Rearchitect Security: It's A Jungle Out There!
Security issues are rampant, and if you judge by the number of security reports, patches and other prevention mechanisms and policies being put in place by most IT departments, things are only getting worse by the day.
"Computer users suffer myriad security problems, including:
- viruses and worms,
- "Nigerian" scams (email asking you to help smuggle out a supposedly large sum of ill-gotten gains),
- phishing (falsified email, purportedly from a known vendor's customer service department, asking you to go to a masquerading website and enter your account information),
- and spyware and adware that install software on your computer without your informed consent (although some operations might claim to have consent, most people don't know what they're agreeing to when they click "OK?" buttons on the Web; for true consent, users must know that software will be installed and want the adware feature activated)."
Jakob strongly argues that it is useless to keep pushing the blame onto end users and their need to be more prudent, more technically knowledgeable and up to date with the latest patches. This just doesn't work.
"Computer security is too complicated and the bad guys are too devious and inventive.
It's simply unrealistic to assume that average users can keep up with them.
Yes, you can tell people not to click on attachments in email from strangers, but then attackers start sending email that apparently comes from your boss, your wife, or your best friends. In a modern office, you can't do your work without clicking on attachments."
Do we all need to go around carrying a digital gun?
"The virtual world magnifies the reach of the nasty guys. A single cracker who discovers a security hole can attack billions of users. Every single netizen therefore needs protection against all the world's computer criminals, not just the neighborhood hacker."
I couldn't agree more.
But where Jakob and I strongly diverge is on solutions.
While he titles his solution section "Rearchitect Security", in practice he only advises pushing the security approaches we are already using to their highest limit.
Mr Nielsen advises adoption of the repression and policing approaches that utilize massive and highly trained police forces, defaulting our computers to maximum security settings and to other draconian measures for countering the security issues plaguing the Web.
The cure he would recommend is made up of the following medicines:
- Encrypt all information at all times, except when it's displayed on the screen.
- Digitally sign all information to prevent tampering and develop a simple way to inform users whether something is from a trusted source.
- Turn on all security settings by default since most people don't mess with defaults.
- Automate all updates. ...The automated patching introduced with Windows XP's SP2 is also an improvement.
- Take a more proactive approach to criminalizing and hunting down spammers, phishers, virus writers, eBay fraudsters, and others who violate users' rights. We need big-time FBI task forces dedicated to these problems because their impact on the economy and on citizens' well-being is now greater than many old-fashioned crimes that absorb law-enforcement resources.
I, on the other hand, reckon that the way out of living dangerously in a jungle is to rearchitect our use of the Web around real-estate principles and to provide the real missing element needed to solve all of these issues: identity management.
What I suggest we recognize is that on the Web we carry out business just as we do in physical space. There, we meet and exchange information with partners and customers in secure and protected spaces that have been built according to standards and tight specifications.
We need an equivalent approach online: infrastructure standards applied to our virtual offices, meeting rooms and conferencing spaces. The materials and infrastructure used to build online spaces must be certified and built according to certified standards applicable to all.
"We need a coherent model that is based upon architecture, rather than a bunch of standards that simply define how software and hardware widgets (i.e. construction materials) plug into each other."
(Source: Future of Online Collaboration)
More than this, we need to be able to identify who we are communicating and exchanging with in a 100% precise and reliable way.
We need effective identity management and the ability, without selling out to a centralized, commercial entity (as Microsoft Passport has attempted to become in the past), to enroll in a program that allows individuals to create a trusted and legally valid digital identity.
Attempts toward "local crypto infrastructures" like Microsoft's original TCPA/Palladium/NGSCB initiatives can only work if they are provided by a neutral organization that represents real authority.
This doesn't mean that everyone needs to expose her identity while online, but that the infrastructure within which we carry out our private business is designed to securely manage those people who can be positively identified.
To make this possible we need to self-organize into one or more NGO-like organizations, some form of futuristic ITUs, that would take charge of developing and approving building codes and licensing permits. Such an organization must be representative of Internet users, and it must not be bound to adapt to the whims and hidden agendas of some major commercial enterprise.
I know, it all sounds a bit too far off the edge of reality to be interesting and worth exploring further. But believe me, I am not the first to suggest such a road, and if you dig a little deeper than the surface of the issue, you will see that what I have described in very simple terms is not only applicable, but provides a greater number of benefits without engulfing us in an Orwellian panopticon like the one suggested by our usability expert Jakob Nielsen.
Food for thought.
Or do you really think that we should give Microsoft and the FBI some heavy money to fix this?
Excerpts extracted from:
Jakob Nielsen's Alertbox, October 25, 2004:
User Education Is Not the Answer to Security Problems
(User education and security)
Copyright 2004 Jakob Nielsen