On Mon, 12 Feb 2001, Derek Martin wrote:

> Today, Niall Kavanagh gleaned this insight:
>
>
> > Cars kill millions of people every year. Fortunately we don't HAVE TO use
> > them.
> >
> While you have a valid point, there IS a difference.  The vast majority of
> people who use these wonderful on-line services have NO IDEA that they may
> be putting themselves at various forms of risk, because they know
> absolutely NOTHING about the technology.  Most people couldn't even
> conceive of the idea of someone hijacking their encrypted browser session
> in which they do their banking, for example.

Find me one in ten that drives that can draw a force diagram, or Newton's
acceleration equations.  People hear, seems every day, of another break-in
(or DoS, which they frequently think is the same thing) at a given site;
they're aware that there are security risks -- just like they know about
drunk drivers, black ice, and wet leaves.  It doesn't mean they know about
IP spoofing, just as much as they don't know about friction coefficients,
or the rate at which alcohol is metabolized.  Being aware of the risks,
without truly understanding them, *has* to suffice in most cases, because
otherwise we'd all be in school 23.5 hours a day.  It's an imperfect
world, and one has to cope as best as possible.  Note: this is not an
excuse for ignorance.  If one is (say) a network admin, or a breathalyzer
manufacturer, or a NASA flight engineer, you'd *damn* well better know
your business -- because it's your specialty.  We have the responsibility
to help people lead as security-conscious an existence as possible, but it
falls short of having them rip the wires out of their walls (cheap
allusion to "Press Enter", by John Varley -- damn good novella; go read).

$.0000000002.

-Ken

> Whereas in both cases you mentioned, most people who attend school (at
> least in this area) are afforded easy access to education about those
> topics.  If you fail to make use of that access, that's your business. But
> at least you have the opportunity.  High schools in this area offer
> driver's ed. classes, and I've had electricity awareness as a topic
> (though certainly not an entire semester worth) at multiple levels of my
> education.
>
> For the average person to really understand the risks involved with
> putting services on-line, the education they would need to obtain is
> extensive.  Most people have neither the time nor the desire to obtain
> this training.  The computer is a tool that is supposed to make their
> lives easier, and that's all they want to know.  And the providers are
> happy to keep them ignorant, because it's cheaper for them, both to
> provide the riskier services, and to not educate them.
>
>
> > Sysadmins can often attack the very users they are trying to help.
> > Fortunately, you don't HAVE TO... um, nevermind.
>
> I'm not going near that. ;)
>
>
> > Life is all about risk management, trading off perceived benefits for
> > possible threats. I don't have to use E-Trade, but I can't bear the
> > thought of dealing with a broker every time I want to trade a stock. The
> > perceived benefit for me far outweighs the possible risk.
>
> Exactly.  I have no problem with these services existing, and even use
> some of them myself, from time to time.  But, though I would not call
> myself a computer security expert (or anything reasonably similar) by any
> means, I have a pretty good understanding of what the risks are, and can
> make an informed judgement about whether or not I want to use those
> services.  What percentage of people who use, say, on-line banking
> services, would you say have that understanding?  I obviously can't
> provide you figures, but my expectation is that it's very, very low.
>
> My own experience at a previous job working with people who work in a
> high-tech field suggested exactly that (though I won't go into that in any
> detail for various reasons).  Even a few people on this very list who work
> in software, or even in OS design, have admitted that they don't really
> know much about computer security and/or electronic communications
> security.  If THEY don't, what chance does Doctor Joe or Lawyer Jane, or
> Fred Average office worker stand?
>
> Even that isn't my biggest gripe.  My concern is that given the inherently
> insecure nature of such transactions, that there should always be
> alternative ways to accomplish the same task.  For example, in the case of
> on-line banking, there should always be real tellers to whom I can go and
> get a written receipt of my transaction.
>
> Granted, NO method of transacting (anything) is completely secure, but
> obviously some are more risky than others.  I should not be FORCED to use
> more risky services when it is reasonable to provide less risky ones.
> Society should be careful to ensure that those less risky methods remain
> available.  We in the Linux community can, should, and often do work to
> make sure that those alternatives exist.  And I thank us. :)
>
>
> > I hate going back and forth with you guys, because you ARE RIGHT. I
>
> As are you.
>
> > completely agree with you (and Kenny). I just feel I should point out your
> > tolerance level for risk may not be the same as someone else's. As you said
> > "it's your choice".
>
> Everyone's tolerance for risk is different.  I was kinda busy when I
> posted my original (very brief) comment, but the point I was trying to
> convey is that there are usually alternatives, and even when there aren't
> you should know what you're getting yourself into, and I don't think
> that's really happening with these new on-line services and a variety of
> other new technologies (like biotech, communications, etc).
>
> If consumers are informed, then they may insist upon new (or old) ways of
> doing things that meet their needs and/or expectations.  That was more or
> less the sentiment behind my original response;  if you know that you're
> unhappy with the service that's being offered you, go to your service
> provider and insist they provide an alternative.  Let your friends know
> you're not happy too.  You can be sure that if YOU want something
> different, someone else somewhere wants the same thing.  If there's enough
> demand for alternatives, SOMEONE will meet it, because there's money in
> meeting people's demands.
>
> Also, it should be the burden of those service providers to spell out the
> risks to their customers. Of course, cigarette companies have known for
> decades that smoking is addictive and causes cancer, and we STILL can't
> get them to admit it even though it's become common knowledge, so I
> suppose I'm asking for too much.
>
> I've left out a lot of points that I would have made, but it's getting
> late and I'm sick of typing...  And as you said, we agree.  If you want
> to talk about this some more over a beer, I'll be happy to...  :)
>
>
>

