I find Bruce Schneier to be a voice of calm reason when discussing matters of US national security. He exposes rhetoric and overreaction with clear and concise arguments, explaining his position succinctly, and demonstrating why a particular measure will not achieve the desired results. The majority of his writings, except for the books, can be found on his website at http://www.schneier.com/
However, in the case of his essay "Who says safe computing must remain a pipe dream?" (Perspectives, CNET News.com), I believe he fails to see what the real problem is.
First, I agree with some of the recommended steps, while others I must also question. While it is not something that I do myself, I would agree that a normal home user should shut down the computer when it is not in use. His advice for laptops and PDAs is perfect. His advice on backups is also reasonable, though the expectation on how this is to be done is the crux of the real problem. The recommendation to limit the number of applications to only those that are actually used, and to keep them patched, is ideal. The advice on browsers is also the same as what I recommend, not only for the home user, but also for the enterprise user. All ecommerce web sites should be used only after weighing the options; if it can be done easily offline, then the security concerns should probably preclude doing it online, simply because even the best-run, most secure site may give up critical personal or financial information of yours to a hacker, or you may mistakenly give that information yourself to a phisher. I agree with most of the advice about email, except that I found Outlook 2003 to be acceptable. Each home user should have a firewall as recommended, but it is only the Windows OS user who must pay; both Linux and Macintosh computers come with adequate firewalls for free. Even the newer versions of Windows, such as XP SP2, will have an almost acceptable firewall included. The rest of the recommendations may be good advice for a relatively experienced user, but they are beyond the capabilities of most users to implement and follow.
Backups are more easily doable by a home user in Windows than in any other operating system, but it is still too hard, especially the process of doing a restore when the inevitable happens. The backup and restore process was developed for the system administration professional, not for the home user. Performing backups in Linux requires considerable expertise, and is not possible on a Macintosh running OS X without adding a third-party product.
I use all 3 operating systems in my office, and have administered Unix systems going back to 1985 in the enterprise environment. I actually decided to get very serious about information security when one of the first Linux computers I ever installed was hacked within 15 minutes of connecting to the Internet. My personal favorite OS is the Macintosh, especially from the point of view of security, but there is a significant premium at the entry level for the purchase of a Macintosh, in part because it contains a higher security value. I understand the recommendation to delete "command.com" and "cmd.exe", but would be extremely wary of actually doing so, as these programs are not in themselves security vulnerabilities, and are in fact necessary tools. Similarly, setting Windows Update to automatic is not a panacea, as the process fails with a high regularity to correctly apply the necessary patches.
The advice on passwords is partially correct. It is nearly impossible to remember a truly secure password. I have to agree with Mr Gates here: passwords have passed their best-by date, but the technology to replace them is still some years away. So if a user creates a secure password but needs to write it down, the problem then becomes where to store it. It should never be in the same wallet where banking information, such as debit and credit cards, is stored. Storing these items together is like storing a weapon with its ammunition - something is going to get shot, or substantial sums of money are going to be lost, which the bank will not replace due to user stupidity. Perhaps Bruce Schneier did not want to pump his own product, but he has created a password vault tool. I recommend you use it or something similar for storing passwords.
Every user should run antivirus software, and yes, the updates should be installed as frequently as they are available. I object to the automatic update of virus data, as the vendors are generally using tools to perform this update which are themselves vulnerability vectors. Non-Windows OS users should also run antivirus software, even if there are none or nearly no virus vulnerabilities in their OS, as a Windows virus can be harboured in their OS and later transferred.
I disagree with the recommendation on antispyware software. There are not enough reputable firms participating in this effort, and the ones that are reputable are not a complete solution. If the user does not know how to avoid spyware in the first place, they will not be able to adequately combat it even with the best of the current crop of tools. If spyware is a problem, do not use that computer for any ecommerce, and do not keep any information that is important or should remain private on that computer or on any computers also connected to that network.
The use of encryption is second nature to an individual such as Bruce Schneier, but for the uninitiated it is a black art, especially the free versions of PGP. The commercial versions are better, but the problems such as key recovery and backup issues make this impractical for the vast majority of users.
Fred Langa runs the Langa List, which is a twice-weekly newsletter full of tips and advice. This newsletter is targeted at a user who has some familiarity and comfort with the operation of a computer. It is evident that even these users would have difficulty in following the recommendations of Bruce Schneier, but Fred regularly gives relevant advice to try and demystify the process.
There have been suggestions, none truly serious, where a user would be licensed to get access to the Internet following a competency test. If that were to be followed through on, then the concepts noted in this article could form the basis for the practical examination portion where a user demonstrates that competency. Failing a licensing process, computer manufacturers, including OS, software and hardware, need to change their products so that security, not usability, is the prime concern.
At the opening of this commentary I noted that Bruce Schneier failed to understand the nature of the problem. I think the problem of information security for the home user is a result of the complexity necessary for correct operation of current computers. The Macintosh clearly has the lead in being the least complex with the most security. Windows has the highest degree of user-desired functionality, mainly at the expense of those users' security and privacy. Linux has the absolute worst mix from the point of view of a consumer, in that it is complex in terms of both functionality and security. Both Windows and Linux have begun to address some of these security issues, but considerably more needs to be done before the goal of safe computing becomes other than a pipe dream.