My dad forwarded me an opinion piece from the eWeek newsletter called Idiocy Imperils the Web. Jim Rapoza argues that – especially by now – people should really have figured out not to click on unknown attachments. My favorite quote: “Most people figure out that if they keep grabbing the electric fence, they’ll get a shock every time.”

I’ve thought along these lines for several years now. [Update: Not anymore (see below)] Once the first two waves of high-profile email viruses hit, it was time for people to wise up. Instead we have a variation on the classic joke:

Three guys walk into a bar. You’d think the third one would have ducked.

Except it’s more like “Ten guys walk into a bar. You’d think the third, fourth, fifth…”

Although I’m also reminded of a quote from Jakob Neilsen’s “Alertbox” usability column from April 1996:

The fact that the Internet doubles every year implies that at any time half of the users will have been on the net for less than a year. In other words, we are doomed to have 50 percent novice users for the foreseeable future.

This has, of course, slowed down since 1996 – recent statistics show Internet growth in the US has dropped to 5% – but it seems very unlikely that newbies can account for all – or even most – of the virus spreaders.

Yes, the responsibility rests ultimately on the jerks who write these things – but they wouldn’t be able to get anywhere without the idiots who click on them.

Update March 2023: In the 20(!) years wince I wrote this, I’ve come around to agree with Bruce Schneier’s remarks on the subject from 2011:

People get USB sticks all the time. The problem isn’t that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn’t safe to plug a USB stick into a computer. (emphasis added)

Yes, people absolutely need to be careful with storage they plug in, with files they download, with apps they install. Of course they do. But that only gets you so far. In addition to unintended security vulnerabilities, the software and hardware makers need to do better at not building glaring holes like auto-running malware.

I mean, just yesterday the YouTube channel for Linus Tech Tips — a channel that’s all about the tech — was taken over through malware that installed itself from a malicious PDF file and collected the session tokens from the computer’s web browsers, enabling the hackers to clone their login session and replace the channel with one promoting cryptocurrency. If YouTube — owned by Google, one of the biggest tech companies in the world — had flagged the IP-hopping or region-hopping of the login session, it could have at the very least thrown up some roadblocks.

(The number of things I just typed that wouldn’t have made any sense back in 2003…)

Admittedly, it’s hard to blame Microsoft or Google for exploding USB sticks, but I certainly wouldn’t blame the victim for it either.