Re: Security and the User experience
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 26 Jul 2006 11:37:53 -0500
Hi Rob.
I have to respectfully disagree. The non-enterprise user will always need to
take ultimate responsibility in securing the operating system and in most
anything else that impacts their life. I don't believe in a nanny state and
the resulting unintended consequences. However software publishers,
including Microsoft with its operating systems, should make reasonable
efforts to make it easier for the end users to secure their operating system
and doing so can be a competitive advantage which is an impetus for them to
do so. For the enterprise much of what you want can already be implemented
with Software Restriction Policies and Group Policy Software Installation.
As far as a flat market I think that has more to do with the fact that the
remaining population on earth that do not have computers is constrained by
lack of infrastructure [communications and electricity] and economics.
Steve
"Rob R. Ainscough" <robains@xxxxxxxxxxx> wrote in message
news:Oyk0ZaMsGHA.1580@xxxxxxxxxxxxxxxxxxxxxxx
Steve,
Verisign and other SSL companies already have similar structures in place.
Yes, there would be a review process and yes the cost will be in part
passed on to the development company. But think about the savings -- we
would gladly pay $1000/yr for a subscription to an application
authentication because it would save us $50,000/yr (conservative) in time
spent on support calls from users that didn't block/unblock correctly
and/or just have no clue what the various security warning message means.
The OS can handle "unauthorized" applications -- this is where the user
will be informed (has to make a decision similar to what Vista does now
and prevent the app from running in a high security context), so it will
be up to the "little" guy to decide if they care about the end user
experience and if they need their app to have a high security context.
There could also be application classifications, if your little app
doesn't communicate across any public ports then authentication cost
could be significantly reduced to $100/yr (or whatever the pricing
structure ends up being).
But regardless of the implementation, the end result is that we NEED to
remove the security from being a user responsibility. If you refuse to
accept that, then we're stuck in a flat market and will continue on with
security flaws/problems -- Vista is definitely not the answer to end user
experience nor the answer to all our security issues.
Rob.
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uNYiswFsGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Appreciate the fact that you are thinking of solutions but let me play
the Devil's advocate. So if I write a malware program then I just need to
register it? No? Well then that probably means you are talking about a
review and approval process. If that is so WHO will have the final say if
my software can be registered or not, by what criteria, how long will it
take [hey Joe get started on that list of 2 million applications], will I
have to have every update/version approved, what is involved with the
appeal process, and who will pay for litigation costs? Such a process
would undoubtedly have a cost involved and most likely it will have to be
paid by the software publisher, and no refunds for software that is
rejected would hurt the "little" guys that write so many of the
popular and helpful utilities that are found on the internet.
Steve
"Rob R. Ainscough" <robains@xxxxxxxxxxx> wrote in message
news:OV2maQAsGHA.4004@xxxxxxxxxxxxxxxxxxxxxxx
The problem:
User installs an application that needs to communicate to SQL servers
and/or FTP servers and/or web services. Being a good user they have
some type of firewall and anti-virus software (most of the time it is
preconfigured so the user doesn't even know what they have). The
problem, whenever the user installs any applications (or even games)
they are either presented with a message saying "block/unblock" message
and sometimes even messages suggesting the application could be a virus.
So the user doesn't really understand this message at all and could pick
either option or just ignore the message entirely (and in many cases
with games, the message is hidden behind the full screen DX9 game so the
user is completley unaware until after then exit the game wondering why
it doesn't work. In some cases the firewall/anit-virus software will
not even provide a prompt and just block the application 24/7. As a
result the application may not work and/or the user can't play online
and you get one very frustrated user (either in a work environment or a
home environment). In fact, users get so frustrated that they stop
using their PC and move on to other things in life.
Microsoft do seem to be aware of this user experience problem after my
initial look at Beta 2 of Vista and how it grays out everything except
the program needing communication. Unfortunately, this is still "in the
way" for your average user and I don't believe this will help increase
the PC base of users. We've been hovering at 1 in 5 people having
computers for a long time now so there is obviously a large "market
share" to tap into.
I have a possible solution:
Any application that will be released on a public level should register
itself with an authority. The OS will then query the authority whenever
any application is installed, if the application has been validated by
the authority installation, then communications will be permitted for
that application. This process could become automated (similar to how
SSL certifications are acquired) at trusted companies/sites. What this
does is provide user confidence and at the same time insulates them from
having to deal with security.
I think Microsoft really need to smell the coffee here, because their
path of "that's just the way it is" does nothing for anyone involved in
the business of PC's and software development. What I'm seeing in Vista
is better, but doesn't go far enough to insulate the user from security.
In fact, in Microsoft's own book(s) on security, they clearly identify
that security should NOT be in the way. I for one would like to see
even a modest increase in market share from 1 in 5 people to 2 in 5
people (that's effectively doubling market share) -- this is good for
everyone. What Microsoft are failing to do is accept the reality of
their situation (you can't tell the user it's their job to ensure they're
secure, they will just simply say no it isn't and stop using the PC --
not up for debate period), sure it will require more work, more money,
and new "entities" to manage my proposed solution but the long term
benefits will easily pay off and since we already have entities that do
very similar functionality (Verisign, Networksolutions, etc. etc.).
What do you think?
Rob.
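A small working model of the scheme Rob sketches in his original post (register a released application with an authority, have the OS query the authority when the application is installed, and permit communications according to the application's classification). This is an added example for the reader, not code from the thread, from Microsoft, or from any certificate authority. Assumptions made here: an application's identity is the SHA-256 of its binary, the authority's registry is an in-process dict standing in for the network query, the two tiers are "public" (with the ports the publisher declared at registration) and "local-only", and the sample binaries are constructed byte strings.

```python
"""Model of an application-authority check feeding a host firewall decision.

Constructed example: the binaries, the registry and the two classification
tiers are assumptions for illustration, not any real product's behaviour.
"""
import hashlib
import ipaddress
from typing import Optional

# Classification tiers assumed for this example (the thread only sketches
# "communicates across public ports" versus not).
PUBLIC = "public"          # may reach any destination, on declared ports only
LOCAL_ONLY = "local-only"  # may reach only private-network or loopback peers

# Constructed sample binaries standing in for installed executables.
GOOD_APP = b"MZ\x90\x00 sample SQL/FTP client (constructed)"
GAME_APP = b"MZ\x90\x00 sample LAN game (constructed)"
UNKNOWN_APP = b"MZ\x90\x00 something nobody registered (constructed)"


def fingerprint(binary: bytes) -> str:
    """Identity the OS sends to the authority: SHA-256 of the whole binary."""
    return hashlib.sha256(binary).hexdigest()


# The authority's registry. A real deployment would query this over the
# network; here it is a dict keyed by exact hash, so any change to a
# registered binary yields an unregistered fingerprint.
AUTHORITY_REGISTRY = {
    fingerprint(GOOD_APP): {"class": PUBLIC, "ports": {21, 443, 1433}},
    fingerprint(GAME_APP): {"class": LOCAL_ONLY, "ports": None},
}


def query_authority(binary: bytes) -> Optional[dict]:
    """Return the authority's record for this binary, or None if unregistered."""
    return AUTHORITY_REGISTRY.get(fingerprint(binary))


def connection_decision(binary: bytes, dest_ip: str, dest_port: int) -> str:
    """Firewall decision for one outbound connection attempt.

    'allow'  - the authority vouches for the app and the destination fits its class
    'deny'   - the app is registered but the destination is outside its class
    'prompt' - the app is unregistered (or was modified after registration),
               so the OS falls back to asking the user, as today
    """
    record = query_authority(binary)
    if record is None:
        return "prompt"
    addr = ipaddress.ip_address(dest_ip)
    on_local_net = addr.is_private or addr.is_loopback
    if record["class"] == LOCAL_ONLY:
        return "allow" if on_local_net else "deny"
    # PUBLIC tier: any destination, but only the ports declared at registration.
    return "allow" if dest_port in record["ports"] else "deny"


if __name__ == "__main__":
    # 93.184.216.34 is used here simply as a globally routable address.
    for label, binary, ip, port in [
        ("registered client to SQL", GOOD_APP, "93.184.216.34", 1433),
        ("registered client to SMTP", GOOD_APP, "93.184.216.34", 25),
        ("LAN game on the LAN", GAME_APP, "192.168.1.20", 27015),
        ("LAN game to the internet", GAME_APP, "93.184.216.34", 27015),
        ("unregistered app", UNKNOWN_APP, "93.184.216.34", 80),
        ("registered client, one byte changed", GOOD_APP + b"\x90", "93.184.216.34", 1433),
    ]:
        print(f"{label:40s} -> {connection_decision(binary, ip, port)}")
```

Two things the model makes visible. First, a binary altered after registration (the last case) no longer matches the registered hash, so it lands in the "prompt" path rather than inheriting the original's permissions; every update would need re-registration, which is part of the cost Steve raises. Second, the check records only that the authority said yes: nothing in `connection_decision` distinguishes a registered program that behaves badly from a benign one, which is exactly Steve's "so I just register my malware?" objection, and why the review criteria matter more than the lookup.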