Who are your experts?


Making the matter even worse is that the generalists believe that they have to dumb down the material for the laypeople. Clearly the information needs to be understandable, and anyone who's tried to explain security issues to a nontechnical friend or relative knows how low the bar has to be set sometimes. However, since (again) bad info often drowns out good info, many of these consumer computer experts are dumbing down previously dumbed-down information. Inaccuracies creep in, and the reader is left with bad information ... which, often, they still don't understand!

Newspaper reporters are not the only example of bad "experts." I've seen computer consultants whose security knowledge is even worse -- and maybe more dangerous. I once had a friend call me in tears, saying that she had a virus on her computer that deleted years' worth of digital photos. I told her to get antivirus software and recommended a data recovery service. She told me that she had a local consultant come in and that he'd used a piece of software to disinfect that virus, so she didn't need to buy antivirus software. The consultant told her he was saving her money by doing this.

I told her that since her primary concern was retrieving the pictures, she should not touch the computer and should send the drive out to the data recovery service before she wrote anything else to the disk. She told me that the "cost-effective" consultant had already reloaded the operating system.

While there was a chance that her data wasn't overwritten, an expert should have known that writing to the drive might overwrite otherwise recoverable data. He obviously didn't have a clue that he'd just disinfected the system but hadn't stopped future infections -- after all, a freshly reloaded operating system with no antimalware protection is just as big a target. Cost-effectiveness is nice, but it's no substitute for competence.

So, who are your experts? Questionable advice is very much out there. Generalists are selling themselves as experts on very specific topics, such as security. I saw one IT services firm that started reissuing business cards that changed people's titles from "systems analyst" to "security analyst". The people had received no special training and had never done any security work before. That was irrelevant -- a quick title change, and their consulting rates went up.