Re: Security and the User experience

Steve,

Verisign and other SSL companies already have similar structures in place.
Yes, there would be a review process and yes the cost will be in part passed
on to the development company. But think about the savings -- we would
gladly pay $1000/yr for a subscription to an application authentication
because it would save us $50,000/yr (conservative) in time spent on support
calls from users that didn't block/unblock correctly and/or just have no
clue what the various security warning message means.

The OS can handle "unauthorized" applications -- this is where the user will
be informed (has to make a decision similiar to what Vista does now and
prevent the app from running is a high security context), so it will be up
to the "little" guy to decide if they care about the end user experience and
if they need their app to have a high security context. There could also be
application classifications, if your little app doesn't communicate across
any public ports then authotentication cost could be significantly reduced
to $100/yr (or whatever the pricing structure ends up being).

But regardless of the implementation, the end result is that we NEED to
remove the security from being a user responsibility. If you refuse to
accept that, then we're stuck in a flat market and will continue on with
security flaws/problems -- Vista is definitely not the answer to end user
experience nor the answer to all our security issues.

Rob.

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uNYiswFsGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Appreciate the fact that you are thinking of solutions but let me play the
Devil's advocate. So if I write a malware program then I just need to
register it? No? Well then that probably means you are talking about a
review and approval process. If that is so WHO will have the final say if
my software can be registered or not, by what criteria, how long will it
take [hey Joe get started on that list of 2 million applications], will I
have to have every update/version approved, what is involved with the
appeal process, and who will pay for litigation costs? Such a process
would undoubtedly have a cost involved and most likely it will have to
paid by the software publisher and no refunds for software that it
rejected that would hurt the "little" guys that write so many of the
popular and helpful utilities that are found on the internet.

Steve


"Rob R. Ainscough" <robains@xxxxxxxxxxx> wrote in message
news:OV2maQAsGHA.4004@xxxxxxxxxxxxxxxxxxxxxxx
The problem:

User installs an application that needs to communicate to SQL servers
and/or FTP servers and/or web services. Being a good user they have some
type of firewall and anti-virus software (most of the time it is
preconfigured so the user doesn't even know what they have). The
problem, whenever the user installs any applications (or even games) they
are either presented with a message saying "block/unblock" message and
sometimes even messages suggesting the application could be a virus. So
the user doesn't really understand this message at all and could pick
either option or just ignore the message entirely (and in many cases with
games, the message is hidden behind the full screen DX9 game so the user
is completley unaware until after then exit the game wondering why it
doesn't work. In some cases the firewall/anit-virus software will not
even provide a prompt and just block the application 24/7. As a result
the application may not work and/or the user can't play online and you
get one very frustrated user (either in a work environment or a home
environment). In fact, users get so frustrated that they stop using
their PC and move on to other things in life.

Microsoft do seem to be aware of this user experience problem after my
initial look at Beta 2 of Vista and how it grays out everything except
the program needing communication. Unfortunately, this is still "in the
way" for your average user and I don't believe this will help increase
the PC base of users. We've been hovering at 1 in 5 people having
computers for a long time now so there is obviously a large "market
share" to tap into.

I have a possible solution:

Any application that will be released on a public level should register
itself with an authority. The OS will then query the authority whenever
any application is installed, if the application has been validated by
the authority installation, then communications will be permitted for
that application. This process could become automated (similiar to how
SSL certifications are aquired) at trusted companies/sites. What this
does is provide user confidence and at the same time insulates them from
having to deal with security.

I think Microsoft really need to smell the coffee here, because their
path of "that's just the way it is" does nothing for anyone involved in
the business of PC's and software development. What I'm seeing in Vista
is better, but doesn't go far enough to insulate the user from security.
In fact, in Microsoft's own book(s) on security, they clearly identify
that security should NOT be in the way. I for one would like to see even
a modest increase in market share from 1 in 5 people to 2 in 5 people
(that's effectively doubling market share) -- this is good for everyone.
What Microsoft are failing to do is accept the reality of their situation
(you can't tell the user it's their job to ensure their secure, they will
just simply say no it isn't and stop using the PC -- not up for debate
period), sure it will require more work, more money, and new "entities"
to manage my proposed solution but the long term benefits will easily pay
off and since we already have entities that do very similar functionality
(Verisign, Networksolutions, etc. etc.).

What do you think?

Rob.





.

Relevant Pages

  • Re: Security and the User experience
    ... So if I write a malware program then I just need to ... User installs an application that needs to communicate to SQL servers ... games, the message is hidden behind the full screen DX9 game so the user ... but doesn't go far enough to insulate the user from security. ...
    (microsoft.public.security)
  • RE: Concepts: Security and Obscurity
    ... resources are limited and thus there is a cost to life. ... It is not obscurity in the manner being ... more you spend on security the less of an advantage is gained. ... It also ignores the requirements of a control function. ...
    (Security-Basics)
  • RE: Concepts: Security and Obscurity
    ... International Journal of Social Economics ... Security is an economic decision. ... risk and always cost. ... Subject: Concepts: Security and Obscurity ...
    (Security-Basics)
  • RE: Impact of Global recession on Security !
    ... Intimate with clients? ... Cost and efficiency projects still need security. ... Impact of Global recession on Security! ...
    (Security-Basics)
  • RE: Concepts: Security and Obscurity
    ... I have at no point claimed absolute security measures or cost ... nothing to do with security is pure head in the sand ignorance. ... It also ignores the requirements of a control function. ... of transformation pressure " Cambridge Journal of Economics, ...
    (Security-Basics)