Monday, May 21, 2007

Everything You Know About Desktop Security is Wrong

This is what Ivan Kristic told an audience in Australia at their annual AusCERT conference. Kristic should know a thing or two, as he authored ''The Official Ubuntu Book". Here's some of the more interesting things he had to say during his keynote.

"Everything you know about desktop security is wrong. Desktop security is about the user not protocols and algorithms," he said, adding that 75 percent of machines are infected with malware.

"Today, there are more than 100,000 known viruses, not to mention spam and phishing and that is because we rely on users to make choices about things they don't understand."

To reinforce his point, Krstic showed how a user interprets a pop-up dialogue box that appears on their screen.

"To a user it simply says: "Blah blah, technical terms, I don't understand, blah blah."

"Then it will ask the user to press 'yes,' 'allow,' or 'permit'.

"Of course they will click on 'yes,' 'allow,' or 'permit' because it rewards them by letting them get back to work. We are training users to ignore security and rewarding them for it," Krstic explained.

Kind of makes the Mac ad where PC is constantly interrupted by a security "agent" a lot less humorous, doesn't it? Kristic asked "how did we get here", probably in reference to Linux specifically. The answer would be, "By following Microsoft." Instead of doing the hard work of either writing secure code to begin with, or the somewhat more difficult work of setting default behaviors with security in mind, Microsoft shoves the entire burden of system integrity to end users who barely know how to set headers and footers in Word.

I have no expectations that Microsoft market share will erode significantly this decade, but if past performance is an indicator of future behavior, I think it's safe to say that Microsoft will never get it...leaving itself open to marginalization by whomever gets this stuff right. Easy. Inexpensive. Secure. Feature-rich. Powerful. Fast. It simply has to happen.

No comments: