Oranges and Lemons

Over the last few weeks, we’ve been looking at various aspects of online security. It’s a big topic, and it’s often difficult to be clear about what’s happening, and what’s at stake. This week we’ll try to provide a few basic ideas about how to judge what makes us safer and what doesn’t.

We rely exclusively on our senses to assess the presence or absence of threats in the world around us. When we get up in the morning, we check the bread we eat for mould, sniff the milk before adding it to the tea, and touch the edge of the mug with our lips before drinking, to make sure it’s not too hot. We look both ways before crossing the road and we listen for oncoming traffic. We hesitate to get into a bus that doesn’t look safe. We cover our mouth and nose if there’s too much dust or smoke.

We employ our senses in a multitude of ways without any conscious thought. All the while, in the background, the brain is taking everything in and deciding from one moment to the next how to react to each new situation. For most of us, a typical computer gives us exactly nothing to react to. All we see is a pretty background, a few flashing icons or blinking lights and the Solitaire game in front of us.

When a geek looks at a computer, she sees at a glance what’s happening inside. Those pretty icons are translated into visual clues to the immensely complex interactions happening in the guts of the computer. The blinking lights are like Morse Code, shorthand missives summarising the goings-on in this labyrinth of complexity.

It may look a little uncanny to a normal person when a computer professional does little more than glance at their PC, then announces with perfect assurance that the shnizzle booster needs to be refabulated immediately, or the pernificator won’t survive the week.

It’s all context and experience, of course. To the average person, a computer consists of a screen that sometimes displays what the user wants to see, a keyboard and mouse that sometimes allow them to do what they want and a magic box that never does what they want, but without which the screen, keyboard and mouse cease to function.

If computers are so inscrutable, how are we ever supposed to know when it’s safe to give out our email address, to enter our username, password and credit card number? How do we read the onscreen cues and interpret them properly?

To some degree at least, we need to trust someone to tell us. But knowing who to trust is remarkably difficult. Bruce Schneier, a widely recognised security expert, borrows from economic theory to state that our inability to see what’s happening inside the computer has created a ‘Market for Lemons’.

Says Schneier:

“A used car market includes both good cars and lousy ones (lemons). The seller knows which is which, but the buyer can’t tell the difference — at least until he’s made his purchase…. This means that the best cars don’t get sold; their prices are too high. Which means that the owners of these best cars don’t put their cars on the market. And then this starts spiraling. The removal of the good cars from the market reduces the average price buyers are willing to pay, and then the very good cars no longer sell, and disappear from the market. And then the good cars, and so on until only the lemons are left.”

His conclusion:

“In a market where the seller has more information about the product than the buyer, bad products can drive the good ones out of the market.”

Good security software should be like a well-built house. Once the foundation is laid, the walls raised and the doors and windows hung, we shouldn’t have to worry about these things again. Install the software, configure it sensibly and let it be.

That should be all there is to it. Updates? Automatic, of course. Firewall? Sensible enough to know the difference between an invitation circulated to friends and spambot activity. Nobody wants software that behaves like a yappy dog barking its brains out every time someone passes the gate. Nobody wants the lazy dog either, too dense to realise that the shadowy figure slipping over the fence might be a threat.

The problem is, yappy and lazy dogs are all we seem to have these days. The folks in the Marketing departments of security software makers realised early on that they’d have a hard time selling software that doesn’t appear to do anything. So they created software that focuses more on the appearance of security than on actually providing it. The result is intrusive pop-ups warning us about passers-by on the road and nothing about the burglar in the back yard.

In other words, we buy software that looks like an orange but tastes like a lemon.

What’s to be done, then? If all we have to go by is the skin, how do we tell whether the fruit inside is sweet or bitter? It’s all about knowing who you can trust. This requires a healthy dose of cynicism mixed with a little bit of education.

Do not under any circumstances assume that whatever everybody else is using is going to be sufficient. We’ve already mentioned that the software market encourages lemons, so we can’t assume that a given product is good just because it’s popular. In most cases, it simply isn’t.

Don’t ask just anyone what security software they use. Ask them first whether they get a lot of viruses, and whether their computer runs well for them. If they answer the first two questions adequately, then you can consider asking them what they do to secure their computer. What you’ll likely hear will be as much about safe practices as about software protections.

Another useful metric is the number of icons visible on the desktop and in the system tray. If a user has hundreds of icons visible and dozens of applications running simultaneously then there’s a good chance that they’re not picky about what they install on their computer.

What about when you’re shopping for a new computer or new software? How do you know when you’re being sold a bill of goods?

First, consider the salesman’s motives. With a little care and attention, it’s possible for even the most computer-illiterate to discern whether the vendor is selling you an orange or a lemon. Listen to the interest (or lack thereof) in his voice. If someone can’t briefly explain in plain English precisely what the thing does, what balance is maintained between security and usability, and most importantly what details to watch out for, then odds are they don’t have what you want.

Anyone who simply waves their hands and tells you that their product will do everything you want is being less than generous with the truth. Conversely, anyone who immediately overwhelms you with a barrage of geek-speak hasn’t given enough thought to how mere mortals are going to live with what they’re proposing.

Quite often the best software is simply given away, rather than sold. This may sound strange, but it makes sense. Programmers who care more about keeping their systems running well than about making money are often inclined to share their code with other like-minded developers. Everybody contributes a little and gets a lot. The only way this kind of process works, though, is if the software itself is free.

A lifetime of experience dealing with computer security issues has made one thing clear: It’s more about education and awareness than it is about the tools. There’s no substitute for taking the time to inform yourself about the threats that exist and how to avoid them. As with all things, an ounce of prevention is worth a pound of cure.

And who knows – you just might find that those dancing icons and blinking lights actually start to mean something.