I want to take this one step farther.  There is a sales mentality that 
computers CAN be bought, plugged in, and on the web in 10 minutes.  
Therefore, they SHOULD be bought, plugged in, and on the web in 10 
minutes.  I find this inherently incorrect and bordering on arrogant.

We do not require computer users to know two cents worth about their
machines or their safe use.  We require waiting periods, licensing,
training, and legal registration for the purchase or even use of guns,
cars, motorcycles, heavy equipment, arc welders, etc, but nothing for
computers.  Even now, computers and "security tools" like GPG and basic
encryption are being criminalized as tools of terrorists, when the truth
is closer to "terrorists are safer, more knowledgeable users of basic
computer functions than most Windows users".  Frankly, I applaud their
steps taken toward privacy and discretion and smart computer use; when was
the last time the US government cracked a terrorist network or fed it a
virus in a Word document?  MS commoditized and simplified the entry-level
OS and released it into the wild.  It is generally speaking insecure,
buggy, and exploitable.  Common users are generally naive about its
workings and its safe and controlled use in public (networked).  By
engineering remote control software into XP, MS has shown that they
continue to prefer and promote a naive user base and centralized boo-boo
management.

I disagree strenuously, on grounds economic, social, political, and
functional.  I believe that users with increased clue would trade messages
and data in portable formats, not shiny ones, so that they can be reached
from any commoditized machine in any library, home, or educational
institution.  Anything from an industrial dumb terminal to a library PC to
a college Mac should be able to read email and browse the web with at 
least some functionality.  I believe that more clueful users would rather
keep their private info private than let MS into their machine or let 
their cd player (Media Player) report their listening habits back to a 
vendor.  I believe that users would feel safer about themselves and the 
world at large if they had the basic intellectual tools to avoid every 
virus-infected email attachment that gets sent them.  Understand, please, 
that the vast, VAST majority of viral traffic is instigated by curiosity, 
not by brute force.  More people open unknown email attachments, after the 
years of Melissa and Nimda and HappyWorm, than are infected by 
sophisticated autoexecuting binaries in their unopened mail spools.  Those 
sophisticated worms ARE a problem, but they are the Ebola virus in a world 
where millions die for not washing their hands before they eat.

The native faculty of Windows to execute any virus that comes down the
pike from what SHOULD -- by all measures functional and reasonable -- be a
text-only environment is a problem.  An out-of-box problem.  It was
mentioned earlier that a new user on an out-of-box machine is not
necessarily "insecure", and I disagree to the very last iota.  XP comes
preinstalled with the ability to turn on your PC's mic, call home to
Microsoft, and allow internet access to your filesystem, all without your
permission or even knowledge.  Don't leave home WITH it.  I am running one
XP box right now, months after it has been proctologized and patched into
delirium.  I'm still behind a firewall, and I still read all my mail in
either PINE or Mozilla, in plain text, thank-you-very-much.  

I'm not an OS bigot; I've got four copies of Windows installed in my
house, three of them dual-booted with Linux.  I am, however, placing the
blame for this "security" problem where it belongs, the official practice
of turning loose self-aware "appliances" that run programs out of text
documents and expose raw network sockets to every process on the box.  
Users who want mail and web should get a non-root account on a box that
runs Mozilla or Opera or Netscape.  I believe Windows would be a better
place if it allowed an Administrator privilege set for doing system
maintenance, but not as a desktop login.  Login as Joe, try to run a
system-critical process, and get an su-style popup that requests an
Administrative password.  It serves the purposes of awareness and
prevention and makes people realize there's more to driving a car than
turning on the radio.

-- 
-j

John Beamon

On 3 Jul 2002, mat branyon wrote:

