Why is it bad for me if my computer is infected, if I don't notice?

The situation I face is a family member whose position is the following:

I don't want to update something that works, updates may break something. Look at our old computer that runs Windows 98, I've been using it every day for everything for 15 years now and it works without any problem, even though there's absolutely no antivirus or anything.

Using the same reasoning, he strongly resisted installing any updates or service packs on his other computer running Windows XP, and now that XP is dead, I cannot even imagine how he will react to the choice of either

buying several Windows 7-s for his computers for serious money, or
switching to Linux and basically relearning how to use computers from scratch.

What facts can I use to convey to them that it's bad if the computer is infected with malware, even if they don't notice anything wrong?

marczellm

Posted 2014-04-09T20:02:48.817

Reputation: 521

1Your deliberate phrasing is a success. – Tomáš Zato - Reinstate Monica – 2014-04-09T20:08:56.493

3Why convince him? Put a firewall and antivirus software on the XP machine. They will continue to be updated even though XP itself won't. – EBGreen – 2014-04-09T20:09:23.463

@EBGreen Yep but it is said to be still unsafe.

– marczellm – 2014-04-09T20:11:34.720

I don't necessarily agree with that list, but you have that list to use so why are you asking a question that essentially already has an answer on superuser? – EBGreen – 2014-04-09T20:13:02.900

possible duplicate of What are the potential security issues when I keep using Windows XP?

– EBGreen – 2014-04-09T20:13:24.737

5Who cares? Tell them what you think, let them decide, and when they need help cleaning up, that's not your problem, and if it is, then say "See!? I told you so! Now about my bill for cleaning up your mess...". VTC as off-topic (not a computer problem). – Ƭᴇcʜιᴇ007 – 2014-04-09T20:13:30.730

2@EBGreen the list explains how XP is vulnerable to malware, but as long as they go unnoticed, he doesn't care. – marczellm – 2014-04-09T20:15:00.007

should I post this at security.SE? – marczellm – 2014-04-09T20:16:07.777

2IMO, No you shouldn't, since it's a question about convincing a person to do something they've stated they don't want to do. That's a personal/social/humanity issue, not a computer or security issue. The question EBGreen points to (and many other places on the Internet) explain WHY it's bad, you just need to figure out how to convey that information to the user in an effective way (or just chalk it up "done all I can, not my problem anymore"). :) – Ƭᴇcʜιᴇ007 – 2014-04-09T20:19:54.650

@techie007 I still need objective reasons to explain why malware is harmful, even though the computer is working. – marczellm – 2014-04-09T20:25:01.233

14Go paint "I'm a Nazi Child Molester!" on the side of his car, and then ask him to drive it around town and to work. "Who cares, the car still works, right?" ;) – Ƭᴇcʜιᴇ007 – 2014-04-09T20:35:41.393

A question about computer hardware and software would be asking what the hardware and software problems are. This in contrast is a question about people, and is another "How do I convince Dave?" question. If you want explanations of the ways that malwares running on one's own computer can be a problem to the rest of the world, then ask a question that says that. This question does not. At the very least you could be adding "What are the potential security issues when I keep using Windows 98?" to our Q&A database. (-:

– JdeBP – 2014-04-09T20:51:20.217

13What's his IP? >:) – Blackhawk – 2014-04-09T21:52:23.010

10You won't convince them with facts. They're clearly immune. You will convince them by an absolute uncompromising refusal to have anything to do with those computers in the state they're in. – Michael Hampton – 2014-04-10T03:25:52.680

3Sounds a bit like the anti-vaccination people. – liftarn – 2014-04-10T08:50:08.333

3The best way to explain to non-technical people is analogy, and this is analogous to keeping information in a shoebox on your open windowsill. It depends on your behavior whether or not the information in the shoebox is worth taking, or whether anyone will end up taking it, but the fact remains that anyone that has a half a mind to do so easily can. – Mejwell – 2014-04-10T12:57:07.713

@techie007: It depends. Does he store sensible data about me on his box? Like photographs of how I enjoyed pot-smoking sessions in my sinful youth and when he caught us in the act, or letters from school which say I have unconstructed my teacher's car? The tentacles of data are huge. Basically, this is the exact same reasoning about why you should care when Sony or some other big player is cracked once again. – phresnel – 2014-04-10T14:33:03.860

2Is it bad for me to have cancer, if I don't have symptoms? – Matthew – 2014-04-10T18:04:28.960

ignorance is bliss – kaptan – 2014-04-10T18:19:49.697

2Why is bad for you, personally, to be infected with herpes if you don't notice? Same answer for your computers. You also don't want them infected with herpes, even if you don't notice it right away. – HopelessN00b – 2014-04-10T20:08:56.370

Answers

The best and least refutable argument is, that if you have nothing else to protect, you have your reputation.

