I try not to be depressed by the following thought: Protecting a computer against viruses and similar problems is like protecting a country against bombings and similar terrorist threats. Worry too little about the danger, and you end up exposed to risks you might easily have avoided. Worry too much, and you end up sacrificing the very things—flexibility, freedom, simple peace of mind—you were trying to protect.
Here is the thought that helps me avoid being depressed: In our individual computing lives, we have tools that allow us to set the balance of worry in a way that suits our own risk tolerance and taste. Not all users know about these tools, so here is an overview of some of them, plus guidelines about which threats are serious enough to worry about.
I am talking here about purely personal computers, not those that are part of a big corporate network, where the emphasis will always be on security. And I am talking about PC-style and Macintosh alike. For years, Mac users have felt either sympathetic or (more often) smug about the virus and “malware” concerns that plagued the Windows community, imagining they would remain immune. The reality is that the era of serene isolation is ending, partly because the Mac’s rise in popularity makes it more attractive to virus writers and partly because of technical changes (not worth detailing here) that increase a Mac’s vulnerability to infected documents—and even programs—originally created on a PC.
I take computer security seriously, because twice in nearly 30 years of computing I’ve had big problems caused by infected files. About 10 years ago, someone e-mailed me a Word document containing a virus that the antivirus program I used did not detect. (People use these terms in various ways, but I am using virus to mean malicious code that infects a file and then replicates itself to other files opened or created on the same machine. In theory a virus might be benign, doing no more than propagating itself to other files. But it’s never good when a file is changed without the owner’s knowledge or control. I am using malware to refer to code designed explicitly to cause actual damage, like deleting or corrupting files, or turning your machine into a “zombie” that can be remotely controlled to send out spam or do other bad things.)
I had no warning that anything was wrong, but for days every new file I created in Word—and every old file I opened—acquired the virus too. (That old virus lurked in Word’s “macro” function, a barn door Microsoft has long since closed.) Files I e-mailed to others spread the virus to their machines, unless they had better antivirus software than I did. I never really solved this problem until I started over with a new computer, transferring files only after running them through a high-power debugging program.
The second incident occurred a few years later, when a malware program made its way onto one of my family’s computers and corrupted many program files so they wouldn’t run. Eventually I had to reformat the hard disk, after backing up the data files, and reinstall the programs from their original disks. What a nightmare!
But I have also encountered security systems so intrusive that I simply stopped using them. The latest example is the “User Account Control” feature built into Windows Vista. It is meant to compartmentalize the computer’s functions, so that an intruder who gets control of part of the machine can’t take over the whole thing. But this also means that a normal, legit user has to go through security hoops many times a day, sometimes even for routine operations like copying a file. I finally disabled the function, despite numerous “Mayday-style warnings from Vista, and I see from tech blogs that many other people are doing the same.
Any security policy requires consideration of priority and proportion. Priority: working first on the biggest threats and learning to live with some smaller ones. Proportion: taking some safety measures but knowing when to stop. Think if the Transportation Security Administration grasped these concepts! In the meantime, here is what they mean for computers.
Passwords. By far my biggest worry in my computing life is the loss or theft of financial information. My transactions in China, where I am now living, are nearly all in cash, but virtually every other part of my economic life is online. A decade ago, few people would have predicted that Americans would willingly entrust so much of their wealth, welfare, and credit-card information to online sources. Financial institutions keep coming up with new security tricks, as they should. But the main tool on the individual’s side is the proper use of passwords.
I use the same password for all my financial accounts, because otherwise I would go nuts. But the password is “strong”—at least eight or 10 characters, with upper- and lowercase letters, numbers, and symbols. It follows the rule that it is easy for me to remember but very hard for anyone else to guess. Many people neglect to create strong passwords because they think it’s complicated. But it doesn’t have to be. Take a name and a number that mean something to you and alter them in some systematic, minor way—turn the E’s into 3’s, say, or insert a character like & in the middle or at the end of the word.