Five-Year Security Review

Opinion:  Five years after I began writing about security, things aren't as different as you'd think they'd be.

Where does all the time go? It's been five years since I began writing these columns. I thought it would be interesting to look back and see how much things have really changed.

In my inaugural column, I stated my philosophy that it stunk that people had to waste time and money on computer security, and I haven't changed my mind. At least it's clearer now to more people that they do need to pay attention and spend money.

Some of my attitudes have changed. For instance, I used to be bothered a lot more by "researchers" who disclosed vulnerabilities publicly. There definitely still are responsible and irresponsible ways to handle vulnerability data, but the genie's just out of the bottle on this stuff.

But more things are basically the same now as then. One of my very early columns asked why users ignore security updates and then, months later, blame Microsoft when they are attacked through the patched vulnerabilities? This is still a common, dumb attitude: Blame Microsoft vaguely for deficiencies in their patching process, wait, get owned (there's a word I didn't use five years ago). Anyway, it's still the case that the vast majority of compromised systems took inadequate defensive measures.

Today I would argue that companies that take security seriously, put money into protection of their systems and enforce reasonable policies are going to be very hard to compromise - not impossible, mind you, but very hard. Certainly that was less true five years ago, but it was true to a degree.

How much has the spam problem changed? There are good, sophisticated protections from numerous respectable companies that can keep spam out of your mailboxes, even off your network, and they're very good at what they do. On the other hand, the systemic problems are as bad as ever, even somewhat worse: The percentage of e-mail that is spam is more than 90, SMTP authentication has not been widely adopted and botnets still run rampant.

Phishing attacks are really not that different from what they were before; They're still attacking most of the same targets (eBay, Paypal, banks), and their English is still appalling. The major advance now is fast flux networks, which make them much harder to take down.

Early on, I warned users of one of my favorite truisms of computer security, that without physical security, no system is secure. The advances in this are mostly limited to things like disk encryption, which are not nothing, but they're not a complete solution. If someone can get physical access to your computer, there are plenty of ways they can hurt you.

I'll go out on a limb and make another judgment: New computers are much safer than they were five years ago, and users are better-equipped to protect themselves. They have been told to be skeptical of unsolicited communications and they are, but they're unsophisticated about that skepticism.

And even experts are unsophisticated about the protections in Vista, which does a great job of helping users to protect themselves against attack. Five years ago, I was skeptical that education would ever make a real difference in security because of how much ordinary users had to learn. They're not the only ones.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.