Guy Kewney

Finding security in a virtual world

An impenetrable firewall may not be the best way to keep your systems secure

Most of us don’t want to be famous, even if it brings great wealth. We want to be admired.

Being admired is not the same as having strangers hate you just because you were on TV, or because you wrote a piece of software that made some money.

Real fame is having people write computer viruses specifically targeting your company. Against this sort of customised attack, it’s hard to see what anybody can do.

Anti-virus and anti-spyware software is generic, to counter mass-market attacks.

But suppose you work for a merchant banking group and one day you find all your systems crashing. The only clue is an anonymous email saying ‘Ha ha. That will teach you to fire me!’, and you realise a disgruntled ex-employee has written a virus specifically designed to use inside knowledge of your network to bring it down.

That’s fame. It isn’t good. But it is what you need to be a successful giant business; which means you’re making yourself into a target as surely as if you painted concentric circles on your face.

It is also a direction in which the anti-virus community fears we’re headed. What the PC community can do about this isn’t obvious to me.

I’ve endured many presentations from Microsoft about how it is making the PC more secure, and I suspect we aren’t talking the same language here.

From the perspective of security experts, there are choices. First, you must have an inherently safe environment. When you have that, you must support it by writing inherently safe code. Finally, you have to use the computer in a safe manner.

I had a chat with the guys from Fortify Software, who don’t believe an impenetrable firewall is the answer. Rather, they believe software-development tools have to produce code that is pre-verified against common errors such as buffer over-runs as part of the testing process.

I expect to hear a lot more from them over the next year or two.

But their point was a good one, generally. Put simply, the more secure your environment, the more careless you are likely to be.

If there are no cars, why look before crossing the road? If the network is controlled by foolproof intrusion-prevention technology, are you likely to trust an executable piece of code you find on your hard disk? Or are you more likely to be cautious if it’s a machine used on the Internet by a 10-year-old?

I think the problems require a computing environment where it isn’t possible to bring down the network by running trojan code. That means, to my mind, that the environment has to allow user stupidity, but isolate the user’s own private environment from the main system.

The question that then arises is the old, sad, Microsoft-bashing one. Can this honestly be done with a Windows system focused entirely on digital rights management and backwards compatibility with the IBM PC Bios from 1981?

I’m working on a story relating to what I think is a scandal in local government computing. In essence, it involves business practices by Microsoft agents (I can’t yet tell if Microsoft is even aware of the practice) that amount to ‘buying the business’ in order to create a publicity firewall.

This is a system where people write ‘security analysis’ white papers about their proposed new system, and base those white papers on unsupported assertions from Microsoft. They publish the white papers as ‘our research’ and then Microsoft quotes this ‘independent assessment’ as proof of its suitability for a high-security environment.

The way to achieve security isn’t by publishing corporate flannel as independent research. It is (obviously) the view of my Linux friends that a proper operating environment is the only way forward.

It is the view of my Windows friends that there’s no way of replacing the universe of Microsoft-based software, or of making the universe of Windows users into people who understand Unix.

Perhaps the solution is to create a virtual environment, with Unix as the host, in which protected Windows environments can be set up and run with limited privileges.

It must be possible, with virtualisation technology, to run something like that on any new dual-core PC, with a little extra system memory. And if it is, maybe we can move forward into a world where computers actually work without causing more problems than they solve.