If your account starts sending virus spam, you have to answer to everyone in your address book.

If the FBI starts asking why your PC engaged in a coordinated DDOS attack on a bank's website (because you got enrolled in the Zeus botnet), you have to let them sift through all your personal artefacts to (hopefully) prove you are not a cyber-criminal suitable for imprisonment for 30+ years. or worse yet, someone used your computer as a proxy for downloading child pornography, stealing and selling credit card data, or selling drugs on the silk road.

everyone has their reputation (and potentially their freedom) to protect. emphasizing that is one of the more effective ways to teach people (patching) religion. Just an investigation on some of these topics is enough to show up in background checks, which can follow you the rest of your life.

Frank Thomas

Posted 2014-04-09T20:02:48.817

Reputation: 29 039

11This is unrealistic. The suggestion to hand over evidence to the police in an attempt to convince them of your innocence is far more likely to put you in jail than running an outdated operating system (and you should do neither). – Marcks Thomas – 2014-04-09T22:20:14.030

10perhaps "asking" was a poor word choice. they 'ask' with warrants, guns, and large people who haven't learned the definition of the words 'civil liberties'. You don't 'let' then sift through your artifacts so much as they just don't lift their boot off your neck until their colleagues have removed all electronics from your home. – Frank Thomas – 2014-04-09T22:56:11.947

6Then perhaps 'unrealistic' was a poor choice of words on my part, because indeed what you describe can happen and has happened, but something so easily dismissed as unlikely, won't be a convincing argument. In determining whether to get a newer OS, no one writes 'avoid possible jail time' and 'may get hit by bus on way to computer store' on a pros and cons list. – Marcks Thomas – 2014-04-10T00:33:00.940

2Heh, all you have to be is single, a man and over 40 for child porn distribution charges to stick. Somebody hacks your system, uses it to distribute some pretty awful stuff and you are too tech ignorant to defend yourself when SWAT hits the door with the requisite warrant. Better have a really good lawyer on retainer. – Fiasco Labs – 2014-04-10T04:25:06.057

He says

I don't want to update something that works, updates may break something. Look at our old computer that runs Windows 98, I've been using it every day for everything for 15 years now and it works without any problem, even though there's absolutely no antivirus or anything.

Clearly it works for him. His argument is good.

If somebody is not going to dodgy websites, not installing software, let's say they just use Word, and Outlook Express and they don't open attachments.

I have seen middle aged non-computer users in the family that use a computer minimally, and some elderly in the family, just don't get malware on their computer. I suppose they could misspell a URL but they manage with the one or two URLs they visit, or the URLs come up in the address bar. Or they have a button on the bookmark bar that sends them to the URL.

If somebody can survive in this day and age with Windows 98 and not get anything in 15 years, they are doing better than others with lots of "protection".

I may be flamed or downvoted for saying this but i'm inclined to agree with him. Not that it works for anybody but that it works for him, with his style of computer use.

One way you could show a flaw in his argument, is by taking down his computer yourself, remotely, without installing any special software or malware on there (and without social engineering that abuses his trust in you), and it should be realistic i.e. something that really could happen that you see happening. Good luck trying to do that!

You should also educate him as to the risks of our times, like he may get email purporting to be from people he knows, telling him they've lost all their money. And he shouldn't fall for that.

I'm sure many people know some cautious computer users in their 60s and even those in their 80s/90s who do not "browse" the web, and are just not getting malware on their computer! Like somebody that only uses the television to watch the BBC News, somebody might only use their web browser to go to the BBC News website. There are people like that believe it or not, and it'd take a miracle for them to get malware on their computer!

Added- David has mentioned there were days when IE and OE ran Active X without asking(though it could be configured to disable active X). And one could use Chrome and web mail. The former being a fast browser anyway, and the latter being very portable.

barlop

Posted 2014-04-09T20:02:48.817

Reputation: 18 677

2I remember to the early days of the Windows XP pandemic when viruses spread through port 135 / RPC, and computers got infected the moment you attached them to the internet, so you could update them. – David – 2014-04-09T22:50:40.397

@David A NAT Router should stop access to whatever port. And the Windows XP Firewall should be stopping that too. One can always go to grc.com or whatever online port scanning site and make sure they don't have ports showing up. Could be an early XP had a bad firewall setting, particularly bad if on dial up so directly exposed. But behind a NAT Router and XP Firewall properly set, that wouldn't happen. Very trivial to check no ports are exposed. – barlop – 2014-04-09T23:00:57.487

1This was in the pre WinXP sp1/sp2 days, when everyone connected their computer direct to their DSL/Cable modems. Before when everyone had NAT routers. My point being that there will always be some sort of exploit, and the older the software the more well known those exploits are. – David – 2014-04-09T23:07:20.940

