We've failed the consumer. When it comes to the lowest common denominator, security is an abject failure.
I say this because, when I was housebound during Virginia's "snowpocalypse," I spent a bunch of hours repairing a Windows PC for a family member, who I will call Alice. Alice is about as tech illiterate as anyone you'll ever meet. She has an out-of-the-box Windows XP system from a popular PC vendor. It's been running for a couple of years, more or less intact. A few months ago, she asked me to set up Skype on the system so that she could talk to family members overseas. Sure thing.
I made sure that it was up to date with patches, service packs and such. It had an antivirus product on it that was free from the cable modem provider. I made Firefox the default browser and Thunderbird the default e-mail client. I figured the machine was relatively safe from many of the nasties that plague the interwebs.
So I put Skype on the system, configured a basic webcam for her and left her to it. What could go wrong?
Well, a few short months later, the PC was running noticeably slower. We're talking boot-up times that can be measured with a sundial. Yes, the trusty but rusty home PC had picked up a cough somewhere in its travels, and it wasn't likely to get any better.
I took a look at the system and sure enough, it was dead. So here it sits in my office while I reload Windows on it. This time, I'm taking things a step further by giving Alice a non-privileged account, ensuring NoScript is installed in Firefox and setting Internet Explorer's default Internet zone security at "High." But I can't help but think I'll be doing this again in a few months' time.
This is not fun, folks. And the only conclusion I can draw is that we've failed.
Alice started using this system with zero knowledge. She simply wanted to webcam with family members. Nonetheless, she ended up picking up all sorts of nasty malware, keyloggers, botnets and so on.
The status quo is simply not a sustainable business model.
I can't help but think back to my December 2009 column where I advocated an "app store" for the common user. Let's revisit that idea just a bit, in the context of a user like Alice.
Consider a home PC (I'll call it a "Lily Pad") for which all the software comes from one place, and whose configuration management is controlled by one central app store (I'll call it the "Mother Ship").
The user simply wants to accomplish a task -- in Alice's case, to communicate via videoconference with her family. She turns on the Lily Pad, connects to the Mother Ship, finds a tool (Skype) for the job, installs it, and it works.
The Lily Pad contains no customized configurations of Firefox, antivirus tools, etc. It also contains no software that hasn't gone through the Mother Ship's security/functionality vetting process. All the applications on the Lily Pad are sandboxed to prevent cross-contamination.
To me, this is a compelling argument in favor of an app store for consumers.
Now, I know many of you tech-savvy readers are saying things like, "Not on my computer!" That's to be expected; there will always be a population of computer users who simply won't accept an app store for their own use.
But those people are not the target population for such an app store. I'm talking about the Alices of the world, who simply can't be bothered with -- or begin to understand -- the techno-crud we all put up with.
Folks, I believe that that is exactly the sort of vision that Apple has painted for us with the iPad. The smartphone platform is growing up and beginning to acquire some serious, business-capable applications -- not to mention enough screen real estate to really do some work.
If the iPad succeeds, it will be a boon for the consumers of the world. They might end up needing far less IT security support from us techies. In the grand scheme of things, that would be a success for everyone.
I know I'll be ordering my own iPad as soon as it appears in the Apple store. I wish Alice would do the same.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.