I've been thinking a lot about security lately. I'm not sure I'm making any sort of headway. Everybody seems to agree that it is really really important, but I'm willing to bet that just about everybody has a slightly different view of what it actually is. So my question of the week is this: what defines the boundary between a security issue and an end-user issue? Where does the responsibility of a company end and the responsibity of its customers to behave responsibly pick up?
I like to think of things in terms of extremes in an attempt to make the middle ground more stark and expose the underlying issues. For example, most people don't blame Ford if a drunk driver piles into a crowd at an intersection. On the other hand, Blaster was the result of code flaw that end users had no control over. The burden of responsibility seems pretty clear in these cases. But what about something like the “ILOVEYOU” virus? Outlook was the mechanism by which it spread, but it required direct user interaction to do the damage...who's at fault? Or should we talk about shared responsibility in a case like this?
These sort of foggy areas make “security” hard to define. The finest feature of a computer is its ability to spur creativity and imagination. Developers instinctively understand this, so we try to build systems that impose no artificial restrictions on what a user can do. If we've done our job well then we can't possibly imagine all of the different uses that people will find for our work. How many of these uses will later be deemed to be malicious? Can we possibly prevent them and keep the computer as a playground for unbridled invention?