So when will we admit that it isn't a blow against the Electronic Freedom Foundation to say: "Unlicensed users can use secure browsers on restricted 'information appliances' for surfing. But anybody who wants to run a machine that can be compromised has to demonstrate a minimum competence"?

Such a "restricted information appliance" already exists: It's called a Mac. :) Problem is, it's too expensive...

I've often though that the solution is to simply release a few old school virii into the wild - ones that render infected machine inoperable, and require a re-install. Not only will this decimate botnets, it would also make the affected users think twice about securing their machine next time they re-install windows.

Some serious views!

I agree that certain groups of the people do indeed need licensing to even approach a keyboard.

Unfortunately the society we live in allows anyone access the web nearly anywhere, anyhow.

Is this a bad thing? A large part of my income is generated by incompetent fools at the helm of an OS.

Think of the content that is provided to the world of IT literates at the amusement of others.

Did anyone think of BOFH!!

...some of the people I have to deal with shouldn't be let anywhere near a computer.

Same here. It's frightening really what some people clearly don't understand. Even more frightening are those who have no understanding, but think they are experts. Those kind of people are truly dangerous.

It's hard to know where to begin with this.

PC's are mqarketed/sold/presented as consumer appliances. Ever watched a PC World advert ? And I suspect the selling of security applications are seen in the same way as the 'extended gurantee' scam.

The car analogy is poor. You are forgetting that in 99% of cases the user is the *victim* of a crime - not a perpatrator. You are entering the murky realm of 'contributory negligence' at best.

Sure - it would be nice to turn the net back to the time it was the province of a handful of geeks and university students but .... aren't you the same Guy Kewney who wrote a long ranty article about the time his PC broke and he forgot to save his document ? Or was that Guy Goma ?

Users need (and deserve) secure networks, secure operating systems and the real criminals need to be punished.

(The article then seems to randomly leap onto the unrelated subject of corporate security - as opposed to individuals)

You cannot compare a driving test to a computer competence test. If you behave badly on the road, you may well kill someone. If you allow your PC to send out enlargement e-mails then you may annoy a few people.

Can you tell the difference?

In my university, anyone can walk in and plug their laptop (or even desktop) into the university network and, once the MAC has been registered, is free to do as they like. However, if your computer has one of a number of network spreading or botnet-zombie viruses detected on it, it's cut off until you prove it's infection free. They'll even help you reinstall it, if you want. Surely an ISP can do similar? I know that there'll be arguments of personal responsibility, and economics, but it hurts ISPs as much as the rest of us when a botnet strikes.

As for a secured browser, I've long thought that it might be worth having bank websites only respond to a certain type of secured browser, above and beyond the little padlock icon, in order to prevent phishing.

isn't there a joke about making things idiot-proof, and they'll just invent a better idiot.

Competency tests, and exams are all very well, but people still jump red lights, don't indicate, drive too close etc etc.

In this case, I'm sure the MoD have rules about securing MoD property (irrespective of whether it's a PC or a box of paper-clips) when off-site.

Why does my office have signs on the fire extiguishers : "Do not use these fire extinguishers to hold the fire doors open" ?

Utterly bonkers.

Utterly unpolicable.

There's so much wrong with this idea, practically and ideologically it's difficult to know where to begin. If you want to have a free internet, suggesting that massive government oversight of all users is the way ahead suggests that you regard freedom and security to be in perfect correlation, with security as the driver.

Presumably licenses would be revoked for catching a virus (aargh ! One click and that's my software business ruined !), it's the spammers that the ISP would send the bill when your 1p per email limit is breached and it would all be run by a benign and completely competent goverment organisation.

Unplug em all I say ! Especially those teenage game players.

Driving licenses require different tests for different vehicle classes. Do you propose a similar system based on some aspect of the equipment being used for net access? Would that be hardware? Operating system? Browser? Email client? Something else?

What if I build my own system or write my own software? Would the knowledge required to do this exempt me from any such testing or would everything I built and wrote have to go through some sort of 'networthiness' test? This all sounds like a bureaucrat's wet dream but I don't think the public or the ISPs would wear it.

Computer competence tests are something I've advocated in one form or another for most of my professional career thus far, some 12 years.

How many companies would improve their performance and morale, leaving the IT crew to get on with the important stuff (working on improving things rather than firefighting) if their staff were all competent to one decent, professionally competent level.

A lot of people would fail a common sense test and of course there will be those who complain about human rights being infringed.

