Keith writes:
> perhaps because they are shipped that way?
Microsoft ships servers with most security features set to low security, because
customers whine and complain otherwise. Customers buy on the basis of features
and ease-of-use, not security, no matter what they might claim to the contrary.
Put a product on the shelf that is configured secure by default, and it will
still be on the shelf ten years later.
> But do you really expect a user to understand
> that when he clicks on something that is apparently
> (to him) an image, or even a word procesor
> document, that it's going to *execute* something
> that can potentially infect his system?
Yes. It only takes a few seconds to learn.
And consider this: If a user cannot understand that he should not click on an
attachment, how do you expect him to ever understand how to deal with a truly
_secure_ system? One reason customers do not buy secure software is that their
end users refuse to deal with it. People hate to type passwords and hate having
any restrictions at all on what they can or cannot do with a machine.
> Microsoft deliberately ignored this advice and
> chose to make their users vulnerable - not just by
> making the content "executable" with a single
> click, but also by bypassing the safeguards in
> the content-type registration system.
Microsoft's objective is to stay in business, and to do that, it has to give
customers what they want. Companies that adhere to some noble ideal even when
this prevents them from actually selling anything aren't around for long.
If you want these standards adhered to, then I suggest you educate and persuade
users so that they demand them from vendors. Right now, it's just the opposite,
and so that's what vendors provide.
> Or are you saying that Microsoft employees are
> no smarter than the average user (whom you expect
> should know better than to "execute" a virus)?
Microsoft employees who are not IT specialists are no smarter than the average
user when it comes to opening attachments. There are lots of non-IT people
working at Microsoft nowadays, since it is a large company. Indeed, as it grows
larger and deadwood in management accumulates, even people who should probably
no better (based on their positions within the company) start to make these
stupid mistakes. This has become apparent many times, and I'm sure that other
software vendors have exactly the same problems internally.
> no, it's more like blaming automobile manufacturers
> for producing cars whose brakes fail when used normally.
No, it's more like blaming automobile manufacturers for brakes that don't apply
themselves when the driver is too stupid to apply them himself.
> Presumably, that includes the actions of those
> at Microsoft who chose to make their customers
> unnecessarily vulnerable.
It's not unnecessary. If that isn't done, nobody will buy the products.
It's convenient to blame Microsoft, but it's simplistic. All successful vendors
get that way by providing what customers want; if you don't like what they are
producing, then I suggest you look at their customer base, not at their
engineering teams.
