If you’re like me, you get lots of spam, and a lot of it harbors a malicious intent. People are constantly trying to get me to cough up user ids and passwords, bank accounts, or unwittingly install malware on my computer. I’m pretty skeptical about email and so far (knock on wood) I’ve managed to avoid falling for them.
For the most part, that’s not hard to do. Most people sending phishing email do an incredibly bad job of mimicking the real thing, so it usually doesn’t look good. Every once in a while one looks really good, but that just gets me more excited to find its tell. And they all have tells … which means that, if you’re really good at looking for them, and extremely diligent, you should never fall victim to one of these scams.
So what does it say if someone does fall for a scam? That they were not diligent? They’re not good at looking for them? That they’re not careful? That they’re untrustworthy? No, it just says they’re unlucky. Because the real people who are not diligent, careful, or trustworthy are those of us who make up the IT community.
Think about cars, for a moment. Who is responsible for the deaths and injuries in auto accidents? We usually look for a driver at fault, of course. Someone who was drunk, distracted, or aggressive who makes the wrong move. They bare the blame and receive the scorn. People take comfort that their own driving skills are superior because they’d never make that mistake.
Yet the auto manufacturers have also deserved a lot of the blame. Ralph Nader railed against the shoddy safety standards of manufacturers in front of congress and in his book “unsafe at any speed.” Steering columns would impale drivers in accidents, even though the designs for a collapsing column were known since the 1930s. Sweeping federal regulation introduced in the late 1960s to impose safety standards have saved over a half-million lives, even of people who were “at fault”.
Right now, personal computers are at the point cars were in the 1950s, with seat belts that don’t do much (when worn!) and IT occasionally throwing its arm in front of users in the other seat to try to save them in a crash.
Sure, It’s easy to blame the driver for all the carnage in auto accidents. Just like it’s easy to blame hapless phishing victims who have a moment of inattention or lack of skepticism and fall down a security rabbit hole. We all feel like we’re smarter than that. Regardless, software vendors can and should do a whole lot more to make their customers safe, so that a momentary lapse doesn’t have such dire consequences.
You may say that computers, like cars, cannot be made perfectly safe. That’s true. But just like auto manufacturers were more interested in more chrome and bigger fins instead of hard to see safety improvements, the software industry is more interested in the next unicorn than dull work making payments safe, identity secure, and home computers resistant to malware.
Until Windows won’t run programs sent in email, until Adobe doesn’t have another zero-day exploit, until banks all require e.g. two factor authentication to move money around, then computers are also unsafe at any speed. We in tech can train people to try to be safe. We can tell them about the risks. We can chide them when they’re scammed. But we cannot wash the spot of blame from our own hands, no matter how hard we scrub. Blaming the victim is just a way to distract ourselves from our culpability.