I could start on about how people should pass a test before being allowed to breed, as that would be a more useful step in improving society.

One might be missing the point that it isn't a perceived threat nor inconvenience to the user that the author is debating - rather the addition of the users computer to a botnet that can be used again more significant (read valuable) targets.

I'm sure no one here is suggesting that people should be licensed simply so they can prevent a small and usally completely insignificant inconvenience to themselves (as if they cared/noticed I'm sure they would take it upon themselves to do something about it if it were a significant enough problem) as this would obviously be down to them. However, their participation (willing or otherwise) in botnets, etc. is something that needs to be addressed or at least discussed as evidenced by the massively increasing frequency and organisation behind this style of attack (mallicious or otherwise).

Any PC on the ISP's network that is "doing bad things" should have their connection redirected into a sandbox. The user would then be required to submit the machine to an MOT style test - is it fit to be connected to a public open network (road worthy). This check is chargeable, and any "repairs" are also chargeable. If the machine was not "doing bad things", then the ISP must pay compensation.

All machines must have a annual MOT test (just like cars).

All People must have a proficiency test, could be an on-line or VOIP test, to ensure they understand how to "drive safely", "perform routine maintenance" and fix basic problems "change a wheel". This could be taught in schools, like cycling proficiency - teach them when they are young, before they get any bad habits.

What "doing bad things" means in reality is open to discussion - but would be acting as a bot, spamming, spreading malware, etc. It would not be using P2P apps, or playing games.

ISP's would need to be regulated by an organisation with teeth who are not afraid to punish.

There are lots of problems implementing such a scheme, and maintaining it, but just because something is hard to do does not mean we should not try.

"I've often though that the solution is to simply release a few old school virii into the wild - ones that render infected machine inoperable, and require a re-install. Not only will this decimate botnets, it would also make the affected users think twice about securing their machine next time they re-install windows."

I like it. In fact, I think I love it.

Job security!

everyone should be banned from using computers unless they can prove that they are capable of using them competently.

i have the unfortunate job of maning a helldesk and i want to cull my entire user base.

In five years time users will connect through voice or portable devices. There will be even less awareness of security because of the originating metaphor of the telephone.

At the same time, if TelCos hold their control as they do nowadays, those mentioned restrictions could apply simply because they are already built-in by design and nobody complains about that.

I guess the problem is that, in IT, we always looked to translate one experience to another, how many times I heard:Internet <--> Freedom of Expression which does not fit very well, especially now that the Internet has become a commercial workplace.

As for users being held responsible: I do not agree. A car is simple to start and drive. The same should be for computers and their security tools. The fact is that we use mediocre technologies and the level of complexity of modern OSes is rarely understood by their creators themselves. Not that I would go back to the Speccy but... Well 48Kb seemed so much to me!!

G B

No one needed a license or tests when the first cars came along, either, but imagine if no one had to take any tests or get any education about cars these days...

A very partisan and elitist opinion. There is much truth in what you say, but in pandering to your sites demographic, you have comprehensively failed to address the ramifications of your suggestions. A restriction on computer use would result in the stagnation of the technological development that has resulted from the proliferation of PCs across the World. Much fewer and more expensive Killer Apps' would be available, game and CGI development would never have been able to proceed to the levels that they have now due to more archaic technology and higher cost due to fewer sales. Think of the impact of cost and logistics on schools and universities. Also, bear in mind that many of the malware that untraps these less "non-IT industry" mere mortals was written by highly talented, if unscrupulous, software engineers who will just work harder to entrap the brave new breed of licenced users. What is needed in not legislation to stop less talented people from using information technology, but for a worldwide consortium that REALLY takes ownership of problems such as botnets, ID theft and viruses, while relentlessly persuing and prosecuting the perpetrators. Anything else is pure fantasy. If you don't like it, stay beardy, fire up that old 386, and log on to Usenet.

Matt wrote "As part of our SOks compliance all users in the company now have to do a "data protection" test."

Same here - and they add the "if you're found to be willfully ignoring this advice then you're sacked/prosecuted" type notes too - just to ram the point home.

Here's a thought for SteveB/BillG etc - if we have to endure the "Take a tour of Windows XP", why not similarly force users of new installs to take a basic "this is how to operate safer" presentation, (please no flames about MS supplying such a presentation - I run Linux too). And for all those folks who have to reinstall their OSs (journo's etc) just add a small tick-box on the install process that says "Skip security presentation" (default=no). If you're smart enough to want to reinstall, then it's likely that you should be smart enough to know what's good operating procedure.