@David yes but my point was that nowadays people have NAT Routers not dialup. And even if his XP was an early release, he could still have the firewall configured properly. And I am saying he should make sure no ports are exposed onto the Internet, that rules out a ton of exploits. The fact that you had to pick one that was only relevant on a badly configured firewall and a computer on dial up with ports exposed, and does not require an anti virus or installing updates to defend against. Just the basics of a NAT Router.. and a sanely configured XP Firewall – barlop – 2014-04-09T23:21:45.317

I remember reading about the Windows 98 ping of death, crashing a computer remotely but even that wasn't malware, just a crash. And since windows 98 didn't have a firewall(and if it did then a terrible one I didn't even know of!) then yeah it'd have been worth upgrading 98 to 98 SE. XP has a decent firewall though. Your argument is basically. 'you never know' 'better safe than sorry'. But I am talking about -in practice- so XP, no reason for dialup and firewall not sanely configured and no NAT Router. – barlop – 2014-04-09T23:30:06.450

he strongly resisted installing any updates or service packs -- by your same logic, nowadays people patch their systems regularly. What about the days when Outlook and IE would run any arbitrary active-x components. These security holes have largely be been fixed through patches, by having software firewalls, and more sophisticated home networks. These old folks are likely to be running unpatched routers: http://it.slashdot.org/story/14/02/19/1435202/routers-pose-biggest-security-threat-to-home-networks – David – 2014-04-09T23:30:07.953

Security is a layered approach, and if you remove software patching, then you are removing a very significant layer. – David – 2014-04-09T23:31:03.963

@David Probably a fair point regarding the active x problem with Outlook and the checking of email in IE. But pretty much any edition of Chrome has never had that problem. And in practice, it wouldn't be hard to get somebody to use Chrome.. the person is resistant to installing updates of service packs but nobody said he was resistant to using Chrome or a web browser other than IE. – barlop – 2014-04-09T23:35:47.673

1But Chrome is a patch or a fix. It no longer is part of the default software. On our firewalls at work, we see loads of random attacks, port scans, on our firewalls that are on otherwise unpublished ip addresses. These attacks originate from all over the world. There are folks on the internet looking to get access through published exploits all the time. I see this everyday on the logs. Not installing patches is just putting your head in the sand. – David – 2014-04-09T23:39:22.760

@David when you have a very simple machine, simple usage, it narrows things down. I remember the Active X running automatically by default problem, and disabling it and having the option to ask for confirmation. And by Win XP SP2 that was gone(and if not then people addressed it then and it was gone). A lot of people use Web mail, no Outlook, and use Chrome even though it doesn't come with Windows. It's not that Chrome is a patch or fix, it's just avoiding a rubbish browser like old IE. – barlop – 2014-04-09T23:46:46.913

I get what you are saying, however, my point is simply that a.) even with very simple systems, they are open to security holes, even if the attack surface is reduced by keeping it as basic as possible. b.) that you are asking for trouble by not patching for known holes. and c.) that your argument is inconsistent, either you patch your system, or you do not. You seem to advocating, I'll patch my system sometimes, when I think it is best (eg use Google Chrome), but I won't bother when it doesn't suite me, because I am keeping my computer simple (not loading Outlook). – David – 2014-04-09T23:54:42.743

I think you accepted that the default behaviour of Windows XP as it shipped in 2001 is not secure, so is it just not easier to load the updates, so the OS is put into a default secure config as possible? – David – 2014-04-09T23:56:00.653

I have had updates from MS and other vendors go wrong, but because I can't (and do not want to audit) the code, I am not in a place where I can make informed, intelligent decisions as professional about what patches to apply or not to apply. If I can't informed decisions about what patches to apply, how can a lay user ever hope to? They are not just making the internet worse for themselves, but making it worse for the rest of us. Their system may very well be infected and they do not even know it. – David – 2014-04-10T00:04:03.303

@barlop I agree that 99% of virus avoidance is usage patterns. My Mom used a computer on the Internet without AV for years and never had to call me because of weird malware-type problems. Yet my dad can't be on the Internet for more than 15 minutes without contracting something even with up-to-date AV (he's gotten better the last couple years). My Mom hung out on Oprah's forums and did some online shopping, news reading, etc. My dad likes porn. The math is easy. ;) – Ƭᴇcʜιᴇ007 – 2014-04-10T15:03:24.133

The only safe and secure computer is one locked in a closet, switched off. What you are talking about by reducing the complexity and usage patterns is called 'reducing the attack surface.' Reducing the attack surface does nothing to protect against known security holes and vectors that exist in default configuration. Maintaining patches and fixes from vender is the best protection that you have for the /default/ software. – David – 2014-04-10T19:56:52.733

Well, tell him to think about it like this:

If a human catches a biological virus and doesn't notice, then they'll probably end up spreading it everywhere and hurting other people. So maybe you shouldn't go around licking toilets (using XP), even if it doesn't bother you specifically.

