Re: Security and the User experience



Ok, we'll just have to agree to disagree.

I believe someone recently released a "crank" operated PC (wireless) for
<$100. Still a lot of money for some parts of the world but I don't think I
suggested reaching everyone -- just increasing from 1 in 5 people to 2 in 5
people would be a huge success and boom for the industry. You may not believe
in a nanny state, but we very much live in a nanny state (certainly in the
US anyway) where <5% of the population have graduated from college/university.
Continued ignorance is not going to be bliss for our industry.

The non-enterprise user is growing, especially in a world of remote
computing and more and more of the work force working at home or off site.
But regardless, why cut them out of the equation when a solution is very
doable?

Rob.

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OamkXHNsGHA.200@xxxxxxxxxxxxxxxxxxxxxxx
Hi Rob.

I have to respectfully disagree. The non enterprise user will always need
to take ultimate responsibility in securing the operating system and in
most anything else that impacts their life. I don't believe in a nanny
state and the resulting unintended consequences. However software
publishers, including Microsoft with its operating systems, should make
reasonable efforts to make it easier for the end users to secure their
operating system and doing so can be a competitive advantage which is an
impetus for them to do so. For the enterprise much of what you want can
already be implemented with Software Restriction Policies and Group Policy
Software Installation. As far as a flat market I think that has more to do
with the fact that the remaining population on earth that do not have
computers is constrained by lack of infrastructure [communications and
electricity] and economics.

Steve


"Rob R. Ainscough" <robains@xxxxxxxxxxx> wrote in message
news:Oyk0ZaMsGHA.1580@xxxxxxxxxxxxxxxxxxxxxxx
Steve,

Verisign and other SSL companies already have similar structures in
place. Yes, there would be a review process and yes the cost will be in
part passed on to the development company. But think about the
savings -- we would gladly pay $1000/yr for a subscription to an
application authentication because it would save us $50,000/yr
(conservative) in time spent on support calls from users that didn't
block/unblock correctly and/or just have no clue what the various
security warning message means.

The OS can handle "unauthorized" applications -- this is where the user
will be informed (has to make a decision similar to what Vista does now
and prevent the app from running in a high security context), so it will
be up to the "little" guy to decide if they care about the end user
experience and if they need their app to have a high security context.
There could also be application classifications, if your little app
doesn't communicate across any public ports then authentication cost
could be significantly reduced to $100/yr (or whatever the pricing
structure ends up being).

But regardless of the implementation, the end result is that we NEED to
remove the security from being a user responsibility. If you refuse to
accept that, then we're stuck in a flat market and will continue on with
security flaws/problems -- Vista is definitely not the answer to end user
experience nor the answer to all our security issues.

Rob.

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uNYiswFsGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Appreciate the fact that you are thinking of solutions but let me play
the Devil's advocate. So if I write a malware program then I just need
to register it? No? Well then that probably means you are talking about
a review and approval process. If that is so WHO will have the final say
if my software can be registered or not, by what criteria, how long will
it take [hey Joe get started on that list of 2 million applications],
will I have to have every update/version approved, what is involved with
the appeal process, and who will pay for litigation costs? Such a
process would undoubtedly have a cost involved and most likely it will
have to be paid by the software publisher and no refunds for software that
is rejected that would hurt the "little" guys that write so many of the
popular and helpful utilities that are found on the internet.

Steve


"Rob R. Ainscough" <robains@xxxxxxxxxxx> wrote in message
news:OV2maQAsGHA.4004@xxxxxxxxxxxxxxxxxxxxxxx
The problem:

User installs an application that needs to communicate to SQL servers
and/or FTP servers and/or web services. Being a good user they have
some type of firewall and anti-virus software (most of the time it is
preconfigured so the user doesn't even know what they have). The
problem, whenever the user installs any applications (or even games)
they are either presented with a message saying "block/unblock" message
and sometimes even messages suggesting the application could be a
virus. So the user doesn't really understand this message at all and
could pick either option or just ignore the message entirely (and in
many cases with games, the message is hidden behind the full screen DX9
game so the user is completely unaware until after they exit the game
wondering why it doesn't work). In some cases the firewall/anti-virus
software will not even provide a prompt and just block the application
24/7. As a result the application may not work and/or the user can't
play online and you get one very frustrated user (either in a work
environment or a home environment). In fact, users get so frustrated
that they stop using their PC and move on to other things in life.

Microsoft do seem to be aware of this user experience problem after my
initial look at Beta 2 of Vista and how it grays out everything except
the program needing communication. Unfortunately, this is still "in
the way" for your average user and I don't believe this will help
increase the PC base of users. We've been hovering at 1 in 5 people
having computers for a long time now so there is obviously a large
"market share" to tap into.

I have a possible solution:

Any application that will be released on a public level should register
itself with an authority. The OS will then query the authority
whenever any application is installed, if the application has been
validated by the authority installation, then communications will be
permitted for that application. This process could become automated
(similar to how SSL certifications are acquired) at trusted
companies/sites. What this does is provide user confidence and at the
same time insulates them from having to deal with security.

I think Microsoft really need to smell the coffee here, because their
path of "that's just the way it is" does nothing for anyone involved in
the business of PC's and software development. What I'm seeing in
Vista is better, but doesn't go far enough to insulate the user from
security. In fact, in Microsoft's own book(s) on security, they clearly
identify that security should NOT be in the way. I for one would like
to see even a modest increase in market share from 1 in 5 people to 2
in 5 people (that's effectively doubling market share) -- this is good
for everyone. What Microsoft are failing to do is accept the reality of
their situation (you can't tell the user it's their job to ensure they're
secure, they will just simply say no it isn't and stop using the PC --
not up for debate period), sure it will require more work, more money,
and new "entities" to manage my proposed solution but the long term
benefits will easily pay off and since we already have entities that do
very similar functionality (Verisign, Networksolutions, etc. etc.).

What do you think?

Rob.
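
The register-then-query flow proposed in the original post, sketched as an added example; it is not part of the thread and not any real OS mechanism. It assumes the authority identifies an application by the SHA-256 of its installer and uses an HMAC with a demo key as a stand-in for a public-key signature; every name and the decision policy are hypothetical.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # stand-in for the authority's signing key


def digest(installer: bytes) -> str:
    return hashlib.sha256(installer).hexdigest()


def sign(key: bytes, app_digest: str, app_class: str) -> str:
    # HMAC stands in for the public-key signature a real authority would use.
    msg = f"{app_digest}|{app_class}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Authority:
    """Hypothetical registry mapping installer digest -> classification."""

    def __init__(self, key: bytes):
        self._key = key
        self._registry = {}

    def register(self, installer: bytes, app_class: str) -> None:
        self._registry[digest(installer)] = app_class

    def query(self, app_digest: str):
        app_class = self._registry.get(app_digest)
        if app_class is None:
            return None
        return app_class, sign(self._key, app_digest, app_class)


def on_install(installer: bytes, authority: Authority, verify_key: bytes) -> str:
    """Decision the OS would make at install time (assumed policy)."""
    app_digest = digest(installer)
    answer = authority.query(app_digest)
    if answer is None:
        return "prompt-user"  # unregistered: the user still has to decide
    app_class, tag = answer
    if not hmac.compare_digest(tag, sign(verify_key, app_digest, app_class)):
        return "block"  # answer is not vouched for by the authority
    return "allow-network" if app_class == "network" else "allow-local-only"


def demo():
    authority = Authority(DEMO_KEY)
    v1 = b"constructed installer bytes, version 1.0"
    v1_1 = b"constructed installer bytes, version 1.1"
    authority.register(v1, "network")
    return on_install(v1, authority, DEMO_KEY), on_install(v1_1, authority, DEMO_KEY)
```

The 1.1 installer falls back to the prompt because its digest was never registered, which is the per-update approval cost raised in the reply.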








