Is there anything that actually gets users to fix their computers?

Short of turning off their network access, why won't users fix
their computers when the computer is infected or needs a patch?

The University of Massachusetts posted bulletins, sent an email to
all incoming students, included an alert when they connected.
Nevertheless, almost three months after Microsoft released the
critical patch and almost two months after the first Blaster worm
was released over 1,600 students failed to patch their computers.

Eventually, the University started shutting off network access for the
students and charging $3 for the CD with the patch and $25/hour for
support to clean the student's computers.

http://www.dailycollegian.com/vnews/display.v/ART/2003/10/03/3f7cfeb12c8c2
  "Some students told the staff that they thought the University gave
  their systems a virus. "By no means was this a UMass internet problem,"
  said Fairey. "People were probably infected before they got to campus."
  One student threatened to sue OIT, arguing that the offices did not
  have the right to turn off her port. "We have policies that clearly
  state our right to shut off systems," mentioned Fairey. "It's not
  something that we want to do. It's a nightmare."

Hey, it's working! If it ain't broken ....

Related question for network engineers: When did you have your last
medical check-up? To what extent do you follow your physician's
recommendations?

Daniel

Daniel,

> Short of turning off their network access, why won't users fix
> their computers when the computer is infected or needs a patch?

> Hey, it's working! If it ain't broken ....

I doubt this. Recently, I worked with a couple of people that each had their PCs infected. Their own virtual neighborhood complained to them, and they surely were embarrassed about the situation, but... They just did not know how to fix it, i.e. where to start. Call it cluelessness, call it lack of education.

There is that too; but I have frequently observed people not doing it
even when provided detailed step-by-step instructions. On the other hand
they would proceed relatively quickly once "it stopped working",
e.g. the Internet plug was pulled. Some of them would use the instructions
provided, others would get help; but not before "it stopped working".

The most successful tactic I have seen is for providers to block all
Internet access except the one to the site containing the instructions
and the fix. Of course that is often not a viable business proposition....

Daniel

Newspapers have published How-To instructions. In the US, even USA Today
published How-To instructions. The USA Today newspaper is known as
McPaper for a reason. ISPs sent out step-by-step directions, complete
with pictures and screen shots. In addition to full-page newspaper ads
Microsoft has an easy 3-steps to protect your computer.

Ok, not everyone is a computer expert. If their TV, VCR or car started
belching smoke and flames, and they didn't know how to fix it, what would
they do? Take it to a repair shop? If you get a flat tire, pull off to
the side of the road and either repair the tire or call the auto club for
help. You don't continue to drive down the highway on the tire rims hoping
the noise and sparks will just go away.

Sean Donelan wrote:

> I doubt this. Recently, I worked with a couple of people that each had
> their PCs infected. Their own virtual neighborhood complained to them,
> and they surely were embarrassed about the situation, but... They just
> did not know how to fix it, i.e. where to start. Call it cluelessness,
> call it lack of education.

> Newspapers have published How-To instructions. In the US, even USA Today
> published How-To instructions. The USA Today newspaper is known as
> McPaper for a reason. ISPs sent out step-by-step directions, complete
> with pictures and screen shots. In addition to full-page newspaper ads
> Microsoft has an easy 3-steps to protect your computer.

I have not seen much information on this in Dutch newspapers, but perhaps I am not reading the right papers. I surely think that newspapers worldwide should publish on this.

> Ok, not everyone is a computer expert. If their TV, VCR or car started
> belching smoke and flames, and they didn't know how to fix it, what would
> they do? Take it to a repair shop? If you get a flat tire, pull off to
> the side of the road and either repair the tire or call the auto club for
> help. You don't continue to drive down the highway on the tire rims hoping
> the noise and sparks will just go away.

Perhaps an "auto club" for PC-users: You call and within the next 24 or 48 hours, depending on your subscription, an expert would dial in or come by to get you on the virtual road again.

If this was a viable business proposition, it would exist. My experience
is that the product to be maintained is both too complex and too badly
designed and engineered to be readily maintainable. In other words:
This is more viable for cars than for personal computers and more viable for
MacOSX than for Wintel.

I speak from 10+ years of experience as friendly computer expert for the
virtual and physical neighborhood.

Daniel

PS: The health question in my original contribution was serious.

Digression 1: Cars have become less maintainable by the auto club because
of added *proprietary* complexity too.

Digression 2: I also help maintain computers at the primary school my
kids attend. When I started this, the solution that could be
maintained by professionals was all new WIN NT servers and all new WIN
2K workstations. Luckily (sic!) the school could not afford this by a
fair margin. The maintenance offer was "all-in" for a periodic fee.

Now the professionally maintainable solution is based on Linux servers.
This is moving in the right direction both from an engineering and cost
view point. However the maintenance offer is now "buy blocks of support hours
at a discounted rate". My guess is that the substance of the maintenance deal
has not changed; they have just become more honest in selling it. :-( ;-)
So even for a small business this option does not really exist yet.

Back to work

Daniel

Sean,

> Ok, not everyone is a computer expert. If their TV, VCR or car started
> belching smoke and flames, and they didn't know how to fix it, what would
> they do? Take it to a repair shop? If you get a flat tire, pull off to
> the side of the road and either repair the tire or call the auto club for
> help. You don't continue to drive down the highway on the tire rims hoping
> the noise and sparks will just go away.

You've put your finger on it. ISPs have to help users understand that their
machines are broken in a way that makes them unable to gain access to the
Internet -- then most will take them to the shop PDQ, and hopefully get them
back with some protection installed.

Recently my ISP, Time-Warner Roadrunner sent me a letter (in the mail!)
informing me that portscans were coming from my cable modem, and asking me
to respond to them within 48 hours to tell them what action I had taken. I
took care of it, and complimented rr.mn.com on their service in telling me
about the problem.

I don't know what RR's next step would have been had I not acted, but I hope
they would have suspended my service promptly. That may seem harsh to some
users, but they have to realize it when their machines are broken in a way
that may not be obvious to them as users, just as, in some states, people are
forced by law to spend real money to clean up auto emissions. The resulting
widespread outrage might eventually result in better computer software. Over
the last 30 years or so, new-car reliability has improved dramatically for a
similar reason.

My opinion only, not my employer's.

John Renwick wrote:

> You've put your finger on it. ISPs have to help users understand that their
> machines are broken in a way that makes them unable to gain access to the
> Internet -- then most will take them to the shop PDQ, and hopefully get them
> back with some protection installed.

While suspending service is a harsh step, sometimes it is required to get the user's attention. More than that, and as explained to my customers, their service was interrupted because their computer was insecure. The level of that insecurity is unknown by us and we try to protect our users. After all, does the user just have Virus X, or do they have Virus Y which includes a keylogger?

My customers are learning what keyloggers are and what viruses are capable of. Wouldn't you want to know that your bank details can be learned despite the SECURE connection to your bank because a virus placed a keylogger on your computer? It's true. It scares them. Then again, they should be scared. Insecure systems are nothing to joke about. They can cause real damage.

-Jack

Daniel Karrenberg wrote:

> There is that too; but I have frequently observed people not doing it
> even when provided detailed step-by-step instructions. On the other hand
> they would proceed relatively quickly once "it stopped working",
> e.g. the Internet plug was pulled. Some of them would use the instructions
> provided, others would get help; but not before "it stopped working".

Indeed. It seems to be a motivation problem.

"Also, using the net registering system we posted a virus alert and made
information available," said Cunningham. "Most people probably skipped
through it though."

Obviously, this is by no means specific to computer patching. People
are either "busy", lazy, apathetic, etc. Most don't pay attention until
they're forced to; i.e., when their system stops working because a virus
broke it or because their network access is shut off. You can ask
nicely or post warnings a billion times to no avail. Human nature,
perhaps.

-Terry

Terry Baranski wrote:

> Obviously, this is by no means specific to computer patching. People
> are either "busy", lazy, apathetic, etc. Most don't pay attention until
> they're forced to; i.e., when their system stops working because a virus
> broke it or because their network access is shut off. You can ask
> nicely or post warnings a billion times to no avail. Human nature,
> perhaps.

There may be another factor.

Some people do not buy computers to "run firewalls", "get the latest
definitions for their AV software", or "download the latest patches"
anymore than they buy a car to "check the oil", "take it in for the
most recent recall", or "get the radio repaired again".

No matter how many times they are told those are the most important
things about ownership by the people that seem somehow to profit
from their doing so.

I've played the user-notification game myself in fighting hoaxes (do a search on wormalert@somewhere.com sometime--and consider what happens when tens of thousands of people add it to their address book and then forward the latest joke/hoax/virus to everyone in their address book). I used to send auto-replies debunking the hoax--but then they'd report them as spam to their ISP, and their ISP would block my domain. Others would just delete them. Often the only way to get their attention was to send mail to everyone they'd cc'd, and ask *them* to contact the offender.

There is no question that people don't understand their computers. It's all magic to them. The idea that the energizer bunny will appear on their screen when they send mail to five friends is no less likely than the idea that dropping a file on their email icon will bring up a compose window.

But in fairness to the users, this isn't all their fault. They've been told right and left not to open mail from strangers (a completely bogus concept, given that viruses tend to come from friends). What I found was that they take that quite literally. Mail from mailer-daemon (now there's a scary name), mail from postmaster, mail from anybody they don't personally know; gets deleted. And that includes mail from their ISP. They can't tell spam from purchase receipts from viruses from fake warnings from legitimate warnings. Consider the latest "microsoft patch" virus. That was a professional looking job. Do you really expect the user to know not to open that, but to know that the notification from their ISP about their machine being infected is legit?

They either need to be contacted out of band, or their email software needs to support a secure channel of communications that they can really trust.

Kee Hinckley [04/10/03 13:01 -0400]:

> I've played the user-notification game myself in fighting hoaxes (do
> a search on wormalert@somewhere.com sometime--and consider what
> happens when tens of thousands of people add it to their address book
> and then forward the latest joke/hoax/virus to everyone in their
> address book). I used to send auto-replies debunking the hoax--but

For more fun, consider that you are postmaster@somewhere.com, and get those
horrible automated notices sent out by SpamKiller (now Norton [something],
since NAV 2003).

The one that generates complaints with subject UCE Complaint (Original
Subject) and "I have received the attached unsolicited email ..." boilerplate
in the body.

Reply to that and you will, as likely as not, get your reply sent back to you
and your upstreams as a spam complaint.

Sending autoreplies to anything that the teeming mass of lusers out there
send out is practically guaranteed to produce such an effect.

> then they'd report them as spam to their ISP, and their ISP would
> block my domain. Others would just delete them. Often the only way
> to get their attention was to send mail to everyone they'd cc'd, and
> ask *them* to contact the offender.

First, you'd get your email address added to a whole lot of other "cc
everybody on my address book" type lists. Another thing is that you stand a
good chance of mailing a significantly non trivial number of people who are
on that cc list for the same reason that you are - Outlook Express being set
up to add all people that you reply to, to your address book.

> been told right and left not to open mail from strangers (a
> completely bogus concept, given that viruses tend to come from
> friends). What I found was that they take that quite literally.

Say what? I have received virii from people I don't know from Adam, from
countries where I don't know anyone at all.

> They either need to be contacted out of band, or their email software
> needs to support a secure channel of communications that they can
> really trust.

Hotmail, for example, clearly marks mail from hotmail staff (service
announcements etc) with a different colored text in the inbox ... I guess if
you control the client your user uses (using a custom built web interface is
one way, a customized browser / mail client is another way) ...

But other than that, you could well ask for the moon.

  srs

> For more fun, consider that you are postmaster@somewhere.com, and get those

It's the anti-virus ones that drive me nuts. "Someone in your domain sent us a virus which always forges the from line, but we're going to tell you anyway because we'd like you to buy our software..."

> Reply to that and you will, as likely as not, get your reply sent back to you
> and your upstreams as a spam complaint.

When I moved somewhere.com to a new ISP, the very first thing I did was contact the abuse desk there and warn them what to expect. That was helpful when Universal Studios tried to come after me because someone at somewhere.com (literally :-) had posted a stolen movie on usenet. (Only one?)

> on that cc list for the same reason that you are - Outlook Express being set
> up to add all people that you reply to, to your address book.

>> been told right and left not to open mail from strangers (a
>> completely bogus concept, given that viruses tend to come from
>> friends). What I found was that they take that quite literally.

> Say what? I have received virii from people I don't know from Adam, from
> countries where I don't know anyone at all.

Those of us who post widely get that. But your average "just use email to talk to friends and family" is more likely to get it from friends--unless of course they forwarded a joke to everyone in their address book, who forwarded it....

>> They either need to be contacted out of band, or their email software
>> needs to support a secure channel of communications that they can
>> really trust.

> Hotmail, for example, clearly marks mail from hotmail staff (service
> announcements etc) with a different colored text in the inbox ... I guess if
> you control the client your user uses (using a custom built web interface is
> one way, a customized browser / mail client is another way) ...

> But other than that, you could well ask for the moon.

Bringing this back to the more relevant topic. Is there something that ISPs could do to notify users and get in their face more without shutting off their connection? Perhaps a custom piece of notification software that only took signed messages, and made some attempt to keep its bits secure? Unfortunately I don't see much way to keep it from being subverted without OS support. If it became common enough, then the virus writers would just simulate messages from it and disable the real one.

Kee Hinckley [05/10/03 00:57 -0400]:

> Bringing this back to the more relevant topic. Is there something
> that ISPs could do to notify users and get in their face more without
> shutting off their connection? Perhaps a custom piece of

I have seen corporate and university networks that make every PC have PC
Anywhere or its equivalent as part of the standard install, for activity to
be monitored.

In the case of ISP, stuff could be set up in broadband routers that
automatically quarantine a PC if they see any suspect traffic - restrict it
to a subnet where antivirus and OS patches are about the only thing
available, along with a chat window (messenger, or a java applet, or
whatever) that opens up to put you in touch with an ISP tech support guy.

Involves far less work in the long run, if infected boxes can get isolated or
quarantined automatically, as soon as the problem starts.

What is needed is a cheap and reasonably idiot proof IDS plugin - broadband
"routers" anyway do just about everything else, DHCP, NAT, Port Forwarding
etc.

  srs

There are some differences between private networks and public networks.
In a company, the company is the "owner" of the PCs and employees (in the
US) have little expectation of privacy using company computers. On the
public network, generally the customer owns the computer not the ISP.
How far should an ISP go monitoring the activities of their customers?

ISPs can and do notify customers by many methods such as popups, email,
mail, phone calls, knocking on the door, etc. Notification doesn't seem
to be the problem, but of the customer taking action.

And even if the customer is willing, it's difficult for them to tell
if they have actually fixed their computers. Windows XP System Restore
and anti-virus programs don't get along well. Booting Windows in
"Safe Mode" requires dexterity. Most people don't have sniffers
to check what their computers are transmitting. Sometimes it takes
a non-expert several attempts to completely fix things.

So from an ISP's point of view, is there a way for the ISP to quickly
tell the customer if the particular computer is fixed without unduly
intruding on the privacy of the customer? With home networks, there
may be multiple computers behind a NAT/router/firewall. So a simple
network scan doesn't always work.

Sean Donelan [05/10/03 16:49 -0400]:

> There are some differences between private networks and public networks.
> In a company, the company is the "owner" of the PCs and employees (in the

Very true - and that was the context I mentioned this in.

> So from an ISP's point of view, is there a way for the ISP to quickly
> tell the customer if the particular computer is fixed without unduly

Isolate his IP and have all outbound http redirected to a page that
says "please call [escalated tech support number]" to get this fixed.

Seems to be the only reasonably foolproof way.

I think you missed the point. The problem isn't notification.

Customer calls the escalated tech support number and swears the problem
is fixed. Should the tech support person just take the customer's word
that the problem is fixed and turn their connection back on?

What happens a few hours later when you start getting complaints again
about the same customer? Do you turn the connection off again? And
then the customer again swears they have the problem fixed. How many
times do you repeat the process? Other than taking the customer's
word, is there any way for the ISP to verify the customer has fixed
their computer before turning the connection on again?

Sean Donelan [05/10/03 17:44 -0400]:

> What happens a few hours later when you start getting complaints again
> about the same customer? Do you turn the connection off again? And

Sure, turn it off again. And again.

Sooner or later, it will dawn on the customer that no, his system is not
fixed. And in the meantime, both his bandwidth quota (if any) and the ISP's
pipes avoid getting saturated with worms.

Suresh Ramasubramanian wrote:

> Sean Donelan [05/10/03 17:44 -0400]:

>> What happens a few hours later when you start getting complaints again
>> about the same customer? Do you turn the connection off again? And

> Sure, turn it off again. And again.

> Sooner or later, it will dawn on the customer that no, his system is not
> fixed. And in the meantime, both his bandwidth quota (if any) and the ISP's
> pipes avoid getting saturated with worms.

We have a better way - first time they get turned off.

Second time they get turned off and told if it happens again you will be told to get service elsewhere.

Third time their account is deleted.

I am yet to have one that has reached the third time - 85k users here.

/ Mat
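
Added example, not part of the thread and not any poster's code: a Python illustration of the automatic quarantine trigger Suresh describes (act when suspect traffic is seen) combined with the three-step escalation in the last message. The watched port (TCP 135), the fan-out threshold, the flow tuple format and the action names are assumptions made for the illustration.

```python
from collections import defaultdict

# Assumptions (not from the thread): TCP 135 is the port watched, because the
# Blaster worm named above spread over Windows RPC, and 20 distinct
# destinations per observation window is an arbitrary illustrative threshold.
WATCHED_PORT = 135
FANOUT_THRESHOLD = 20

# Escalation from the last message: off, off plus warning, account deleted.
ACTIONS = {1: "suspend", 2: "suspend-final-warning", 3: "delete-account"}


def scanning_sources(flows, port=WATCHED_PORT, threshold=FANOUT_THRESHOLD):
    """Return subscriber IPs that contacted >= threshold distinct hosts on port.

    Counting distinct destinations, not connections, keeps a customer who talks
    repeatedly to one server from being flagged. Behind a home NAT the result
    identifies the subscriber line, not which PC is infected.
    """
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


class StrikeTracker:
    """Remembers how often each subscriber was flagged across windows."""

    def __init__(self):
        self.strikes = defaultdict(int)

    def process_window(self, flows):
        """Evaluate one window of flows; return {subscriber_ip: action}."""
        decisions = {}
        for src in sorted(scanning_sources(flows)):
            self.strikes[src] += 1
            decisions[src] = ACTIONS[min(self.strikes[src], 3)]
        return decisions


def constructed_window():
    """Constructed sample flows as (src, dst, dst_port), using private and
    documentation-range addresses."""
    # 10.0.0.7 sweeps 30 different addresses on the watched port.
    flows = [("10.0.0.7", f"198.51.100.{n}", 135) for n in range(1, 31)]
    # 10.0.0.5 makes 50 connections to a single host on that port, plus web.
    flows += [("10.0.0.5", "192.0.2.10", 135)] * 50
    flows += [("10.0.0.5", "192.0.2.80", 80), ("10.0.0.7", "192.0.2.80", 80)]
    return flows


if __name__ == "__main__":
    tracker = StrikeTracker()
    for window in range(1, 4):
        print(window, tracker.process_window(constructed_window()))
```
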