Security Meets Flexibility

Clearing up around my desk the other day I found a printout of Marcus Ranum’s article, The Six Dumbest Ideas in Computer Security.  It does me good to re-read this from time to time, and it never fails to give me new ideas.  I’ve been thinking recently about viruses and spyware, and what a pain all that stuff is, so this paragraph jumped out at me:

Another place where “Default Permit” crops up is in how we typically approach code execution on our systems. The default is to permit anything on your machine to execute if you click on it, unless its execution is denied by something like an antivirus program or a spyware blocker. If you think about that for a few seconds, you’ll realize what a dumb idea that is. On my computer here I run about 15 different applications on a regular basis. There are probably another 20 or 30 installed that I use every couple of months or so. I still don’t understand why operating systems are so dumb that they let any old virus or piece of spyware execute without even asking me. That’s “Default Permit.”

This sounds perfectly sensible, doesn’t it?  Only let the good stuff run?  Of course the reason we don’t do it is that in order to select which is “the good stuff” and which is “bad”, we need a human to make a decision.  As PC users, we enjoy the flexibility to download and install anything we like, whenever we like.  I have a number of different soft-phones (Skype, SJ-Phone, Messenger, etc) that I have elected to install on my machine, and no-one else in the company was involved in the decision to do it.  Even supposing I install software from CD (for example installing firmware that comes with a VoIP phone), it is not unheard of for mass-produced software CDs to get shipped with viruses or trojans on board.  As a user, I don’t know that any particular package is “safe”, so I have to either take a risk or do without the functionality I want.
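To make the difference between the two policies concrete, here is a small added illustration (my own constructed code, not from Ranum’s article): the same set of made-up binaries evaluated under “Default Permit” (run unless a denylist of known-bad hashes says no, which is what an antivirus signature set amounts to) and under “Default Deny” (run only if a human has already approved that path and hash). The file paths and byte contents are invented for the demonstration.

```python
import hashlib

# Constructed sample "executables": name -> (path, contents).  Real files would
# be hashed from disk; these bytes are made up for the demonstration.
SAMPLES = {
    "skype": ("/apps/skype.exe", b"skype-binary-v1"),
    "sjphone": ("/apps/sjphone.exe", b"sjphone-binary"),
    "new_download": ("/downloads/free_maps.exe", b"unknown-new-binary"),
    "known_virus": ("/downloads/invoice.exe", b"known-bad-sample"),
    "tampered_skype": ("/apps/skype.exe", b"skype-binary-v1-with-implant"),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Default Permit: execution is blocked only when the hash is already known bad.
DENYLIST = {sha256(b"known-bad-sample")}

# Default Deny: each binary was approved once, by path and hash; anything else
# is refused until a human decides.
ALLOWLIST = {
    "/apps/skype.exe": sha256(b"skype-binary-v1"),
    "/apps/sjphone.exe": sha256(b"sjphone-binary"),
}


def default_permit(path: str, data: bytes) -> bool:
    return sha256(data) not in DENYLIST


def default_deny(path: str, data: bytes) -> bool:
    # The hash must match what was approved for that path, so a modified
    # binary sitting at an approved path is treated as unknown and refused.
    return ALLOWLIST.get(path) == sha256(data)


def evaluate(policy) -> dict:
    """Return {sample name: allowed?} for every constructed sample."""
    return {name: policy(path, data) for name, (path, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, policy in (("Default Permit", default_permit), ("Default Deny", default_deny)):
        print(name, evaluate(policy))
```

Under Default Permit the brand-new download and the tampered copy of an approved program both run, because nothing has flagged them yet; under Default Deny they are refused, at the cost of someone having to approve every new package.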

In the 1970s there used to be a thing called the application backlog in IT, which basically meant that users who wanted some kind of processing had to wait weeks, months or longer until the owners of the corporate mainframe could approve, budget, source and install some new software to meet the user’s need.  The PC brought with it the ability for users to solve their own problems in a timely manner, bypassing the Data Processing Manager and his domain.  However, the cost of that freedom is the risk that any package we install might include some threat which might not be apparent on day one of the install.

With PCs now being equipped for multimedia, with broadband or wireless Internet, there are more and more tempting software packages becoming available every day, ranging from mapping and route planning, to audio and movie studio software, telephony, IM and presence products.  There are many great productivity tools, offering everything from greater travel efficiency to better ways to interact with your customers.

Of course you can lock down corporate PCs and prevent users from installing their own software, but with this level of control you also lose the ability for users to solve their own IT problems, and once again you are back in the world of the application backlog.