Point/Counterpoint: Home Users - a public health problem

Point: Bruce Schneier / Counterpoint: Marcus Ranum

I’m sure that many of the things Bruce points out about computers at some point or another applied to automobiles or just about any other technologically interesting and complex device. There was a time, in the early days of the automobile, when any idiot with the money could go 75 mph with no requirement for training, safety equipment, or sobriety - let alone a license. As Bruce says, eventually that kind of thing becomes a public health issue and then society begins to enforce constraints. The question, to me, is whether the whole thing is just a matter of time? Perhaps human societies "learn" about new safety problems slowly and painfully - and we just need time to build new ideas into the popular consciousness.

When I was growing up, there was just one kid in my entire high school who had a computer. Today, it seems that every kid above the age of eight is a Windows system administrator. And some of them are better at it than you might expect. That's because they grew up doing it, and the human brain appears to be able to integrate amazingly complex tasks as "normal" as long as we're introduced to them early enough. My wife, who grew up on horseback, becomes an extension of her horse's body as he infers her intent—whereas I sit on P-nut's back and negotiate every detail of every step on the trail. Bruce, I think the problem is not with all the home users—I think it's with the adult home users.

I see the generational distinction most clearly with my parents. My father still writes using an old Underwood typewriter. My mom has adopted a computer, but she’s exactly the kind of user you're worried about — she clicks “OK” on anything — or used to, and seems to be trying to collect spyware. Thinking about it, most of the generation before mine is pretty uncomfortable with computers, and I was one of the early experimental kids who grew up networking on the ARPAnet and Bitnet. Does that have something to do with the fact that I have always had a good grasp of the concepts of transitive trust and distributed systems? I think it does; I think the analytic parts of our brains, if given a task early on, are able to make sense out of all kinds of insanely complicated things: like walking while chewing gum and talking on a cell phone.

"Educate the user" is an old mantra in security, and its uselessness is one place where you and I agree. I think, though, that building simpler systems is not the answer. The answer is to let the current user population die off! It's going to happen, anyhow. The current generation of kids is going to grow up with the same natural understanding of Nigerian banking practices as you and I have of looking both ways when you cross the street. I was talking to a teenaged gamer the other day who displayed an uncanny detachment about not making any assumptions regarding who or what was on the other side of an online chat. “I don't believe if it's a girl or boy or whatever. Who cares? It only matters when it matters.” That's the sound of someone who is growing up with an early immunity to social engineering.

Forcing ISPs to support home users, or re-engineering computers to be simple enough for us old coots to understand completely misses the point. At the point where enough customers want simple-to-use Internet terminals, a market will develop for them. Arguably, it already has: witness the evolution of handheld PDAs and centralized “no spam” managed free e-mail services. The complexity of the Internet and software systems administration is getting absorbed into the IT infrastructure of Google, Yahoo!, and MySpace. I’m not demanding that Detroit make cars that are simple enough for me to repair; I choose to buy vehicles that are usually reliable, and I outsource the repair work to the mechanic up the street. Perhaps what we're doing is shifting complexity around in our lives: I never learned how to fix a transmission, but I can still scratch-bake a firewall with a custom filtering reverse web proxy in a weekend. I've seen home users who can't manage a Windows XP upgrade, but who can successfully instrument land a jet fighter. We tend to think, “If he’s smart enough to do that, then he ought to be able to handle the Windows upgrade,” but maybe he used up his allocation of techno-smart brain-space in flight school.

Bruce, when you and I are old coots sitting on the porch (next year) you’ll be amazed to see the current generation of kids nimbly navigating their way through software and system configurations that completely blow our minds. Relax; it's just what progress looks like from our side of “over the hill.” Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is, today.