Sometimes you get the funniest things said to you. It all started when someone asked how to stop spyware: even with Firefox and a firewall they were still being infected and overwhelmed. I told them that, in addition to the Microsoft Antispyware tool, they really needed to push to stop using local administrator and instead move to restricted user mode to better protect that computer. Antispyware software wasn’t enough; we truly need to stop running our computers with local administrator rights.
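As an added example (mine, not from the original post or from any book or outline it mentions), here is what "stop using local administrator" looks like in practice on a Windows machine: check whether the account you are sitting at is an administrator, see who is in the local Administrators group, and move the everyday account into the restricted Users group. The account name alice, the admin account name and the program path are placeholders.

```powershell
# Added example, not from the original post. Account name "alice", the admin account
# and the application path are placeholders; substitute your own.

# 1. Does the current process token carry the Administrators role?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Current session is running with administrator rights: $isAdmin"

# 2. Who is in the local Administrators group? (net.exe exists on every Windows release,
#    so this works on the XP-era machines the post is about as well as on current ones.)
net localgroup Administrators

# 3. Turn the day-to-day account into a restricted user: take it out of Administrators
#    and make sure it is in Users. Run these from an administrator session, and keep one
#    separate administrator account so you can still administer the machine.
net localgroup Administrators alice /delete
net localgroup Users alice /add      # reports "already a member" if it was there already

# 4. For the one line-of-business application that genuinely needs administrator rights,
#    run just that program under the separate admin account instead of logging in as admin:
#    runas /user:COMPUTERNAME\adminaccount "C:\Path\To\App.exe"
```

Two caveats a practitioner would want: on Windows Vista and later with UAC enabled, step 1 reports False in a non-elevated session even when the account is an administrator, so step 2 (group membership) is the check that tells you what the account can become; and after step 3 the change only takes effect at the next logon, so log off and back on before testing the accounting application as a restricted user.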

I knew, though, that they would have line-of-business applications and thus wouldn’t easily be able to do this. So I explained that they needed to urge their software vendors to better support ‘restricted user’. And as a result of my email …. the response that came back was…..

“I haven’t got the slightest friggen clue what you just said.”

Steve Riley says tonight that he and Dr. Jesper Johansson have an idea for a second book for home users [you do know about their first book, don’t you? You should!], and there’s a section in the outline that talks about “Running with least privilege”. But already I can hear the poster who said that to me reading that outline and going …… “I haven’t got the slightest friggen clue what you just said.”

And there’s the rub. Here it is, a basic foundational rule in security: only give those rights that you absolutely must, and most of us haven’t got the slightest friggen clue what it’s all about. Aaron says, “The security principle of ‘least privilege’ is well understood: Software should run with the smallest set of privileges needed to perform its tasks.”

Understood by whom? Certainly not by the folks I hang around with. Certainly not home users. Certainly not buyers of software who haven’t a clue that the accounting application they just bought, the one that is a pain to make run as restricted user, is actually forcing them to run their system in a very insecure way.

Even in the ebook/college notes for the teen’s guide to safe computing, “Always use Protection”, I don’t see where Dan talks about restricted user at all.

So here’s to the day when I can say the words “restricted user” and nobody replies ….. “I haven’t got the slightest friggen clue what you just said.”

In my view it can’t be soon enough.
