There is nothing in these keynote comments made by Ivan Krstic at AusCERT 2007 that hasn't been said before. What is a bit different -- and refreshing -- is that Krstic pulls absolutely no punches. There is a lot of fun invective to be found in his opinions, which were reported by ComputerWorld.
"Everything you know about security is wrong."
"We run untrusted code every time we open a Web page. It is bizarre."
Behind these and other quotable quotes is a very fundamental and simple point: Security is so complex that leaving decisions to uninformed and unmotivated end users is impractical and senseless.
The security landscape is built on the notion that the end user must take some action in order to keep his or her machine safe. This problematic assumption -- that people actually will do the right thing -- is mitigated in corporate settings by management tools that let IT departments lock down desktops. Many businesses still leave end users to fend for themselves, however. Vendors increasingly offer automated protection for mobile computing, but the onus still largely rests on end users.
Krstic certainly is correct in his assessment that what is happening today is not working, and it makes sense to try to fix it. Indeed, Google is toying with the concept by considering a rating system that will assess sites for vulnerabilities and attach warning labels to those that are potentially dangerous. Google's approach can be seen as a baby step toward the centralization of security oversight.
The problem is that end points and websites that are not under corporate control are, cumulatively, as big a threat as those controlled by IT departments. Hackers are finding new ways to spread mayhem, and many depend on the laziness and ignorance of site owners and surfers alike. Bottom line: Chains are only as strong as their weakest link, and there are plenty of weak links on the Internet.
So a fix -- even a radical one -- seems in order. Time spent thinking about this, however, brings to mind the Winston Churchill comment that "democracy is the worst form of government except all the others that have been tried." The nature of the Internet makes the implication of Krstic's critique -- that some sort of centralization of security is necessary -- seem impractical.
That's why it makes sense that Krstic, at least in the comments reported by ComputerWorld, makes no suggestions on how the situation could be alleviated. He only voices contempt for the current state of affairs. How would a world look in which control was taken away from end users? Such a shift would seem to involve a layer of regulation, bureaucracy, administration and software that would raise a lot of hackles and cause as many problems as it prevents. Central control of security also would require a level of international cooperation that is unlikely to occur.