Can We Bridge The Security Divide?


Lorna Garey, Content Director, InformationWeek Reports

March 14, 2009


This week I spent some time at the <a href="http://www.sourceconference.com/index.php/source-boston-2009/">Boston Source Conference</a>, attending Christopher Hoff's balanced discussion of cloud computing security and Jeremiah Grossman's take on making money the black hat way, among other sessions. Great quality content, well worth the time, and I'll never look at online banking the same way. This "a little knowledge equals a lot of fear" syndrome isn't new for me -- for years, I've edited security experts like Mike Fratto and Greg Shipley. But Source drove home just how wide the gap has gotten between those who know what goes bump in the dark reaches of the Internet, and everyone else.

The other half of that equation is a conversation recently overheard at my daughter's basketball game (names changed to protect the stupid).

Seems Wilma's neighbor, Betty, lost her job. To scrape by on just Barney's salary, economizing had to be done, and the first vendor to go was Comcast cable TV and Internet. Wilma was recounting how terribly bad she felt about Betty's kids having to go to the library to do their homework, while she had just gotten Verizon FiOS installed. All that lovely bandwidth, just sitting there!

So Wilma sent Fred down to the local Best Buy for one of those wireless access points, one that would reach next door to Betty's house. The nice Best Buy associate sent Fred home with "the latest technology" (presumably 11n), and it took just 10 minutes to set it all up (presumably with no security enabled).

In case you're wondering, no, I didn't ask. First because eavesdropping is socially unacceptable, but also because I've spoken up before in similar circumstances and the result is invariably either A) an invitation to come by and fix the problem, or B) strange looks and speculation on what kind of weirdos she must hang out with.

Still, the episode stuck in my head, and after about 20 minutes at Source it hit me that the "security divide" is roughly equivalent to the gulf between smart economists who had a frighteningly good idea of the likely outcome of those credit default swaps but lacked a forum to sound the alarm, and the schlubs on Main St. happily taking out second mortgages to buy new F150 dual-cabs and flat screens. Like sheep to the slaughter.

What's the answer? The general media could do a much better job of education. I can find hundreds of reviews of the new Kindle. Could we devote some ink to the real risks of unsecured APs and expired antivirus? Sure, WEP/WPA and AV aren't going to stop serious attackers, but we must raise awareness. Maybe we send Mike Fratto to the Today show. Matt Lauer could do the interview -- the discussion would certainly be worth 50 segments on how to get $200 worth of groceries for $3.27 using coupons.

Or, maybe vendors of consumer-grade devices need to embrace the default deny ethos and do what it takes to protect their customers from themselves. Setting a bunch of 15-year-olds up with a wide-open FiOS link and zero intelligent parental supervision strikes me as the digital equivalent of handing a toddler a book of matches. Sure, controls and education are expensive. But we've seen where ignorance has gotten us.

What do you think? What responsibility, if any, do security practitioners have to the great unwashed masses yearning to not have their bank accounts cleaned out?


About the Author(s)

Lorna Garey

Content Director, InformationWeek Reports

Lorna Garey is content director of InformationWeek digital media.
