Trust through Education and Responsibility
It’s been seven years since Microsoft introduced the concept of Trustworthy Computing. As was the case back then, it still remains the same today… a computing system is only as trustworthy as its weakest link. And the weakest link is all too frequently human—whether it be poorly designed products, misconfiguration, features over reliability or falling victim to the latest social engineering tactic. Recent focus group research conducted by Microsoft amongst three different generations—young adults, parents and professionals, and baby boomers—revealed a collective sense of resignation when it comes to control of personal information online. The notion being that once information is included online, control is invariably relinquished. And even more concerning was a clear gap that exists between general concern for online privacy, and the lack of understanding of the threats that exist online. While many participants disclosed they consider the privacy implications of their information sharing decisions, they take responsibility for their actions—albeit a shared responsibility at times—and the insights don’t necessarily change the online behavior.
On Jan. 28, National Data Privacy Day, Microsoft hosted a panel discussion with other industry experts at the SF Public Library that evaluated this focus group research. While it is clear that trust is central to helping ensure privacy and online safety, two of the key takeaways from the event focused on the important role of education and the consensus that achieving a trusted computing experience requires a shared responsibility.
Consumer security awareness programs and guidance, and more recently, online privacy awareness programs and guidance have been around since the dawning of the Internet era. With that in mind, what more can be done on the education front? Is it about going beyond prescriptive guidance? How can we connect with more people and catalyze a change in online behavior that further develops trust, but also enriches the computing experience? And at the end of the day, who should really be responsible?
All Replies
- Dave,
Do you have any of the proceedings from that group? And the participants?
Pappkartoosh
Just another speck in a fibernachi sequence of stars about to be reordered by Andromeda
- Great series of questions
>> With that in mind, what more can be done on the education front? The Microsoft "at home" security page is excellent. Also every college IT curriculum should include security awareness courses. The Technet TWC, MSRC, SRD, and other security blog resources also help
>> Is it about going beyond prescriptive guidance? No - Just as many products manufactured come with warning labels, users need to be aware of the ever-changing dangers out there
>> How can we connect with more people and catalyze a change in online behavior that further develops trust, but also enriches the computing experience? Some negative perceptions have occurred when change is not well communicated. For example, WGA is an important anti-piracy measure but initial implementations led to folks believing that WGA was phoning home to Redmond - and folks opting out of it started not applying MS security updates. Also, search engine Startpage.com doesn't store IP addresses during a search -- I'd love to see this concept in Bing, as these small things help improve TWC.
Personally, I believe MS is responsible from TWC standpoint. Like a good reputation, trust is built over a long time period, but can be destroyed in 10 seconds if one is not careful
>> And at the end of the day, who should really be responsible? In an E2E environment - both "ends" are ultimately responsible. The vendor is responsible for fixing security issues quickly as they are discovered and for best practices leading to secure product implementations. The end-user is also responsible for acting appropriately
Harry Waldron, Microsoft MVP - Enterprise Security
- Respective Gentlemen,
A lot of this thread is typical academic. The truth of the matter is much more dire. With respect, this is more like a movie director re-doing Black Hawk Down with the suggestion of replacing the soldiers' firearms with mace then trying to give the ending a positive spin. Let me see if I can start the color by numbers.
1970s- the start of the economic sucking sound, City Bank reported to the FBI suspicious activity, EFTs were bouncing around the globe and the best they got was a bagman in Argentina.
1980s- saw the best of US technology going overseas> the "Traitorous Eight", Japanese electronics dumping had taken its toll, corporate espionage started hitting its peak, a new kind of kiting started validating cooking the books.
1990s- US corporations were truly on-board with "can't beat em, join em" and began trading on the insider information they gained through their services, boxed security companies sold products with no bondable backing and all surviving companies started to realise and practice "create the need, then fulfill it", Dr Norton, Steve Jobs, and a host of other visionaries were replaced by the drooling boards desperate to get in on the action ( I call it "Tuckered"). Microsoft started obfuscating the issues and removed md5 checksums as a benchmark for user security checking. By the end of the 90's we saw Ad-hoc gone and a new layer of code obfuscation along with a ton of user functionality, thus began the herding. Visual Studio 5 became net addicted. We started naming attack vectors not for logistical purposes but for security disclaimers.
2000- No software was bought or sold without rootkits or backdoors. .NET also with a new feature: run it as VB AND binary... what should we call that? Viralworm? .NET sandboxing has become a complete security field in itself with tragedies and competitive advantages still unfolding. The Internet was completely ruled by botnets and search engines who sold their services under a veil of redirection. PlanetLab betrayal is called entrepreneurial (best to describe what happened is to watch the movie "Primer", never really sure what happened other than it was bad but that is what sells to investors). Skull and bones seeded what remained of American companies> in essence cavemen misusing flashlights and starting to resort to stealing lunch monies. Social networking sites are widely used to insulate corporate management incompetence. Innovative business is not quite dead yet but restricted to start-up and sell operations. Patent storms of the last 20 years will finish off what's left.
2010- No octet will go unregistered. The question we need to ask is registered to who? and by what rules of competition for products and services? We can't even agree about what is fair within our own borders, never mind the dismal record with the rest of the world whose values in cyberspace would make most Americans shiver if they knew the truth. The cloud is nothing more than a fog. MPLS will have a good 2 years maximum before it becomes like Johannesburg when the lights go out. No fiscally viable champions or heroes are left... ease back and call it the rapture if you want. Whatever lets you sleep.
So, which way to point the mace can, I can do without right now. I need a few implosion grenades. Hurry up CERN! Hadron! put me in for 4 super-positioned entangled particles.
Just another speck in a fibernachi sequence of stars about to be reordered by Andromeda

