I love and hate the Firefox addon "noscript". I use it to add an extra level of protection to my web browsing, but I hate it when a site requires Java or some other script to run and I haven't approved that site. It's not a big deal when I first visit the site, but when I write a fairly long comment on a blog post and have it wiped out because scripting is required, it is really irritating. I did that this morning. Mitchell Ashley wrote a blog post on the need for security vendors to do more to take the ball out of the end user's hands. I had a great (ok, that's subjective) comment, and it was a little lengthy, but it got wiped out when I went to post it because I had scripting enabled.
So, I decided to take it to the streets. I'm going to rewrite my comment (at least what I can remember) here and see if I can get some good chatter going between Mitchell, myself and any others who may want to jump in here.
First go read Mitchell's post and then come back here. While you do that I've got a meeting to attend.
Ok, so we're all back. Here are my thoughts and comments:
Mitchell, I agree with you that we need to make these issues transparent to the user, to a point. Some AV/HIPS vendors are already doing this somewhat. They have taken lots of the firewall alerts and answered them "by default" so that the user isn't bothered with answering questions that they don't understand. They are making it easier for updates to be pushed/pulled to the system instead of making the users do this manually. There is still work to be done, but.... Where I have a little disagreement is in completely removing the user from the fray. If we do so, we may make it easier on them, but we are missing out on an opportunity to educate them on the risks associated with life on the internet. We are missing the chance to teach them how to be more secure by giving them information that they can understand and then make an intelligent decision on. What I would like to see is the software vendors write alerts and pop-ups in layman's terms so that a user doesn't have to decide if it's safe to allow lsass.exe and svchost.exe to access the internet. And it gets even more confusing when the internet isn't really the internet but the internal LAN, if they have one. I would like to see the vendors provide easy-to-understand tutorials (via the help button) that explain what the dangers of allowing or disallowing something are. We have conditioned them to click "yes" just to shut up the firewall, but they have no idea what they are clicking "yes" to. I agree that User Awareness isn't the silver bullet, but it has to be focused on because we can't change users' behavior if we don't give them data that will educate them effectively.
Thanks for a good post that gives us something to think about. Thanks for stoking the fire of how we can make a difference and not continue to do things in the same way. What I would like to see now is how we can really make this work. What are our action points for making security transparent yet still making the user be (in the active sense) more secure?
OK, the floor is open for your comments and for you to add to the discussion on your blog. I think there is lots of good stuff here to chew on. Let's get going.