How is Security in YOUR “Friends & Family” Network?

If you’re reading my blog, there’s a good chance you have a technical background or work in the IT industry. Like myself, I’m guessing that most folks who work in IT become known as the “tech guru” in their circle of friends and family. You know you’re the “tech guru” when everyone in your circle automatically comes to you for any problem that is remotely related to technology. I’m sure most of us have received those 12am phone calls.  No, not the ones that wake you up in the middle of the night, but rather the ones about how to get rid of the !#%^&*#@ blinking “12:00am” on the stove, microwave, VCR, etc, etc. 

Note: It still amazes me how difficult it can be for folks to figure out how to set a clock. Although, I’ll admit, there are some devices that stump even me!

Fixing clocks is just lightweight duty as a “tech guru”.  The real work is in playing tech support for all of their computers.  I manage a “network” of machines including mine, my family members’, and even some good friends’ too.  I call it my “friends & family” network.  I’ve done this for years as part of my responsibilities of being the “tech guru” in the family.  Whether it be installing new software, setting up a wireless network, or figuring out how to get the printer working, all of these things fall into my lap.

In my “friends & family” network, I currently manage about 12 machines, as well as occasionally answer questions for a bunch more.  Eight of those machines run Vista, three are still running XP, and one is a Mac (the machine I use for Silverlight development and demos).

While a lot of time is spent just getting things set up and making sure they are working, one area of focus for the family “tech guru” is security. Security is one of the most important features of an operating system.  When we read about security and software, it’s usually in a negative context, perhaps describing the latest vulnerability or exploit that is wreaking havoc in the world.  Microsoft, as a company, has had more than its fair share of security challenges over the years. I don’t think anyone who works at my company can honestly deny that. 

Once upon a time, my job as family “tech guru” was miserable. It was a LOT of work.  Let me repeat, it WAS a lot of work! E-mail viruses, worms, drive-by spyware installs, etc, etc.  Many a Saturday was spent cleaning Aunt Betty’s* machine or educating Uncle Bob* on how NOT to trust those e-mails from the Nigerian prince. (* - names have been changed to protect the innocent). 

Malware (the generic term for viruses, worms, and spyware, etc) has been around almost as long as computers themselves. However, much of the modern craziness for this “tech guru” started up in 1999 with the release of the Melissa virus.  (Which was created by a guy at home in his pajamas in the same small Jersey town that I live in now! Talk about a small world.) Over the next couple of years, the onslaught of malware was overwhelming.  It felt like there wasn’t a day that went by without a headline about one security exploit or another hitting Microsoft customers and costing big $$$ to remedy.

Anytime a major security patch came out, I’d have to call everyone up and remind them to make sure they clicked on whatever they needed to in order to install the patch.  This was virtually a weekly occurrence for a while. Then, I’d always have to worry about whose anti-virus subscription had run out. It wasn’t fun to tell that person they had to pay money for a subscription to “keep the bad guys away”.  Add to that the advent of “spyware”, and new anti-spyware tools with their own subscriptions to remove said spyware. 

Managing all of this was a LOT of overhead for me. Sadly, I came to accept this as just ‘normal’ and part of life dealing with technology.

Things were pretty bad in the early 2000s. A lot of blame was laid at Microsoft’s feet for these issues. I know, as I was at the receiving end of many jabs from friends, family, and customers over the years. Even I, the Microsoft guy, couldn’t defend the security problems that were occurring in products like IE 6. My Microsoft Consulting co-workers and I were all feeling the pain.  Not only did we have to personally deal with our “friends & family” networks at home, but also those of our largest customers at work!  There’s no other way to put it, it was a nightmare.

These days, I can’t complain much about security issues.  It took a while for that to happen.  In 2002, while the bullets were flying everywhere, Bill Gates wrote the now famous, company-wide, “Trustworthy Computing” memo.  In it Bill said:

“Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing [emphasis mine] - or able - to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.”

He then went on to describe some of the actions Microsoft was taking as a company to regain its customers’ trust.   Microsoft went through a historic three-month halt in development on Windows in order to train their engineers on secure programming.  People wanted results overnight.  But things never happen overnight.  The bullets kept on flying. 

Then, in August 2004, things changed.  That’s when Service Pack 2 for Windows XP came out.  XP SP2 was a game changer for my “friends & family” network.  My life suddenly started to get easier.  Sure… nothing’s a perfect fix when it comes to security.  Security is an arms race, and there will always be the need for a bigger and better mouse trap.  However, the monthly, weekly, and daily security incidents started receding. I still stressed every time a new patch came out.  I still had to make sure everyone got the updates.  I still had to be on top of those anti-virus subscriptions.  I still had to keep running all those anti-spyware tools.  Even as a Microsoft employee, my trust was still frayed and tattered.

But then… over time, I noticed something.  Each visit to “check up” on machines in the “friends & family” network started becoming a non-event.  Auto-update was taking care of all the latest patches.  The Windows Firewall was blocking out worms.  The anti-virus & anti-spyware apps were running, but they weren’t finding anything.  Nothing. Nada. Zilch. Zero.  Aunt Betty’s machine hasn’t been ‘re-paved’ since September 2004 when I first installed XP SP2 on it!  We’re talking about a woman who participates in the proliferation of more chain e-mails than anyone I know!  (In fact, I think she discovered LOLCats years before anyone had ever heard of them!)

In 2007, Vista entered the picture.  Vista brought a bunch of new security features with it to the table, including the much-maligned User Account Control (UAC) feature.  I’ve shared my opinion on how I think UAC is the bomb here earlier.  UAC limits application software to standard user privileges until an administrator authorizes an increase in privilege level.  A user account may have administrator privileges assigned to it, but applications that the user runs do not also have those privileges unless they are approved beforehand or the user explicitly authorizes it to have higher privileges.  A side benefit of UAC is that it makes it easier to use a standard user account for everyday use, and then have the user elevate privilege levels for an application when necessary by entering an administrator password.

My mom is set up as a standard user.  A UAC prompt will ask her to enter a password whenever she installs software.  She knows what that password is.  But she also knows that when that prompt comes up and she was NOT explicitly installing something, it’s time to call the family “tech guru” (me).  My mom’s been running Vista since January 2007.  I’ve received exactly TWO calls about ‘having to enter a password’ on her machine since that time.  Just TWO!  Yes… I know that must be shocking to those who criticize UAC. Again, I refer you to my earlier post on this.

Note: For the record, one was when she attempted to install Skype to talk to her grandchildren.  The other was when a website she needed to visit for work wanted to install Adobe’s Shockwave player.
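One way to check the setup described above on a given machine, as an added example that is not from the original post: a PowerShell script that reads the UAC policy values from the registry and reports whether the current account belongs to Administrators and whether the session is elevated. The registry key and value names are Windows' own; the function name and report field names are made up for this example.

```powershell
# Added example: audit UAC configuration and the current session's privilege level.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key

# Meaning of the prompt-behaviour values for standard users and administrators.
$userPrompt = @{
    0 = 'elevation requests denied automatically'
    1 = 'prompt for credentials on the secure desktop'
    3 = 'prompt for credentials'
}
$adminPrompt = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries'
}

# Hypothetical helper: translate a raw registry value into readable text.
function Resolve-UacSetting($table, $value) {
    if ($null -eq $value) { return 'not set (OS default applies)' }
    if ($table.ContainsKey([int]$value)) { return $table[[int]$value] }
    return "unrecognised value $value"
}

# Under UAC an administrator's everyday token is filtered, so IsInRole() is
# true only for an elevated session, even when the account is in Administrators.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists deny-only groups too, so this detects membership when unelevated.
$inAdmins = [bool]((whoami /groups /fo csv /nh) -match 'S-1-5-32-544')

$report = [pscustomobject]@{
    Account           = $identity.Name
    UacEnabled        = ($policy.EnableLUA -eq 1)
    InAdministrators  = $inAdmins
    SessionElevated   = $elevated
    StandardUserSees  = Resolve-UacSetting $userPrompt  $policy.ConsentPromptBehaviorUser
    AdministratorSees = Resolve-UacSetting $adminPrompt $policy.ConsentPromptBehaviorAdmin
}
$report | Format-List

if (-not $report.UacEnabled) { Write-Warning 'UAC is turned off (EnableLUA is not 1).' }
if ($inAdmins) { Write-Warning 'Everyday account is an administrator; the setup above uses a standard user.' }
```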

Anyway, needless to say, my life as a “friends & family” network administrator has gotten much easier since August 2004.  The overhead of managing this stuff is minimal to the point where I don’t even think about it.  That doesn’t mean things are perfect.  I DO read the stories about security issues.  Not as often as back then, but I do read them.  They seem to be more about vulnerabilities versus actual exploits.  I haven’t read too many stories about massive computer attacks taking out a company in the past couple of years. That’s not to say that it doesn’t happen secretly behind the scenes.  (I’m sure it does.)

I may be accused of putting on rose-colored glasses.  But just looking at my own “friends & family” experience, it’s been pretty good. Perhaps I’m suffering from WOMS (works on my machine syndrome)?  Who knows?  It’s possible.  However, my own anti-virus has not found a SINGLE virus EVER since at least 2001!  (Granted, I know not to visit seedy areas of the Internet.)  But then again…  Aunt Betty (who likes to click on every single chain email she gets), same thing!  No virus or spyware issues since XP SP2 in 2004!

Trust can be lost in an instant, but it takes an eternity to earn it back. It took a while for me to trust some of the products my own company made.  Even though things are better in every objective measure since the early 2000s, I accept that some folks will always be skeptical of Windows security.  That’s okay.  But then I read articles like this one from Christopher Dawson at ZDNet:

I really don’t want to use Windows anymore

“Every week, more and more bits of malware seem to be making their way past commercial anti-virus, firewall anti-virus, and ISP anti-virus software. New patches and downloads abound, and I’ve still re-imaged 3 computers in the last 2 weeks due to massive infestations. This is to say nothing of the home computers about which my users are complaining (I feel like getting one of those ThinkGeek T-shirts that tells people, “No, I won’t fix your computer.”)”

Upon first read of Dawson’s article, I had to say, “Really?!  I mean… seriously…  Really?!!”   Dawson claims he doesn’t want to use Windows anymore.  That’s fine in itself.  There are other options out there.  But the reason he gives is the increasing time and overhead he has to spend to manage security issues with his Windows machines.

I’ll add a disclaimer here and say that I may be naive to the overhead in managing the security of a network of machines in an academic environment. However, I think my experience with my “friends & family” network, as well as some of the larger Microsoft customers I’ve helped in the past lends me some credibility here.  I have to admit, Dawson’s article makes me question my own sanity and experience, because his experience doesn’t jibe with what I’ve been seeing. 

So…  what is the point here?  I’m not trying to criticize anyone or deny Dawson’s experience.  It’s possible he does still have a painful time managing his network.  That’s not a good thing for my company if folks are still feeling that type of pain managing malware.  I guess what I want to know is, am I the only one who doesn’t see this as as big of a problem as it used to be?  What have been YOUR experiences managing your “friends & family” networks?  Are you still dealing with a lot of overhead in managing malware on your mom’s machine? Your customers’ machines?  Let me know in the comments!