is likely to be required to deal with the adversity unless and until, of course, there is no other choice.
Brian – I voted ‘confident’ but am actually between ‘wary’ and ‘confident.’ Wary because I know the challenges; confident because I have layer after layer of defense-in-depth.
I agree with Kurt Wismer that in matters of security how we feel can be totally disconnected from reality. A recent true-to-life example: After your Washington Post piece last September on cyber crooks targeting schools, I emailed a private-school client of ours to review their online bank procedures. Their IT director emailed me back that they use 2nd-factor authentication and went on to write that “I can’t imagine this isn’t safe.” I emailed her back, pointing to your earlier piece about the problems with 2nd-factor authentication. Her imagination notwithstanding, the flaws in 2nd-factor had been well publicized during the couple of months prior to her writing that ‘she couldn’t imagine …’.
This ‘failure of imagination’ is, I believe, one of the biggest challenges we in the information security community face helping our clients [or our companies] properly secure their sensitive information. As Will Rogers said: “It’s not what people don’t know that get them into trouble. It’s what they do know that just ain’t so.”
One of the key reasons for the ‘failure of imagination’ is that information security is very arcane and totally out of the normal context of the average business decision-maker. That’s why what you do — writing about this problem in a way that non-techies can connect to — is so very very important.
Keep up the good work!
There are some really terrific comments in here. Thanks to all who responded.
I realize the poll is somewhat lame and limited, but believe it or not it does help to know one’s audience to a degree, and these comments help even more.
There really are only two types of computer users: those who have lost valuable data, and those who are about to…
Am more confident since consciously seeking to be become better informed, and thus, better prepared, via security websites such as Kreb’s.
More confident definitely, but ALWAYS vigilant.
A “comfortable and vigilant” category is needed.
I would rate my use as cautious and conscientious. I have good security skills and software, but am aware that there is always someone looking to take advantage.
zmlp puts it well; I too am confident … but vigilant.
wary and vigilant but knowing that no protection system is perfect, every system is vulnerable.
I say that as a mac user who helps family members who still use pcs, have NO idea what to do, how to do it properly, when to do it, etc … and again I write that knowing that: NO system is invulnerable and no system created thus far is actually user friendly but the marketing makes it seem so.
Most regular non-tech users have absolutely no idea what is going on in their systems or how to protect or fix them, etc.
keep up the great work/carry on from your work at the WP — i hope you continue in the same easy to understand approach. all the uber geek-tech sites exist for terminal users and code heads — it’s folks like me who need your type of expertise in practical language.
I’m wary. I do take precautions (FF, No Script, Request Policy, limited-user account, etc.), but I must confess that half the stuff in your columns is over my head. So while I would like to be confident, I’m not technically adept enough to be there.
Thank you for writing clearly enough that I can follow the other half of your advice.
I’m wary regardless of which OS I’m using. I use Linux, Mac OSX, and several versions of Windows. I run a firewall on all and AV on Linux and Windows. Mostly, I use Firefox with NoScript on Windows though I do think IE8-64 running in protected mode on Vista or Win 7 is about as secure.
I also keep abreast of security issues through several different sources and track malware trends. Most importantly, I practice safe browsing on the net. I will use public WiFi for some things, but certainly not transactions or banking unless I’m going through a VPN.
I don’t consider myself paranoid, just aware of the fact that even after taking all reasonable precautions there is still some risk of compromise, albeit relatively small.
I counted myself among the “Wary” because in my looong years of computer experience (since…gasp…2003) I’ve come to see that the many, many, onion-skin layers of complexity involved with these “machines” seems to be just asking for penetrations of all sorts. Hence, I place confidence in folks like our Brian Krebs here to keep me alert, and who has dedicated a blog to delve into all of this “whack-a-mole” potential.
I like to mention that I’m 78 years old and think that keeping up (“or trying to” in the words of Rob Pegoraro, another top notcher.) is vital for brain tone.
Keep a’ clickin’, geezers! Use it or lose it.
You didn’t have any category for “Confident but Cautious – I know what I’m doing but don’t invite attacks”.
I’m not paranoid, and still I run different applications in different sandboxes. Don’t run IE unless needed for a company website, Don’t run Flash, have Acrobat’s JavaScript disabled.
At the sametime I bypass inane security controls implemented by my company, and publish my life online with every social network you can imagine, although this is mostly automated.
I’m wary enough that I now do any remote computing related to work on a laptop I installed Ubuntu on (and I still run Clam anti-virus and use a firewall). All my on-line purchasing is also through the Ubuntu machine.
If not the Ubuntu machine then I use my Mac (where I also run an anti-virus program and use the firewall).
Even so, I pay careful attention to what I do.
As a prior poster said where is the ‘paranoid’ category? I chose ‘confident’ instead to reflect the degreee of mitigation I employ. I consider myself very well informed about what kinds of attack are possible and consequently run OS X with my own set of firewall rules, Privoxy and a non-mainstream web browser.
I’d switch to a more secure BSD (Apple are proving atrocious at keeping their open source components up to date – see Rixstep’s ‘The Version Race’ article at http://rixstep.com/1/2/20091211,00.shtml) but I’m a sucker for their top-drawer user experience ;o)
Brian, great question – like many I checked “confident” when the more appropriate alternative would be “paranoid expert”. It’s tough to get the appropriate selections into a manageable granularity, good job.
What would be very interesting to me is whether there is a correlation with technical skills, or if ignorance is bliss. Do the folks who are confident really have the technical skills to provide a foundation, or are they counting on a recipe that just applies patches provided for them?
FYI, my own technical level would have me asking “why doesn’t this codec work?” only on the first build after I finished writing my custom driver software for it – on subsequent builds I’d already know why… 🙂 In other areas my past professional experience includes designing and building enterprise security platforms as well as debugging on hardware to the board and chip levels.
Another dimension is confident in the face of what threat or adversary? In the CISSP material the phrase “a sufficiently resourceful and determined adversay” is used, that’s a good yardstick. Is the confidence about herbal viagra vendors or fake a/v scareware, or is it the hostile nation-state actors that sometimes target home PCs of government employees as a way of making an end run around the work security perimeter? So maybe another question might be “who are the attackers you are defending against?” – that, with realistic appraisal of technical skills and confidence level would give a really good self-evaluation of one’s security posture.
Although I voted confident; I believe a more appropriate choice is “Aware: Choose to avoid higher-risk activities”. I’m not inviting malicious users/criminals to bring it on, yet I don’t figure my computer has a virus if it running slowly, either as that for “Wary”.
I recognize many attempts to spread malware and choose to avoid higher-risk activities as I realize I can’t outsmart all attempts to compromise my system/information.
You may be a security/computer expert, Brian, but you need work at creating a decent research question.
:#)
I, too, fit none of the above categories. I’m security cautious. Since I take precautions, I have a level of confidence, but am always on the lookout. But I’m not one who frets every time my computer seems to lag a little.
I would like to think I’m “prepared”, by keeping all apps patched via Secunia PSI, using the Opera browser, SuperAntiSpyware, updating XP each month, and not going to any shady sites.