Skepticism and Safety
Welcome to the Internet. Trust no one.
Living in my bubble of tech-savvy friends and acquaintances, it's easy for me to forget that people need to be told this. But then, I get an e-mail from a particular person (who shall remain nameless) warning me about a virus going around in the form of an e-mail attachment entitled "Life is Beautiful." Of course, it's a forward, and I can see the chain of suckers going back several generations. I'm admonished not to open this attachment, because it will (of course) "erase my entire PC!!!"
Now, some of you may remember this little gem. It's one of countless hoaxes that have made the e-mail rounds. Thing is, this one is six years old. No one in this chain of forwards thought to go to Google and search for "life is beautiful" and "hoax." If they had, they would have had ample evidence that they should drop this nonsense. But many people just aren't that skeptical. Luckily, in this case, the worst harm done is a little extra clogging of people's e-mail inboxes.
This lack of skepticism, however, is perhaps the biggest and most intractable security problem we face. You can't code it away. This is the weakness targeted by phishing scams, and it's the reason people give up their passwords when someone claims to be calling from the IT department.
Skepticism, in this context, is a particularly tough thing to teach. Take my friend, here. How do I tell this person not to pay attention to chain e-mails warning of viruses, but do pay attention to legitimate warnings from reputable sources? To the uninitiated, all internet sources look alike. How many times have you heard someone answer the question "Where did you read this?" with the vague "on the Internet"?
And lest you think this just a generational thing, teenagers do this just as much, if not more, than older folks. Just ask a high school teacher. The wacky, disreputable web sites referenced in high school English essays boggle the mind. Maybe these kids as they mature will learn to tell reputable sources from unreliable ones. But maybe they won't. The MySpace generation places enormous trust in the Internet. The amount of personally damaging information they voluntarily post is evidence that they may not see consequences clearly when it comes to the Internet. I'm not sure we're doing a good enough job of teaching them this concept.