Today seems to be BBC PC Security reporting day with articles on their web site and on the TV news.
It seems that they conducted a reasonably simple experiment and decided that the results were news. I suspect the real driver is coming from the Get Safe Online campaign though.
If you have a reasonable level of knowledge about IT security then be prepared for a number of cringe moments. Making this complex issue as simple as possible is a real challenge; I know, I’ve tried explaining it a number of times.
What I can’t decide, though, is whether the BBC has done us a service or a disservice in this reporting. The issue is the level of alarm and the target of the alarm.
I’d like people to be concerned and to take the right actions to alleviate those concerns. When we drive on the road we should all be concerned about the safety of our vehicle; being alarmed would be an unhealthy response. When people use IT, I want them to be concerned about the safety of what they are doing.
In car terms, people are taught to check the basics: oil, tyres, windscreen wash, etc. On the BBC coverage they tried for three “do’s” and three “don’ts”. While it’s a reasonable approach to communication, it’s prone to oversimplification and false assurance. One of the oversimplifications was in the TV report, when people were told to use their common sense when opening emails, and not “open” suspicious ones. I have a real problem with the notion of “common sense” in this scenario. This is new technology to most people, so the level of “common sense” is very low and can’t be relied upon. It also raises the tricky question: “If I don’t open it, what do I do with it?”
On the whole I think these reports probably did strike the right balance, just.
One piece of advice that really frustrated me was the level of advice given at the end of the TV news report. The only advice given was to go to Microsoft.com and use the tools there. I’m sorry but that’s terrible advice. It’s terrible for all sorts of reasons:
- Microsoft.com is a terrible place to start. The only obvious link on Microsoft.com is a link to a 90-day trial for Live OneCare. Live OneCare is only available in the U.S. at the moment.
- Microsoft is a product company and wants to sell its products. What about other companies’ products? What about free products?
- How is Microsoft going to help all of those Apple customers?
The Get Safe Online site has a much more rounded approach to security.
Microsoft are probably a bit disappointed that the link to “Microsoft online scanner” on the “Tips to help you stay safe online” article (which is the more detailed article) points to the Malicious Software Removal Tool on the very day that Live OneCare safety scanner is released.