> Date: 03 Jul 2002 12:26:51 +0000
> From: mat branyon <[EMAIL PROTECTED]>
> Reply-To: [email protected]
> To: [email protected]
> Subject: RE: [brlug-general] IE un-Security
> 
> just bc someone is ignorant of certain matters does not mean that they
> should be sheltered.  if they want to use email and chat, and do all the
> other fun things that the net has to offer, they need to realize that
> security is a big issue, and they need to take care of it.  just bc i
> dont know how to work on cars doesnt mean i shouldnt have an alarm
> system or change the oil myself.  im not saying they should be able to
> resolder sockets back on their motherboard, but they should know the
> basic maintenance skills to keep their computer running. 
> 
> on the other hand, if they could all do that... there would be a lot
> fewer jobs for computer techs (like me).  
> 
> the moral of the story is... people need to learn to think on their own,
> even if it might cost me a decent job... :( i would much rather a world
> less full of ignorance
> 
> --mat
> 
> 
> On Wed, 2002-07-03 at 14:42, Doug Riddle wrote:
> > I want to wade in on this one, because I can see both sides.
> > 
> > I'll use my father as an example.  He is very intelligent, a former
> > general of the US Army, captain of industry, etc, etc.  He is not, by
> > any stretch of the imagination computer literate.  He can use a PC
> > and send and receive emails, but if the screen changes colors, he
> > calls for help.  To him, a computer is a "blackbox."  At almost 70
> > years old he has no interest in trying to learn the workings of said
> > box, he just wants to stay in touch and talk to some old friends.  He
> > should be able to do that in reasonable safety.  He understands there
> > are security issues, and has accepted the fact that his ignorance
> > will occasionally lead to his PC being wiped out.  He counts on
> > keeping a low profile and a decent virus scanner to protect him from
> > most problems, and it will.
> > 
> > I, on the other hand run some domains, manage some websites and love
> > Linux.  My exposure is higher, and I have to take more steps to be
> > sure that not only am I safe, but that I am not unwittingly used as a
> > tool by someone else in a DoS or worse.
> > 
> > Then there is the new user.  Unless they are so dense as to have to
> > have someone come over and turn on the PC and use the mouse for them,
> > they have to be aware of the basic threats a computer user on the
> > internet faces.  However, their skill level does not allow them to
> > combat these threats.  Informing them of specific threats on a
> > constant and consistent basis does them no good, as they cannot
> > respond.  It is a sad but true fact that there is more misinformation
> > than factual information available.
> > 
> > It is deplorable that Microsoft doesn't make a better effort to
> > secure their software and educate their customers.  Given the current
> > disasters in the American corporate model it is not surprising that
> > Microsoft treats their customers as non-entities, but it is
> > unethical.
> > 
> > So, what is a good approach to sending out notices about security
> > flaws?  Probably a new mailing list.  Anyone that wants to subscribe
> > and try and protect themselves can subscribe.  Advise the new users
> > to tackle the basics before subscribing.  That way it is a self-paced
> > system and those that wish to remain blissfully ignorant are welcome
> > to do so.
> > 
> > In a perfect world, these would not be issues, we do not live in
> > Perfect as the commercial says.  We live in a society where half of
> > the people are so failed by the education system that they cannot
> > read and write well enough to fill out a job application.  We need to
> > cut the new people some slack while they come up to speed.  Besides,
> > there is no surer teacher that fire is hot than a scorch mark on your
> > hand.
> > 
> > My two cents, US.
> > 
> > Doug Riddle
> > 
> > 
> > --- Jerald Sheets <[EMAIL PROTECTED]> wrote:
> > > But don't you consider it a moral issue that common *REAL* security
> > > threats are not discussed freely?
> > > 
> > > I find that amoral at best and criminal at worst.  In any event, it
> > > does a disservice to new folk.
> > > 
> > > A very palatable method of succeeding at free discourse without the
> > > detriment of speech deprivation :-)  would be to have a
> > > "clickers-announce" list where such items are "announced" as they
> > > occur, and then in the context of the same message you could present
> > > the time and place (and cost if applicable) of the discussion "what
> > > it is and what you can do".
> > > 
> > > As an educator, I would find this a fine occasion to divert from
> > > standard curriculum, and follow a thread explaining the state of
> > > security today, what it is, how it works, and what you can do.
> > > Simply quashing a free discourse on said topic does a service to no
> > > one....ESPECIALLY newbies.
> > > 
> > > --JMS
> > > 
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] 
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Larry Braud
> > > > Sent: Wednesday, July 03, 2002 9:07 AM
> > > > To: [email protected]
> > > > Subject: Re: [brlug-general] IE un-Security
> > > > 
> > > > 
> > > > John, the problem is, a very large percentage of the 
> > > > membership of CC are New-Newbies. They just got their 
> > > > computer, (in hours usage), and are afraid to turn it on if 
> > > > someone says "security problems". You have to remember that 
> > > > on a 1 - 10 scale, the Linux group are at an 8 - 10 and the 
> > > > members that we teach are in the 1 - 3 range. Security 
> > > > problems are real and I try to address it every workshop I 
> > > > give, but a lot of the CC membership still don't even have 
> > > > the basic antivirus or firewall software even though you can 
> > > > get them free. Larry
> > > > 
> > > > > John Beamon wrote:
> > > > > "Holy crap", indeed.  Is it really PI to mention security problems in
> > > > > the Clickers' list?  What else do 1500 ppl talk about on a daily basis
> > > > > in what is essentially a Windows club?
> > > > >
> > > > > oof!  That was harsh.  I'm sorry.  It slipped out before I could
> > > > > restrain it.  No offense intended.  Seriously, when MS' own Supreme
> > > > > Architect (or whatever his title is this week) goes for Trusted
> > > > > Computing (TM) and makes security job #1 for the world's largest
> > > > > software company, it seems that a basically Windows club would
> > > > > consider this an important subject to converse freely about.  I mean,
> > > > > if I checked my mail more than my securityfocus.com and cert.org, I
> > > > > would APPRECIATE people pointing out major security issues from time
> > > > > to time.  Finding the subject gauche is just obtuse beyond belief in
> > > > > modern computing times.  No offense intended, but I "don't get it".
> > > > >
> > > > > -j
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > General mailing list
> > > > > [email protected]
> > > > > http://brlug.net/mailman/listinfo/general_brlug.net
> > > > >
> > > > 
> > > > 
> > > 
> > 
> 
