Monday, 8 April 2013

Running with Scissors

There are things that we just shouldn't do - like running with scissors.  We can be told not to do them.  We can know intellectually not to do them.  But until we've stabbed ourselves or someone else it just doesn't sink in.

I've been seeing a lot of discussion recently on attack as pro-active defence - especially related to botnets.  The proponents make a good case that they are making everyone safer.  The opponents say that any unauthorised access - even to disable malware - is wrong and must not happen.  In both cases they have the implicit assumption that the people who own the computers that have been turned into bots are also victims.  I think it's time we addressed the elephant in the room.  We should adjust our thinking and stop thinking of them as victims and start thinking of them as part of the problem.

The only reason they have been turned into bots in the first place is that they haven't enabled even the most basic protections on their computer.  They are running with scissors.  They are stabbing people with the scissors.

We can no longer accept this.  Basic protections won't stop a determined attacker, but turning on automatic patching and running a free antivirus solution will stop most of them being owned most of the time.

It's time the software and operating system vendors made it impossible to turn off these sort of basic protections.  And it's time for society as the real victim of cybercrime demanded it.

Phil Kernick Chief Technology Officer