By Michelle Delio
2:00 a.m. Aug. 16, 2001 PDT
In a connected world, we suffer from the consequences of other people's computer ignorance.
This summer, inboxes have been filled to overflowing with SirCam-infected e-mails, a hassle even if you don't click on the attachments. And well-protected networks continue to be whacked by constant scans from Code Red-infested computers.
Most security experts lay the blame for the widespread virus and worm attacks on sloppy hardware and software design, and say that systems are designed with far too many unneeded fancy features intended to woo the reluctant buyer but skimp on basic "boring" security.
But aggravated techies have been tossing around the idea that everyone should learn some basic computer competence skills -- and prove it by getting a license -- before their computer gets connected to the rest of the world's computers.
"A computer connected to the Internet is in traffic," Rick Downes of RadSoft.Net, an organization of programmers, said. "Being in traffic demands responsibility, which is why potential users of automobiles are required to take driver's tests to ensure they can handle their vehicles safely both for their own and for other drivers' benefits."
Licenses for computer users may sound good -- or at least mildly amusing -- in theory, but would never work in the real world.
Michael Adams, a retired business law professor, said that licensing computer users would require a "major push" from a politician, and would probably have to be passed on a state-by-state basis, as individual states are in charge of issuing driver's licenses to their residents.
"I suppose letting each state establish the conditions for a computer users' license might defeat the purpose of a unified set of standards, but that's how it would be done, even if by some bizarre twist of fate the order came down from the president," Adams said. "Each state issues its own professional licenses, and computers would probably fall into the professional use category."
New York State requires licenses for, among other professions, workers at racetracks or casinos, people who sell hearing aids, those who repair used bedding, businesses that "take in, count, or hold coins for other businesses," owners of pet cemeteries, and people who dispatch taxicabs. But there is no license for computer users pending, according to a spokesman for New York Senator Hillary Rodham Clinton.
Clinton's representative said that although the senator was strongly in favor of many educational initiatives, compulsory computer education and licensing was not currently on the agenda. "I suppose that if constituents were in favor of it, they could write, call or e-mail the senator's office."
"I've heard from a number of people who think we should formally 'police' the Internet for unpatched computers and 'fine' those who fail to comply," Rob Rosenberger of vMyths, a virus information website, said. "We'll need a global licensing body and digital patrol cars if we ever hope to achieve utopia."
Most experts, including Downes, think that creating a safe and healthy Internet is ultimately the responsibility of computer hardware and software manufacturers.
"We as an industry have single-handedly managed to create the equivalent of the Colt .45 equalizer which is equipped with a barrel that fires in both directions," Jack Danahy, senior vice-president of WatchGuard Technologies, said. "We have put world-class computing power and pervasive networking in the hands of the public, and now we are telling them that this may be too dangerous for them to use."
"We own the responsibility of making the tools safe, or of limiting the ways in which they can use it."
Danahy pointed out that a home PC was never intended to be a weapon; its original purposes were simple and mundane.
"We wanted to read things, we wanted to watch things, and we wanted to order things from catalogs, catalogs that were active, and nifty, and full of color and life. We wanted to talk with our friends, and share ideas, and pictures, and emotions," Danahy said. "None of these activities require any specialized training in the real world, nor should they require any in the ether."
Danahy and other experts believe the computer industry has done a huge disservice to basic computer users by indiscriminately lobbing ever-more complicated programs and increasingly sophisticated operating systems at them.
"When was the last time that Uncle Ed wanted to change the program that he uses to browse Popular Mechanics every week and to get e-mail from his buddies in the old bomber squadron?" Danahy said. "Probably around the same time that he'd sell all of his belongings to live in the woods and experience the plight of the snowy owl."
Most users don't need or understand many of the capabilities that their computers and software now provide. Proof of this can be found in Code Red continuing to hammer away at networks even after a major media blitz warning users to patch all Windows NT and 2000 systems running Microsoft's IIS Web server software.
Since Code Red is still alive and evil, the logical conclusion is that some computer users either can't comprehend the need to patch their systems, or are unaware that they are running Web server software.
"A computer user's license could have dealt with the first issue, and more restricted and clear set of options when installing an operating system could have handled the latter," James Devino, a systems administrator, said. "People need to have a basic working knowledge of technology so they don't interfere with other people's computers. Either that, or techies need to be protected from the clueless."
But Richard Forno, co-author of the new security book Incident Response, thinks that licensing computer users is an idea rooted in good intentions that will never become a reality.
"It'd be like trying to license anyone using power tools, a barbecue grill, or any number of major household appliances ... any of which can also be used by an idiot and can cause serious damage or death to themselves or others."
And licensed or not, Forno said, the "bad guys and idiots" are always going to do things that are contrary to the law or common sense.
Forno believes that the answer is not licensing users, and he doesn't think the problem can be solved by security or system experts running around playing PC paramedic and triaging each new virus event either.
"We need to step back and examine the underlying causes of such events -- attack and deal with the root causes, not just alleviate the symptoms," Forno said. "If the conditions that make macro viruses 'ripe' to occur are eliminated, this whole licensing issue is academic and moot."
Attacking the cause would require cracking down hard on those who write and release viruses.
"It always amazes me how many people want to keep grandmothers off the information superhighway," Rosenberger commented. "The info-nazi crowd seems to complain less about evil hackers and more about unwitting matriarchs. Go figure."
"The individuals or groups that write and spread the viruses, cracks and exploits are ultimately the problem," Gerry Freese of security assessment firm Vigilinx said. "Unfortunately, anonymity, privacy issues, laws and their enforcement are all problems that we need to sort out before we can make any progress against those who would harass and disrupt the Internet. We have a long uphill battle ahead of us."
Most experts also felt the industry needed to build better security into computers and networks right from the start. But they also warn that users may not be thrilled with the end result.
"There has always been a trade-off between performance and security, and unfortunately, productivity will suffer as security increases," Dave Kroll of antiviral software firm Finjan said. "More security will mean changing habits, more steps, passwords and annoying tasks that, in the end, will make the Internet a safer place to be. So we'll all have to adapt."
Given that tradeoff though, maybe computer licenses aren't a bad idea. But then again, computer-savvy doesn't always confer common sense.
"A lot of users don't know the risks, but there a lot of others that just ignore the risks," Menashe Eliezer, also of Finjan, said. "How would you explain the fact that so many system administrators haven't installed the IIS security patch? Even the security updates Web server at Microsoft got (infected with) the Code Red worm."