The Dancing Bunnies Problem
How to keep users from doing bad things - don't.
Plan for bad things instead.
The problem as simply as I can restate it is that users with the power to do what they want will also do bad things unintentionally even if they have to work at it.
What's the dancing bunnies problem?
It's a description of what happens when a user receives an email message that says "click here to see the dancing bunnies".
The user wants to see the dancing bunnies, so they click there. It doesn't matter how much you try to dissuade them, if they want to see the dancing bunnies, then by gum, they're going to see the dancing bunnies. It doesn't matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they're going to go and see the dancing bunny.
Bunnies Happen!
What if UAC were triggered not by tasks, but by activity, together with the risk that activity exposes the user to? With ZoneAlarm (which I used to recommend) you get a learning phase and then an alarm for unusual network activity. The same thing could be applied to every file access, with the parameters of normal interaction based on data collected over the internet. I imagine a whitelist sandbox OS where any application can be downloaded and installed, but the system would run the installation inside a sandboxed image and, once it completed, download information about the application: how often it is immediately uninstalled, whether virus scanners flag it, and what it could potentially interact with. Something along the lines of:
Snapshots currently use 3.5% of available disk space.
You've downloaded and installed dancingbunnies.exe, which has the following associated information: 85% of users who installed dancingbunnies.exe uninstalled it within 2 hours. It has been flagged by ClamAV, Symantec and McAfee as a virus. Where dancingbunnies.exe has been installed, 72% of users indicated it caused unwanted effects. dancingbunnies.exe has access to: delete any file, change the way your computer works, send email without your permission and download files that may be illegal to have on your computer. You may:
[Discard these changes] (63% popular)
[Activate these changes for a limited time] before being offered the option to remove them later (23% popular)
[Activate these changes permanently] (14% popular)
Choosing to discard would remove and delete the system snapshot. Choosing to activate would result in the user running in an instance of the system which would be using a differencing snapshot image. Choosing to activate permanently would discard the differencing snapshot and make the changes permanent.
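A constructed toy model of the three outcomes just described, added here as illustration (it is not code from the post): the system image is a dict of path to contents, the installer's recorded actions land in a differencing overlay, and the user's choice decides the overlay's fate. The "/system/" path convention and the recorded-action format are assumptions.

```python
# Toy model of the snapshot flow described above (constructed example, not code
# from the post). "/system/" as the marker for system files is made up.
SYSTEM_PREFIX = "/system/"


class DifferencingSnapshot:
    # The base image is never written; the installer's changes land in an overlay.
    def __init__(self, base):
        self.base = base
        self.overlay = {}     # path -> contents written by the installer
        self.deleted = set()  # paths the installer removed

    def write(self, path, data):
        self.overlay[path] = data
        self.deleted.discard(path)

    def delete(self, path):
        self.overlay.pop(path, None)
        self.deleted.add(path)

    def view(self):  # what a system running on the snapshot sees
        merged = {**self.base, **self.overlay}
        return {p: d for p, d in merged.items() if p not in self.deleted}

    def resolve(self, choice):
        # discard: drop the overlay; limited: keep running on it; permanent: merge it
        if choice == "discard":
            self.overlay, self.deleted = {}, set()
        elif choice == "limited":
            return self.view()
        elif choice == "permanent":
            for p in self.deleted:
                self.base.pop(p, None)
            self.base.update(self.overlay)
            self.overlay, self.deleted = {}, set()
        else:
            raise ValueError("unknown choice: " + choice)
        return dict(self.base)


def sandboxed_install(base, actions):
    # Replay the installer's recorded actions into a snapshot and note what it did,
    # which is where the "has access to" list in the prompt would come from.
    snap, observed = DifferencingSnapshot(base), set()
    for action in actions:
        if action[0] == "write":
            snap.write(action[1], action[2])
            if action[1].startswith(SYSTEM_PREFIX):
                observed.add("change the way your computer works")
        elif action[0] == "delete":
            snap.delete(action[1])
            observed.add("delete any file")
    return snap, observed
```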
Two of the actions described are already basically available with varying methods, but I've never seen them brought together into a single system. Microsoft's virtual server seems to (I'm almost certain) do differencing snapshots as described here. Jotti uses multiple scanning tools to identify the AV systems that flag a file as a virus. The third major component (tracking the usage, acceptance and rejection of software) would become available through the vendor tracking databases, which mostly already exist, if not in this exact form. Recognising what an application would be capable of would require a robust sandboxing system, which I realise is a challenge but don't think is an insurmountable one.