Even if he doesn't notice his computer has become part of a botnet, he'll still be sending spam everywhere.

Aahuehaueaheuhau

Posted 2014-04-09T20:02:48.817

Reputation: 107

1Except he won't care if it doesn't hurt him, and he'd be right not to. – Pierre Arlaud – 2014-04-10T14:59:15.867

Just because the user has not noticed any inclement behaviour yet does not mean they can expect that trend to continue in the future. Especially in a digital environment, where we have seen many times that security flaws are manipulated to extract useful information.

What's to stop your user from visiting a new website tomorrow that installs a keylogger on their machine? And soon after, noticing some unexpected purchases on their credit card. Not only is it possible, it's got significant enough probability to be a threat worth taking preemptive action over.

The important thing to realize is that anti-virus and other security is to stop your system from getting infected in the first place, not to fix problems when you notice them.

Like the old saying goes, an ounce of prevention is worth a pound of cure.

Devon Parsons

Posted 2014-04-09T20:02:48.817

Reputation: 504

2I think this is actually the best answer for this situation: if you have cancer, you could die from it no matter if you know about it or not. – evilcandybag – 2014-04-10T06:04:26.510

The answer is two fold: 1 It is the responsible thing to do - ie part of treating fellow life with respect (those you know like your friends and family and those you don't know like the guy down the street, in the next state, or the country over there).

2 To protect whatever you may have that you expose to your computer (money, personal information, photos etc).

Ram

Posted 2014-04-09T20:02:48.817

Reputation: 977

Seems like this user needs the wiifm (what's in it for me?) angle. Is the computer used for storing anything of value (pictures, documents, anything he/she wants)? Is the use of the computer itself valuable (e.g vs the time/effort to reinstall and start fresh)?

Then he absolutely wants to stay up to date and protected and here's why:

Malware generally invites other malware. It's not only the guest that never leaves, but the longer he's there, the more friends he invites.

Ever notice how a malware infected PC generally has more than one "thing" infecting it? That's because as soon as the one things gets in it usually 'phones home' and gets more malwares. Typically there will be one component that is [basically] a downloader and that piece gets it's instructions from a server which tells it what nasties to bring in. The operator of that server can change that list at any time so just cuz "it's not bothering" him today, doesn't mean that won't change tomorrow.

Still, what's the worst that can happen, right? So let's forget about spamming and DDoS botnets for a moment and look at something like Cryptolocker. There's a nice bit of digital "F**k You" Would your user be happy having his entire hard drive and any attached drive (external or mapped network) be held for ransom? Cryptolockers gotten so 'famous' there's now not only variants but I believe copycats too. So will he be satisfied to just walk away from it all (not to mention investing hours to at least format everything and reinstall XP (if he can even find the disc) from scratch?) Or will he gamble on paying some douche in a far away country, via bitcoin or wiretransfer or something, some $300-$900 on the chance he'll get his data back?

dunno about your user but lazy as I am, that's still enough to get me off my ass... And if he needs any proof, there's a few cool youtube vids showing cryptolocker in action.

JoelAZ

Posted 2014-04-09T20:02:48.817

Reputation: 537

I really don't know, why people are so scared of "XP's death". It's not dead - it's no longer supported, that's all.

I'd say it is reasonable to stay with it, even without any protection software, if you're a reasonable user. And like others said, being reasonable user doesn't mean you have to know everything about computers, systems, or be up-to-date with virus threats and so on.

There are lots of people using Windows XP, big companies all over the world with thousands of PC's not capable of runnnig Win7. Do you really think they will all buy new PC's? I doubt, I really do.

And to answer your question, after all, I'll stick to the "carrier" sort of thing, your computer being distributor of malware. But if that person isn't filled with sympathy and/or compassion, will he/she really care?

wojciech_rak

Posted 2014-04-09T20:02:48.817

Reputation: 111

If he does any kind of online banking (even checking his balance), he is susceptible to losing his life savings and/or identity... apathy won't protect you against malware.

I've never had my house broken into but you can bet I have a hand gun around, just in case.

thepip3r

Posted 2014-04-09T20:02:48.817

Reputation: 281

His argument is based on laziness and desire to maintain the status quo. So explain why malware threatens the status quo:

Malware uses the computer more than it otherwise would, which not only hits him in the wallet via electric bill, but also wears components faster than they otherwise would, leading to a computer dying before its time. Not only is buying a new computer an expense, but rescuing data from the failed one is a lot more work than installing patches.
Malware may consume all his storage with illicit content. Quite apart from someone discovering it there (generally after tracing transmission), when free space hits zero, he's in for a world of hurt. (Programs not starting, possibly even Windows not booting) Cleaning up a disk full of warez is a lot more effort than installing patches.

Ben Voigt

Posted 2014-04-09T20:02:48.817

Reputation: 6 052