If we want secure computers, we have to give up the easy life, argues technology analyst Bill Thompson.
The news that Microsoft is going to start shipping Windows XP with its various security features enabled by default should be welcomed, even if it does not solve the bigger problem.
After all, it still leaves tens of millions of users with an operating system that was set up to make it easy for them to play online games and use e-commerce websites, while at the same time giving virus and worm writers lots of ways to attack their computers.
And that is to say nothing of the Windows 98, NT and 2000 installed base, where security is more a matter of hoping and installing third-party software than using anything provided by Microsoft.
But it is a start.
The decision to change the standard installation of XP is a result of this week's fuss about the MSBlast worm, which has infected hundreds of thousands of internet-connected computers and continues to cause problems on the net.
This could get significantly worse on Saturday when infected computers are programmed to send fake requests to the Microsoft website and try to make it inaccessible.
MSBlast is another embarrassment for Microsoft, but it could mark a turning point in how we think about online security.
At last ordinary Windows users will have to do something - actually turn off their firewall - if they want to expose themselves to risk.
So far everyone has been so focused on ease of use and not getting in the way that they have designed and built systems which are intrinsically insecure.
Then it has been left to untrained, unskilled and unaware users to make the changes which limit risks. Few of us, even the technically skilled among us, bother to do this. And few of us do it all the time.
For example, a few weeks ago I was working in an office and wanted to plug my laptop into their network so I could get online. Each time I wanted to do this I had to configure the firewall client on my computer to talk to their server.
One day I noticed there was a wireless network in the office next door that I could connect to a lot more easily.
Unfortunately I had disabled my personal firewall in order to work with the office network, and I forgot to turn it back on again when I started piggy-backing on this other, wireless, network.
The result was that I got infected with the BugBear virus and had to spend a happy hour cleaning my system.
This was my own stupid fault and I am not blaming anyone else. It happened because I took the easy path, tried to cut corners with security, and got caught out.
The spread of MSBlast shows clearly that lots of people do the same.
In this case, an update to Windows that would have prevented infection has been available for over a month, but users have failed to download or install it.
That, coupled with a poor understanding of how to secure their systems with anti-virus software and firewalls, created the pool of vulnerable computers that MSBlast has attacked.
So it is not all Microsoft's fault. As with January's SQL Slammer, responsibility should be split between the software developers and the people who fail to keep their systems as safe as they can be.
Which is why Microsoft's change of heart over the XP firewall is to be welcomed.
Instead of having a desktop computer which is wide open to the net and all its nasties the first time you turn it on, users will have to decide which applications they want to be able to use the net, and which features they want to enable.
This is already the case with Windows Server 2003, the business operating system. Most personal firewalls come set to block everything when they are installed, leaving it up to the user to decide which features to enable and which risks to take.
Now the main consumer operating system will do the same. It will mean that life is a little less convenient, and there are sure to be some people who object to having to wrestle with the firewall configuration, just as there are people who object to wearing seatbelts or crash helmets.
But unlike some security measures at airports which do nothing to enhance passenger safety and simply add to the inconvenience of flying, having a firewall turned on by default could both raise awareness of computer security and stop worms like MSBlast from finding machines to infect.
Now we just need to get to work on writing software that is not so vulnerable to attack in the first place.
Is it worth giving up the "easy life" to make computers more secure? How far do you go to make your surfing safe?
Having been on the internet since 1993, I have seen these threats grow. I have had a firewall installed since 1997 and right at this point of time I am seeing an attempt by the latest threat probing my broadband connected network once every three minutes. I may be an atypical user in not using Microsoft products but may I suggest to all the websites using Internet Explorer specific functions that they are letting business pass them by. Keep to the web standards. I'm not trying to be smug behind my firewall protection but in this stage of the internet's development, you absolutely have to be careful or else you will be involved in someone else's disgruntled statement against the establishment.
Ian Jones, UK
I am a software developer and more and more of my time is spent working with the system administrators making sure all the servers I use at work are patched up to the hilt rather than actually developing software to deploy on them. It's not just Microsoft software either, the Apache web server is also being targeted, which covers all the web servers at work now.