Or another approach - have your new system operate in a very restrictive mode from day one and then only open up as you show that you need more capability. After all, my ZoneAlarm firewall supposedly watches what I do and then figures out settings accordingly, so I'm just asking for the OS to follow this idea.

@Ken Hagan: I'd willingly give up Admin rights on my XP system if there was someway to "su" when I needed to. Yes, I know I could probably have a separate "Admin" account and use that for software installs, but unfortunately there's a lot of XP programs that just plain fall flat on their ass if you use a non-privileged account. I like Debian's approach in this.

Lastly, what worries me (slightly) is that with more stuff being net connected that these bot nets might - at some point - be used as a vector for cyber terrorism. Hack a 777 and threaten to drive it into the ground, etc. In which case if we all operate with a bit more savvy then, as Guy says, we'll all benefit from a better environment.

"Why does my office have signs on the fire extiguishers : "Do not use these fire extinguishers to hold the fire doors open" ?"

It's because some idiot decided that, because fire doors should always be closed after use, they should not have any way to latch them open during use.

Then, when normal use turns out to involve leaving them open for a few minutes to load or unload heavy stuff by hand, people use the nearest heavy weight that's to hand. Which turns out to be the fire extinguisher.

In other words, it's a consequence of proscription without proper thought towards need. You see it every day in any sufficiently large organization.

Then to "fix" the problem they put stickers on the fire extinguishers but again fail to provide a solution to the *actual* problem of the doors not having latches or wedges provided.

It's at this stage that it all seems not so much a lack of foresight but a lack of any kind of sight at all.

This is why employees sometimes buy their own door wedges.

I have always had a good idea for a common sense test...

You take somebody in to a canteen and get them to choose a hot meal of their choice. The person serving them puts the plate on to their tray and says, "Be careful, the plate is hot." If the first they do is touch the plate then they fail. Simple!

Amen to that!!!

I've long held the opinion that people should have to pass the following basics of being able to use a computer before they are allowed to purchase one:

1. Be able to set up an email account from scratch

2. Be able to install and uninstall a program from a PC

3. Know what a web browser is

4. Know how to add and remove a printer

5. Know the difference between POP3 and IMAP accounts

6. Understand what an SMTP or outgoing server is

I've heard the horrendous howls of the left wing "do-gooders" chanting that this is an elitist view; how many of these people have honestly had to walk people who have no clue beyond how to turn on the computer through the 10 or so minutes to set up an email account which if they had the above skills they would be able to do it inside 2 minutes?

Every day I deal with this and let's not even begin to pretend to understand the amount of people who want to register a domain and have a web site but don't even have basic skills or understand what FTP is or how to write a web site and it's just getting worse. The next person who calls asking me for assistance to upload a site using MS Publisher should be publicly flogged and have the wounds scrubbed with peroxide and steel wool.

Yes, I agree that licensing would take away a large segment of the economy supporting these 'idiots' and their ineptitude to do the basics but I have other things to do over the course of the work day asides from "hand holding and nappy changing". Some of these things that I would be freed up to do would be, chasing users who regularly breach disk quotas, follow up on outstanding accounts and developing documentation.

Irrespective of what your opinion is on this subject; the matter is a problem and one that I believe that must be addressed. It's not an easy subject but one that needs to be tackled all the same.

And you seemed like such a reasonable gentleman when you were on the telly discussing Ipods and such.

Now you're just a mean man who wants to stop anyone who isn't like him from accessing the internet.

Of course - similar requirements for a blogger ... sorry journalist would be useful. The ability to construct a rational and logical argument rather than pandering to an elite group's inflated sense of their own expertise/importance would be a start.

I agree with Mark on this; any restriction on internet use would simply drive the majority of people off the Net, reducing its value as an advertising and marketing platform (thats its main function now), this would drive up the cost of internet access for those still using it.

Most people are actually victims of their computers, it's just they don't know it.

Many laws are framed with a criterion of reasonableness - such as "would a reasonable person expect to know if their computer was being used to help crack the launch codes of ICBMs" Of course the answer is yes - get these morons off the net.

> Indignation is the immediate response if you suggest to any computer user that they should be given a licence to use their PC only if they pass a test. Why is this?

