Would you let users vouch for unknown software's safety with an upvote? Google does Google has revealed that its internal anti-malware tools include a “social voting” scheme that lets staff vouch for code they want to install won’t do any damage. The ad and search giant’s rationale is that blocking all unknown software works but may limit productivity, while blocking only known unsafe software requires a lot …
Google gives no particular trust to its internal network:
Google reveals own security regime policy trusts no network, anywhere, ever
They have no notion of "same network".
I believe that the saying is "Convenience trumps security"?
I am surprised that corporate policy allows the downloading of random software on to corporate machines, since for most use cases surely the tools required for people to do their jobs are pretty well-defined, and there is a process to request new software approvals.
With this approach the bad guys only have to be lucky once (dependent on other security countermeasures), and it doesn't matter if the user will downvote in future, the damage is done?
Unfortunately, in far too many companies, corporate PCs are not locked down.
I don't see this doing much good, though, since whoever first wanted it with upvote it and get their peers and friends to do likewise. Also, much of the problem stems from management who will not want to limited.
To get Boaty McBoatfaced means that you’ve made the critical mistake of letting the internet decide things. In other words, as much as we revere democracy, there are times — and they do typically involve the internet — when one’s fellow citizens deliberately make their choices not in order to foster the greatest societal good, but, instead, to mess with you.
The city of Austin, Texas, got McBoatfaced, for example, when it asked the internet to name its waste management service. The internet obliged by suggesting it be named in honor of Fred Durst, the frontman of the rock band Limp Bizkit.
Taylor Swift and VH1 got McBoatfaced when they asked the internet to choose a location for her forthcoming concert. The internet obliged by choosing the Horace Mann School for the Deaf and Hard of Hearing. (Ms. Swift, proving once and for all that she is a good sport, donated $10,000 to the school, before settling on another venue.)
But sometimes these episodes can take a darker turn. Mountain Dew got McBoatfaced when it asked the internet to name its new flavor. The internet — largely driven by members of the message boards Reddit and 4chan — obliged by naming the new flavor “Hitler Did Nothing Wrong.”
before you've had the chance to run the software to find out if it's a "Bad Idea". Hmmm.
How about making it so the new software can only be run in an virtual machine with very restricted connectivity and only if the experience goes well, and the malware and anti-virus are happy, allowing the user to "upvote"?
Yep. And at the last 2 software houses I worked at, devs caught installing software off their own backs would end up on the wrong end of a disciplinary procedure! A written warning at best, a shoe carton with their personal possessions and a boot up the rear at worst.
"This stuff will get run anyway" Not if the company uses MDM software effectively.
Our company "proposed" Policy (to allow work Email on phones) - No unapproved apps (pretty much no non-work app) can be installed. Yep harsh, but we hold your finances, and "your" security is more important that an employee getting coupon pop ups all day. They can use their own device for that.
Android phones (I like them but) have more malware than ever before and keeps gowning. Thanks mostly to google security policies, and the rest on the scammers that take advantage of them.
I've yet to find the bottom of how far people will go to prove just how stupid they are.
Just the last few days have made me question Darwin's theory of evolution since people as stupid as I've met recently should have choked to death on a hammer or other large inedible object long before they reached breeding age.
Asking these people to decide on what consitutes malware seems somewhat of an irrational decision. These being the same people that will curse science as dark magic when asked to get vaccinated on their high technology mobile phone device. Which they seem to think was grown on an organic phone farm.
An ExCo meeting following a breach.
CEO
"So the breech has cost is millions in pay outs, legal fees and our customer base is rapidly shrinking because no one trusts we can deliver anything safely."
CRO
"Well Mr CEO, the software that brought the malware into the company had a lot of upvotes... So we thought we would go with that one."
Or...
An ExCo meeting following a lack of downloads.
CEO
"Our customer base is rapidly shrinking because no one trusts we can deliver anything safely."
CRO
"Well Mr CEO, we don't have the necessary number of upvotes for potential customers to be sure our software isn't malware, so they don't download it."
As an ex-Googler, this was my thought exactly. This looks like a very Googly solution to a very Googly problem.
When I was there, we had >30,000 devs. And one code repository. There is nothing like the feeling of being one of a hundred or so people responsible for figuring out if you personally had broken the build. "Builds character", I believe is the phrase. So personal responsibility is a real thing.
Moreover, like most shops, I was root on my box. The ME was beyond my reach, which was good. And yes, there developers are better than average, which also matters.
Having said all of that, I don't believe for a moment that this tool is a match of what is actually going on inside. The priesthood of readability is already well established, and it makes 0 sense to allow a green grad to directly affect such a process. I expect that there is a new priesthood for this, and that the priesthood is functioning with a tool like this one.
It's an interesting idea, and could work IF configured correctly. For instance : set x to the total number of users allowed to upvote, and set the "allow" threshold to x+1.
Users think they have a say in the matter, and sysadmins don't lose sleep in the knowledge that said users actually don't. Win/win.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
