begin  quoting James G. Sack (jim) as of Thu, Aug 02, 2007 at 12:24:16PM -0700:
[snip]
> In the PC realm (individuals, household-based, consumer items, etc):
> 
> Has anyone stepped back and asked *what we want and/or need*?

Frequently, I suspect. But there probably isn't just one answer.

Many users want cool stuff. They want quick, easy, free games; they
want videos; they want commerce. They don't want to have to think,
to be suspicious, to be careful, and they want it to Just Work.
(They also want the computer to Read Their Mind, To Do The Right Thing,
and many other impossible things.)

Needs are harder....

> Here are a few initial thoughts to suggest what I mean:
> 
>  Do we want/need PCs to be safe from malware?

Yes. A machine under the control of malware is not available for the
user's needs, and is consuming the user's resources.

>  Do we want/need PCs to be good netizens?

The other users on the network want/need this.

>  Do we want/need PC owners to be "responsible"?

The PC owners are the ones best able to be responsible, as they can take
the most direct action.  On the flip side, they may be the least capable,
giving us a situation where responsibility must be shouldered by those
who can't do anything due to limited access or limited competence.

(And this is how we get the long arm of the government involved.)

> It strikes me that the following relate to /how/, and might be better
> deferred until after deciding on /what/.

It all comes down to policy. What do you, the owner of a machine, wish
for it to do and not to do?  Can you phrase the policy succinctly? Can
we provide some way to translate that into something the machine would
be able to understand?

>  How to prevent installation/spread of malware?

Easy - kill mobile code, live data, and default services. Provide a
layer of abstraction that lets the machine owner see and manage all
resources on the machine (virtual machines could be very useful here).

>  How to enforce and verify?

Harder. Just establishing a decent policy is hard, much less enforcing
it or verifying it.

>  How to fairly distribute costs?

Costs need to be borne by those who *can* take action. 

> OK, I suppose you have to ask whether something is possible (or evaluate
> the cost) when deciding among alternative objectives.  

Well, it may not be possible to eliminate *all* malware -- it may not
even be a good thing.

(This is a problem in the Mac and Linux communities, I think. The
relative lack of malware makes us soft.)

>                                                        But maybe you
> shouldn't focus on how before deciding what. I don't mean to discourage
> research -- research is probably necessary, especially on the
> /impossible/ things. ;-)

I wonder if we should pay a bonus to every trojan, rootkit, and virus-writer
that gets more than a specified percentage of the market infected with
their special bit of malware.  (Paid for by imposing a small fee on
those "infected", perhaps.)  Encourage research. Paid for by people who
run insecure machines.  Vendors who make it hard to secure a machine
will lose in the marketplace.

-- 
We know how to be secure. Just not with untrustworthy endpoints.
Stewart Stremler


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
