On Feb 16, 2007, at 9:12 AM, <michael.dillon@bt.com> wrote:
It is regularly done with servers connected to the Internet. There is no *COMPUTING* problem or technical problem.
I beg to differ. Yes, it is possible for tech-savvy users to secure their machines pretty effectively. But the level of technical knowledge required to do so is completely out of line with, say, the level of automotive knowledge required to safely operate an automobile.
The problem of the 100 million machines is a social or business problem. We know how they can be secured, but the solution is not being implemented.
We know how -people with specialized knowledge- can secure them, not ordinary people - and I submit that we in fact do not know how to clean and validate compromised systems running modern general-purpose operating systems, that the only sane option is re-installation of OS and applications from scratch. There have been very real strides in increasing the default security posture of general-purpose operating systems and applications in recent years, but there is still a large gap in terms of what a consumer ought to be able to reasonably expect in terms of security and resiliency from his operating systems/applications, and what he actually gets. This gap has been narrowed, but is still quite wide, and will be for the foreseeable future (witness the current renaissance in the area of browser/HTML/XSS/Javascript vulnerabilities as an example of how the miscreants can change their focus as needs must). ----------------------------------------------------------------------- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice The telephone demands complete participation. -- Marshall McLuhan