See your link here
Who's responsible for securing your PC: You or Microsoft?
10 comments- IT TOPICS:Operating Systems, Security, Windows & Microsoft
Microsoft recently took a lot of flak for quietly forcing a security update on users without their knowledge or approval. Basically the company sent out patches for the Windows Update mechanism to users of Windows XP and Vista machines. The patch was installed on systems without users knowing about it--even in cases where individuals had turned off the automatic updating feature.
Predictably, that caper had a lot of folks steaming over what they saw as a serious privacy intrusion by Microsoft. The incident reminded me of something that came up during an interview I did recently with Scott Charney, corporate vice president of Trustworthy Computing (TwC) at Microsoft. The subject was consumers and the responsibility they bear for securing not just their own systems but also the whole connected Internet ecosystem.
According to Charney, securing the Internet is something of a shared responsibility between hardware and software vendors, Internet access providers and consumers. While the vendors definitely need to do a better job of helping users manage security, there also needed to be a clearer articulation of what consumers need to do to secure their own systems and the Internet, he says.
Understandably, most consumers don't want to become system administrators or security administrators. All they want is to be able to log on, connect up and securely do whatever it is they want to do on the Internet without having to worry about spyware, Trojans, rootkits and botnets, Charney said. And technologies are readily available today that can help consumers do just that. ISPs and software vendors such as Microsoft can help consumers keep malware out of their systems and ensure they have the proper protections in place before their systems are allowed on the Internet, Charney said.
Microsoft itself can "sometimes do things like manage the machine for you," he said. "But that violates trust and privacy issues for you. And you immediately go ‘I don't trust Microsoft. I don't want them changing the settings on my machine. I want to do it myself'," Charney says. That's just fine so long as you actually do it; The thing is, if users don't manage security aggressively, all they are doing is adding risk to themselves and to the entire ecosystem, he said.
"There's an interesting analogy to smoking here," Charney says. Before people understood the implications of second-hand smoke, the general attitude towards smokers was "if you want to kill yourself that's your choice. You're free right?" But once the implication of second hand smoke begun to sink into the public perception, attitudes changed quickly and smoking was banned everywhere in public places. "The rational was you have the right to poison yourself and kill yourself but you don't have the right to kill others."
Charney readily agrees that comparing attitudes towards smoking to letting an outsider tamper with the settings on your system without your knowledge may be a stretch. But it at least helps frame the argument. "In the security space, for consumers and computers you can say, ‘Look, if you don't want to run anti-virus and you don't want to configure your system right and you want to get wiped out, that's your choice, The problem is, if your machine turns into a botnet and is used to attack someone else, it's not just you injuring yourself, its you injuring everyone else," he says.
Companies have been dealing with this issue for the past several years via network access control technologies designed to prevent users from connecting to the network unless their systems are properly secured with all patches and configuration settings mandated by policy. It is a trivial task to do the same on the consumer side, he says. "There's no reason why an access provider couldn't say, ‘Hey you're infected and I'm not giving you an IP address until you clean the stuff out'," he says. The important thing is there needs to be more of a discussion of these sorts of issues. "At some point, people could say is it socially responsible for a vendor not to offer automatic upgrades? Is it socially responsible for a user not to turn on automatic upgrades?" he asks.
Personally, I HATE the idea of someone automatically updating my system with patches for flaws that I don't even know about. And I don't care if it's Microsoft that's doing the updating or if it's any other software vendor. But I let them do it anyway because I just don't have the time or the inclination to patch systems myself. I haven't really thought about it really as being so much of a social responsibility as much as a pragmatic thing to do. So far I've been lucky in that no patch has crashed my system or otherwise caused things to go terribly wrong with it. But I also know others have not been so lucky in this regard.
What do you think? Should consumers be prepared to let outsiders manage their security for them if they aren't willing to do so themselves? Are we reaching a point where consumers with unsafe systems should be prevented from connecting to the Internet -- not just for their own safety but also that of others?
Print
Email this
Digg this