I spent a few hours today trying to help my father sort out the MSBlast nightmare on his PC. If XP had come with the firewall enabled, he would have been OK. The embarrassing thing is that I was the one who convinced him to upgrade to Windows XP from ME, which he did one week ago. I've yet to tell him ME wouldn't have got infected.
Oliver Pyke, London, UK
It's absolute laziness (or stupidity) to switch off (or not renew) anti-virus and security software, leaving your machine open to attack. We lost about two days' productivity this week at work due to MSBlast - most of our 1000 or so machines becoming rapidly infected after our main server failed to stop the worm. This was due to failure by our IT support contractor to update the server software patch in time. All our machines are XP-based.
My 2 XP-based machines at home were, however, a different story. Our kids spend ages on the net, so I am pretty diligent in preventing viruses and removing spyware etc - usually on a weekly basis. The message is simple - let Microsoft automatically update your Windows setup and all will remain well. Of course, this effectively rules out those with pirate copies of the operating system, but so what? Let's face it, viruses are computer terrorism. And these days, people should have learned to be vigilant!
The last sentence about writing software less vulnerable is the most important. Many attacks use the fact that sloppy programming has left buffers unchecked thus allowing carefully designed code to run on unsuspecting systems. User stupidity in downloading "Look at these naked tennis player" type e-mails will contribute to the problem, but the fact that the underlying PC software is badly written is the real key here.
If you were unwilling to install security on your own PC, then many internet features, like e-commerce, would be too unsafe to use. Would you give a credit card number if you thought the server was not secure enough to keep the details secret? Or how about your personal details, would you like those all over the net? We are now in the information age - that information needs to be secure. And in the worst case, your PC might become useless, due to this worm. A firewall and an anti-virus software (both around £20) are most definitely worth it to stop all that.
I use a Mac - without Internet Explorer, but with a personal firewall (part of Mac OSX) and am relatively free from worry. No Microsoft = Much less risk.
Ted Treen, UK
I have been using a firewall ever since I built my first PC, guess what, I have never been infected by one of these internet worms. I suggest people go to www.grc.com and take the free security test to see exactly how secure (or insecure) their PC is. Then download a firewall accordingly, there are a few good ones about that are free.
Online security is something that computer users have not taken seriously for far too long and making the computers easy to use is certainly no excuse. However, a large part of the problem is that Microsoft designs too many features to be "cool" rather than secure. Good examples are the "I Love You" virus which exploits Visual Basic functionality in Outlook and the Office "Macro Viruses".
The security and design of Windows XP should be closer to that which a user would find in Linux, BSD and other UNIX-like operating systems.
Daniel Snowden, UK
The day after I got my broadband connection I went out and bought a hardware firewall that also acted as a router, meaning both mine and my wife's Mac could share the connection. Although I had to learn about the firewall and how to configure it this was a small price to pay (in both time and money) in order to protect our computers. This means that we can leave them permanently connected to the internet in the knowledge that we are reasonably well protected - add in the virus protection software, e-mail scanners and being sensible about cookies and attachments and I think we're pretty much secure. Go out and learn about this security stuff before someone teaches you a hard and possibly vicious lesson!
At work I run two virus checkers and a personal firewall. I back up my work every night. Excessive? I don't think so! While I was working quite happily this week, colleagues were running round repairing the MSBlast damage! At home we use a router with a basic firewall for our ADSL, and I run anti-virus and a firewall. Again, this is well worth it. I'm glad MSBlast has caused so much damage - I hope it prompts people to be more alert!
Paul Madley, UK
The best personal firewall currently available, ZoneAlarm, is completely free and very easy to use. It was a piece of cake to install, it loads when the computer starts up (so I can't forget to start it up) and it allows my normal net use to continue unimpeded. I haven't given up the "easy life"! Maybe PC suppliers should start installing it as standard when they sell a PC?
Bill Thompson is a regular commentator on the BBC World Service programme Go Digital.