posted by steve | Category: Random Rants
When one doesn’t understand computer security one is destined to design a system that appears to be secure while in fact merely hiding the underlying insecurities.
Take for example all of the newfound security alerts and dialogs in Windows XP Service Pack 2. It seems as though my computer may be at risk, according to one of the balloons that keeps popping up. No kidding. Makes me wonder why that balloon only pops up when I boot into Windows and not when I boot into Linux. Is the computer more secure when I boot into Linux?
Obviously, the balloon is part of SP2 but why is it there? What of all the other security alerts and dialogs from SP2? It seems as though I need to wade through more and more junk just to get the computer to do what I want. Is this security? Does it add any value at all or does it detract from my ability to use the computer while doing nothing to prevent a malicious user from doing their thing?
I think it’s proven by now that people don’t read license agreements when installing software. Similarly, I’d argue that people don’t read (and/or comprehend the meaning of) all of these security dialogs. I’m installing an unsigned driver? What are my choices? If I want sound, I have to install the driver, right? Windows prevented something from happening, should it be unblocked?
How, exactly, is the average user going to understand the implications of allowing these things? Again, what value are these dialogs? By about the third similar dialog I’m guessing that most everyone will just click “unblock” or “yes” or “go away” blindly without reading anything at all.
Wouldn’t the better solution be to design an architecture that isn’t susceptible to all these amateur programming mistakes (think Internet Explorer)? Wouldn’t it be better to solve the underlying problems rather than continuing to patch the symptoms?
I believe that we’ve now officially seen the results of Microsoft’s Security Initiatives and repeated attempts and repeated attempts and repeated attempts (I could continue but I won’t) to tell their developers how to code securely. We’ve seen the result and it is a security balloon telling us that our computers may be at risk.