Walt Mossberg has a dream. His computer will not make him feel like he is a part-time systems administrator. During an interview with RSA Security CEO Art Coviello and Symantec CEO John Thompson, Walt asked, "When will you protect my computer without annoying and bothering me…and stop telling me the diff between a virus, a Trojan and a worm. "
On stage: Art Coveillo, John Thompson and Walt Mossberg
Symantec's Thompson responded: “The next instantiation of our Norton Internet Security Suite will have an intelligent firewall. It will know where you go frequently. If we can tag that you have been before, we won't bother you. We are using technology to make it less noisy." However, security software companies don't want to be invisible, he said. "In part, we want users to know that we are working to protect them." The reasoning--when users reach the end of a paid subscription period, they may think that the software hasn't done anything userful with out the feedback. "It's a balance between alerting users and working on their behalf and not communicating," Thompson said. Coviello added his perspective: "It’s always about an equation, balancing security and risk, convenience to users and administrators and cost. As we make it easier for user, it's high time we make it harder for the attacker. We are offering anti-phishing service to consumer facing organizations, working with telcos and ISPs to find the source of attacks, shutting phishing sites down in five hours."
Thompson went on to talk about the need for more transparency in the security technologies themselves, but not to change the user experience in delivering security services, such as having to deal with dozens of passwords. Thompson views federated identity, similar to how the ATM banking system works, as a key to creating an environment where people feel more secure making online transactions.
Coviello noted the efforts so far in that direction (using the SAML protocol) been "spectacularly unsucessful," especially around getting back end agreements for accepting liabiliity for accepting identities. He predicted it will take several years for protected identities to take root.
Walt didn't seem very satisfied with the answers. Then he asked why aren't all security services in the operating system. Thompson answered: Certain components should and can be embedded in the operating system, but Microsoft Windows wasn't designed for the Internet and has a lot of functionality in the kernal that wasn't intended for current users. He allowed the the SP2 fix and Vista are more secure. Walt probed again, asking why everything to secure a PC couldn't come from Microsoft or Apple. "If you believe that monoculture is a healthy environment, if all the security is built by the same company, the lack of diversity and heterogeneity is as big a problem as having Microsoft building it all themselves," Thompson said. "Microsoft building it all and being the savior of the world is not believeable."
Coviello added that there are parts of software other than the OS that are vulnerable. "What gives me hope is firms like John's and mine own have overlaps--in security a little bit extra is not a bad thing." Walt asks about Microsoft's launch of its OneCare managed service. Thomspon said that the service solves problems that are less significant today (worms, virus) than in the past and compared to online fraud and identitytheft.
So...virus, worms and trojans are less of a threat (give Microsoft its due), financial attacks via phishing and other techniques is the battleground. Monocultures are bad, diversity yields better results. Less noisy is better, but some noise is good for business.
But, Walt wasn't done. The number one complaint from his readers is about spyware and adware, and Symantec products are weak in that area he said. A slightly bruised Thompson talked about applying some kind of rating system so that users get the ads they want.
Walt's final word--no one should be allowed to put anything on my computer without my permission. Case closed...