Rather unfortunate for Microsoft, but also for people who use their software. He was always out explaining what and why of Windows security to groups of people. Should be interesting to see what happens in that regard with Microsoft in the future.
Jesper Johansson has written an article called Help Wanted — Need "People" People for July's TechNet. It's an interesting writeup about how technological solutions to computer security problems will never work, and it needs to be addressed through changing opinion. Even brings out the classic quote "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." The dancing pigs example is back too.
He does bring out the point that we need "people" people to do that, which I think is important. The problem from my point of view seems to be convincing the more technical people people that it's in the user's best interest to be told no for certain things and explain why, rather than saying the users aren't technical and they'll never understand it. Just saying no isn't enough, as if someone is told know but just thinks it's arbitrary or because IT doesn't have time or doesn't want to support it, they'll try to do it on their own and make it worse than if they were assisted.
His perspective is actually that the technical people have to figure out how to deal with people to get around that. I can see that in a way. There are several non-technical people at work who I've built up relationships where I give complete answers of why we want to do something in a completely different way. They've learned in the long run that it's easier for both of us, and now are pretty much willing to take my responses without explanation. I think the key is after reaching that point to still keep explaining things, so things don't revert back to an "us vs them" mentality. It makes things easier to explain in small pieces gradually and let it sink in rather than hitting a point where it no longer makes sense and the whole background has to be rebuilt.
Unfortunately there are a couple issues with this. The first being it ends up not falling under and interfering with trying to keep a single-point-of-contact Help Desk. Part of the problem here I think stems from the fact that often the front line doesn't have enough technical knowledge to see the reasoning (or doesn't care about telling the user about it), and doesn't have an interest in learning it, so passes information through that sounds like an arbitrary mandate. The problem isn't needing to change the Help Desk model, that's needed for a lot of the front line stuff. Sysadmins need uninterrupted time to concentrate and work on projects. The people I work with for example understand that they can't always come to me with stuff. Most stuff goes to the Help Desk, especially if they need response right away. If it's an explanation that will end up with jumping through hoops at the Help Desk and they're willing to wait for action, it may not go through there. They understand I can't respond to stuff instantly (although for simple stuff I know the history and can do it in 10 seconds rather than them spending 30 minutes explaining what it is to someone asking completely unrelated things because they don't know it), and in some cases may take weeks to finish a request. And and understanding or dealing with the occasional "that needs to go through the Help Desk". I think there's probably a good medium between the techs dealing with people and the Help Desk workers understanding and communicating reasonings. There's also the need to get the information out to work the way down the chain through smaller jumps in technical knowledge, somehow minimizing the telephone effect.
Of course there are always the people who won't care, and will refuse all attempts to explain anything. Those are the ones who will probably need a few rounds of getting their identity stolen or financial accounts compromised, and losing their data due to lack of any sort of data management habits before thinking there may be a reason behind why they can't do whatever they want. What are your opinions on this issue?
Jesper Johansson posted the entry Windows Firewall: the best new security feature in Vista? He explains in detail why host-based outbound firewalls are worthless for what people expect them to do (stop/slow malware) as admin access means it can just be bypassed anyways, and actually create more problems by desensitizing people to security dialogs. Anyone who still thinks they're a good idea for the average user's computer should read it. A couple good quotes:
"Putting protective measures on a compromised asset and asking it not to compromise any other assets simply does not work."
"A plethora of dialogs, particularly ones devoid of any information that helps an ordinary mortal make a security decision, are simply another fast clicking exercise. We need to reduce the number of meaningless dialogs, not increase them, and outbound filtering firewalls do not particularly help there."
The naked dancing pigs analogy is way too accurate too. The people who would benefit the most from it are the most likely to click to get around it.
He does somewhat explain where they help (in a general sense on limited non-admin accounts). Apparently it's being added in Vista because they're implementing sub-user SIDs so even two services running under the same user won't have access to the the data or resources of the other. Assuming they don't have admin access either, one could be limited from using the network.
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)
