AusCERT: Entrusting end-users with security an outdated '70s idea, says author

Desktops exposed as users ignore security

Ivan Krstic, co-author of the bestselling The Official Ubuntu Book, delivered a scathing keynote at AusCERT 2007 today claiming the tech industry has failed to address securing IT and that far too much still rests in the hands of un-informed end-users.

Delivering the opening address at Australia's premier IT security conference, Krstic said immediate action is required.

"We can fix it now or face another 10 years of empty vendor promises and lousy security products," he said.

"We need to work less on sexy problems and focus on the hard ones that need to be solved."

Today's problems cannot be fixed, according to Krstic, with a 1970s security model.

"Everything you know about desktop security is wrong. Desktop security is about the user not protocols and algorithms," he said, adding that 75 percent of machines are infected with malware.

"Today, there are more than 100,000 known viruses, not to mention spam and phishing and that is because we rely on users to make choices about things they don't understand."

To reinforce his point, Krstic showed how a user interprets a pop-up dialogue box that appears on their screen.

To a user it simply says: "Blah blah, technical terms, I don't understand, blah blah."

Then it will ask the user to press 'yes', 'allow' or 'permit'.

"Of course they will click on 'yes', 'allow' or 'permit' because it rewards them by letting them get back to work. We are training users to ignore security and rewarding them for it," Krstic explained.

"By leaving decisions to uninformed users it means IT security is an unbelievable mess and disaster. How did we get here?"

Krstic said the assumption that every program runs with the permission of the user is a 35 year-old concept.

He said 35 years is equivalent to centuries in IT, adding that "we wouldn't go to war with sticks and stones."

"We run untrusted code every time we open a Web page. It is bizarre," he added.

Krstic went on to criticize the methods used to address these problems.

"Maintaining blacklists is one of the dumbest ideas in computer security; what's the point in keeping an up-to-date list of all the bad things, simply cataloguing badness. That's a losing battle we cannot win," he said.

More than 1100 delegates are in attendance at AusCERT 2007 which is being held on the Gold Coast from May 21-25.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sandra Rossi

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?