Sat, Aug 28 2004 13:49
I'll take Security Center vulnerability for $1,000 Alex!
PcMag and other magazines came out with an article on the “vulnerability of the Security Center” and Larry Osterman has a post on the issue. My take is that it's a risk analysis issue. What is worse? That malware is going to get in and overwrite the Security Center application, or that the person is still running the same Norton Antivirus definition files that came with the computer two years ago when the computer was new?
Yeah, we need to stop making people be local administrators, but you know what? The ENTIRE INDUSTRY hasn't woken up to this issue yet. Least Privilege is HARD to do and it should be soooo much easier than it is now. Every single application developer should be reprimanded if they are writing an app today that will have an impact in the future and it is not “least privilege” aware.
We've taught our end users that they need absolute control of their box and haven't given them enough training at all to be able to handle “RunAS” or “SuDo”. At the same time, I would not be as computer enabled as we are today if Windows 95 demanded that we RunAs.
I've said this before and I'll say it again: what I consider to be acceptable risk today will not be acceptable risk tomorrow. Someone said to me that they call end users “dear Muggles”. I think we do need to have a wizard, a protector, a defender behind every user.
The polluted Internet | The Register:
"People shouldn't have to be computer experts to own a computer. But without a firewall, router, mega patches, anti-virus and anti-spyware, my auntie Fern has little hope."
... sad but true.....