SAN FRANCISCO -- The various seminars and exhibits at the computer security show here occupy not only an entire wing of the Moscone Convention Center, but also the 15 movie theaters across the street at Sony's Metreon entertainment complex.
The RSA Conference is huge, and its size is a testament to the fact that, given the increasing cost of computerized mischief, tech firms are starting to devote serious money to securing their data.
But convincing people to be more careful with their computers, and convincing them to be more respectful of intellectual property, might be the only way to add any lasting strength to a network, security experts said.
Some experts are suggesting seemingly drastic, though not very technically sophisticated, ways of protecting data. They include "locking up" employees' computers so that viruses don't spread through an organization, and "scaring" the people who use pirated software -- rather than the pirates who distribute it -- to halt the spread of cracked programs.
"This is a technical conference, and I'd like to tell you some technical ways to prevent cracking software," said Robert Baldwin, a security consultant (and former cracker) who was demonstrating how easy it is for even middling crackers to break the fancy anti-piracy schemes in most commercial software. "But at best, you can write software that would take a day to crack instead of an hour."
So if combating the crackers is a losing proposition, what's the answer? "Scaring the users of pirated software," Baldwin said.
If software companies see that a person is coming to their site after having just visited a site that offers a crack, the company "should display a message saying they know about it." Or, if the company notices that many different users are entering the same registration code for an application, the company should send each user a message saying that something fishy is going on.
"Some companies are already doing this, and they're having some success with it," Baldwin said.
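The second check described above (many different users entering the same registration code) can be run over a vendor's activation records. The following Python is an added example, not code from the article or from any vendor; the log format, the threshold of three installations and the 30-day window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activation log: ISO timestamp, registration code, installation id.
SAMPLE_LOG = """\
2001-04-10T09:00:00 AAAA-1111 inst-01
2001-04-10T09:05:00 BBBB-2222 inst-02
2001-04-10T09:30:00 AAAA-1111 inst-01
2001-04-11T10:00:00 CCCC-3333 inst-03
2001-04-11T11:00:00 CCCC-3333 inst-04
2001-04-12T08:00:00 CCCC-3333 inst-05
2001-04-12T08:30:00 CCCC-3333 inst-06
2001-06-01T12:00:00 BBBB-2222 inst-07
"""

def parse(log):
    """Yield (time, code, installation) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def shared_codes(log, max_installs=3, window=timedelta(days=30)):
    """Return {code: installations} for codes seen on more than
    max_installs distinct installations inside any one window."""
    by_code = defaultdict(list)
    for when, code, inst in sorted(parse(log)):
        by_code[code].append((when, inst))
    flagged = {}
    for code, events in by_code.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({inst for _, inst in events[start:end + 1]}) > max_installs:
                # Every installation that used the code gets the notice.
                flagged[code] = sorted({inst for _, inst in events})
                break
    return flagged

if __name__ == "__main__":
    for code, installs in shared_codes(SAMPLE_LOG).items():
        print(code, "->", installs)
```

A repeat registration from the same installation (AAAA-1111) and a reinstall weeks later on a second machine (BBBB-2222) are not flagged; only the code that appears on four installations within two days is.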
Basically, Baldwin was proposing that companies interested in securing their programs attack the source of the problem -- the people willing to download cracked software -- instead of only going after the crackers.
It's a novel tack, and it might work, since the regular users cause many of the problems, as some here noted. Not only do they download pirated software and music: They also install "untrusted" software, they click on all the attachments that come into their mailboxes, they don't take the time to install security patches and they choose the password "password" to secure their banking data.
That concern came up on Tuesday at RSA when Jim Roskind, the chief scientist of AOL Time Warner who once worked on security for Netscape Navigator, was asked about the many features the company added to the browser that gave users the chance to surf insecurely. "You guys added JavaScript," the questioner said accusingly. JavaScript and similar scripting languages from Microsoft have been among the main ways that viruses have passed through the Internet: the Love Bug and Anna Kournikova viruses were scripts.
"I fear the question is a little bit political," Roskind said. "But you know why we added it. We did it for the users, because users wanted it." And users did like scripts -- they allowed fun things, like pop-up menus and funny messages when you rolled over a part of the screen.
When various security problems did eventually occur with scripting languages, people were repeatedly told how to shut down scripting support in their browsers -- but the problems kept popping up, indicating that folks weren't really paying attention.
The new approach in security is to let administrators take over the security measures for users. For example, the "Professional Edition" of the upcoming version of Windows, which was being displayed here on the expo floor, will feature controls to let IT people "lock down" employee desktops.
If an IT manager specifies it, an employee can be prohibited from downloading software, from installing new programs and -- especially handy -- from running VBS scripts that come in via e-mail.
It's a nice set of features, and could work well in preventing Love Bug-like disasters. But one can guess that employees will grumble if their administrators prevent them from clicking on attachments, especially ones that look like they're coming from a friend who just wants to say she loves you.
Worse, the "Home Edition" of Windows XP -- the one that will likely be shipped with all new PCs sold -- won't have the feature to prevent people from running attachments. By default, it will run scripts.
Why? "We think that's a policy decision," said a Microsoft rep, meaning that, well, people would get mad if they couldn't run their attachments. "There really is no solution for home users just yet," he said.
(Of course, there is a solution: People can turn off the scripts by themselves. But we've seen how well that works.)
And that, in the end, is the real problem. Few companies want to upset users by making things too difficult for them, and by restricting access to "fun stuff" over concerns of security.
Even Baldwin, who advocates "scaring users," admits that his go-after-the-people approach might backfire for the company.
"It makes the firm look bad," he said.