Because it's a stupid idea Guy. As stupid as your delusions about your own ability and competence are. As stupid as your prejudices about other drivers and computer users are. As stupid as the over inflated estimates of the number of machines compromised and part of the so-called "armies of bots" there are. As stupid as sitting pouring over pointless firewall logs bemoaning the "attacks" your computer is fending off are. As stupid as your belief that somehow "online idiots" are disruptive to your life at all, let alone comparable to getting hit by a lorry or crash landing in a plane. As stupid as your belief that you could derive a "competence test" and that it would make any sense or make any difference given that the only thing you could find to compare using a computer too already has a test, several for the 30 ton truck, and is the biggest killer of kids worldwide.

My 8 year old, special to his parents but just an ordinary child, uses a computer, without any AV software installed, and, with nothing more than simple advice. He's never installed a virus, clicked a link that took him to some mythical ha><0r page, clicked a link that asked him for his details which he then has given away. He's never "accidentally" viewed hardcore porn nor has he been subject to any grooming attempts by, you'd imagine, one of the millions of paedophiles that Carol Vordermann thinks is lurking in every online game and website.

He's been using a computer for over 5 years - linux and windows, without any major scene or incident. He can't drive. Think about that. He doesn't own a car. Do the f**king math. Yes, there are 2 reasons why he is allowed to use our computer and doesn't have the keys to the Ferrari. The first reason is obvious to any idiot. Or at least I'd have thought it obvious before reading your article and realising they've come up with a better class of idiot. The 2nd reason is because we don't own a Ferrari.

The number one proof of IT incompetence is using a car analogy. Viz the following from the "Operational Medicine 2001 United States Naval Flight Surgeon Handbook 2nd Edition 1998" - "a person, when talking about IT, computers or the internet, who makes an analogy to driving or cars is de facto clueless about both and yet, ironically, usually believes the opposite. Keep the patient talking, remove sharp implements, call for backup. On no account allow the person near any vehicles or computers you may have on the premises. If all else fails, leave him sitting in reception waiting and deftly take someone else sitting nearby by 'mistake' "

The truth is, any 8 yo kid can use a modern computer safely. It's easy. It's easy precisely because people like you, Guy, have been writing about how difficult it is for decades. You, the computer IT press, are the idiots that MS and others have strived to make the computer usable for. You might have kidded yourself that you were writing on behalf of some other mythical idiots and that you still are now. We're not fooled. We know who you are writing about. Now, the IT industry may not have made a computer or network simple enough for you to use yet, but their years of effort does mean folk of average or above intelligence have no problems now - and haven't for years. Even school kids can manage it now.

The BBC proved beyond any doubt that any buffoon dragged out of BBC reception could answer questions as well as you. If you're lucky enough that they want someone called "Guy Kewney" and you qualify for that I'd keep stum about competence.

What about a licence to use, let's say, a fork? It's immediate danger is a lot worse than the one stemming from using a computer...

MC

Originally my thought was yes, users should have to get a license to use a computer, after dealing with hundreds of people who clearly should not be allowed to use a computer.

Then I started thinking ...... Is it actually the users fault that their computer is infected with malware and currently being used as part of a botnet attack on a large business to extort money from it?

Common sense keeps keeps you infection free, like not clicking on the Free Viagra emails or clicking ok on dialog boxes that say things like "Press OK to close this dialog box" (how many times do I have to tell my users to always use the damn upper right hand cross to close anything that looks fishy) Some people (alot) don't have common sense, and there is not really much we can do about that.

Why do we have operating systems (Microsoft *cough* *cough*) that automatically run anything, allow processes to hide themselves and have "allow all" as a default security rule? Why do we have e-mail clients (Outlook Express *cough* *cough*) That automatically download files, run hidden scripts and generally execute things that should not be able to execute? Why do we have any web browsers (Internet Explorer *cough* *cough*) that allow ANYTHING executable on a web page to be secretly downloaded onto a computer and executed?

Why don't we just get ISP's to issue fines for every spam e-mail relayed from a computer, for every flood packet sent out and any malware that is distributed. That would stop user ignorance to the problems their computers are dishing out. If they have to pay then they will learn about security quick enough

Even if all the questions asked could be answered, I think there are a couple of major flaws being overlooked when controlling access to sites/services online:

1. It would cripple innovation. How can the next facebook* be successful if 'limited' users can't access it without first being authorised by their ISP/security software?

2. People would want to 'unlock' their experience. And this would feed the market for cracked software/machines/ISP accounts. And in those circumstances, those users would then be more at risk of hackers than they are at the moment.

* I use facebook as an example based on it's rise in popularity, not on what I personally think about the site ;)