Hello, this is officer support of the ISP Police Department. You say youre worried that someone might try to steal your car? OK, Im going to try to troubleshoot this problem for you, but I need you to do two things.
First, Im going to need you to bring your car down so we can check it out. But I want you to park your car in a poorly lighted lot in a shady part of town. Trust me, we handle this kind of thing all the time.
Now, this second part is very important: When you get to that dark lot, youll need to leave your car running with the doors open. Yes, thats necessary for us to be able to check for problems. After youve done that, walk over to the police department, which is several blocks away from the lot (did I not mention that earlier?), and well try to help you out in the next few hours.
If a police officer did say this to you, youd be outraged. And theres no way that you would do what he or she had asked. But this is exactly how ISPs treat many small businesses and corporate customers when they have problems.
A few weeks ago, I wrote a column about security basic training and how vendors and ISPs need to do a much better job of educating users about security, rather than sending messages that the ISPs will take care of all the problems. It turns out that some ISPs are even worse about educating users than I thought. In fact, I found out that some ISPs actively make their customers less secure whenever these customers call for support.
According to reader responses to the aforementioned column and to eWEEK Labs Technical Analyst Andrew Garcia, who worked as an IT consultant before joining the Labs, it is not uncommon for support workers at ISPs to tell users who call in for assistance to turn off anti-virus programs and firewalls before any help can be provided. I guess virus- and worm-ridden computers are much easier to troubleshoot and support.
I know that Linux and Mac OS users are typically left out in the cold when it comes to support from SOHO-oriented ISPs, but I didnt realize that some ISPs had decided to actively harm Windows users.
But maybe anti-virus programs and firewalls are overrated as security tools. In a response to my column, IT consultant Triona Guidry told me that a support person at an ISP informed one of her clients that he didnt need these kinds of tools because the ISP network already had them.
I would really love to see that ISP network—it must be almost magical. Why, this ISP apparently has been able to pull off a level of network-based protection that would make any corporation or government envious.
Most ISPs have license agreements that indemnify them against everything short of burning down their customers houses (and some probably do go that far), but do they really want to actively harm their customers just to make it a little easier to do a remote scan?
To pull an idea from my Feb. 7 column, isnt there a Glum at these ISPs who will stand up and say, "This is a bad lawsuit just waiting to happen, and no matter what our license says, do we really want to go to court and defend telling customers to turn off features that would have protected them?"
Whats most galling is that theres no need to turn off security applications. I realize that support personnel at many ISPs are not the technological gurus that users imagine them to be, but providing good support in situations where firewalls exist requires just a few extra steps. But no one wants to go through them because people are lazy—and laziness is the root of most security problems.
So, many users end up with systems that are worse off than they were before the call for help was made. And many users and companies dont have an Andrew or a Triona around—someone who will tell you that the ISP advice youve just received is dead wrong and that you need to put your coat back on before you and your PC head back out into the stormy night of the Internet.
Heres my advice: If your ISP tells you that you need to be less secure to get support, then a very good way to be more secure is to get a new ISP.
Labs Director Jim Rapoza can be reached at email@example.com.