[Full-Disclosure] Anti-MS drivel
tobias at weisserth.de
Thu Jan 22 08:38:50 GMT 2004
Am Do, den 22.01.2004 schrieb Gregh um 07:07:
> > I'm dieing to know...
> What are you dieing? T-shirts? :)
Yes, foreign languages are hard to master. I guess "dieing T-shirts" is
in the process of learning them ;-)
Maybe we should continue this debate in German then. Or Dutch. Or
French. Choose one :-)
> > You didn't understand this. Not one bit.
> Nope, YOU didnt understand this "not one bit".
I guess we're stuck then. Nothing you are going to say or compare will
change my view and vice versa.
> > If you are a vendor and you ship a software that is intended to be used
> > by average Joe and average Jennie then _you_ have to take this into
> > account.
> If the user is so stupid as to not have someone check his computer and
> secure it, then it isnt the problem of the OS vendor *WHERE* the problem is
> something like a keylogger though admittedly, if the OS is to blame, there
> is some reason to blame the OS manufacturer.
If the consumer version of an OS requires "someone to check his
computer" then there IS something major wrong with the product. Excuse
me, but this is trivial.
> > Why is it possible that a user is able to make this mistake?
> Oh COME now! Are you so INSULAR that you dont realise the real world?
I do realise. But do manufacturers? If this is so natural to you why
don't you think that it's a bad idea to ship an OS WITHOUT the option to
open attachments from within email clients?
> wife works for a MENSA member, a recognised genius who would likely have
> more brain capacity than most people in the world. He doesnt have a CLUE how
> to secure his computer. WHY? He isnt in the least INTERESTED in computers
> outside of using them to do his work on. Oh and BTW, his work, nothing to do
> with computers other than using them as a tool, made him a
> multi-millionaire. Why the HELL should this guy, according to you, *HAVE* to
> know what he is doing with a computer. He, likely, has more money than you
> and I put together EVER will have unless one of us wins over 300 million US
You know, money isn't my ultimate goal in life, so let the guy have
another 300 million ;-) I don't measure personal achievements in money.
> In my book, this guy is devoting his time the best way possible.
> Learning what to do with computers to the extent where he can lock it down
> is actually financially irresponsible to him. He can PAY someone US$200 an
> hour to do that and per hour STILL come out in front by a LONG shot.
Why should owning an consumer version of an OS require ANYBODY (no
matter how rich or poor) require an additional administrator?
I haven't seen a sign on the shrink wrap of Windows XP Home that says
"Administrator not included".
Obviously you think too that Windows XP Home can't be used without
professional help so of course there's something wrong with the product.
> What IS it with computer/I.T. professionals (or those who know as much even
> if not so employed) that they think just because THEY know how to do it,
> everyone SHOULD know?
Now you are talking my way. How does this fit in with the idea that
everybody should have his personal IT guru at home?!
> Not everyone is INTERESTED and not everyone thinks it
> is a good use of their time!
So he shouldn't be bothered, right? Why does he have to hire someone
> > Why can attachments that come in via email be executed by a user?
> Why not?
Because it poses a significant security threat. And every sane OS
designer _knows_ there billions of potential users who'll blindly do it.
A bright designer foresees this and designs his product in a way users
can't blow themselves into oblivion.
> In benign situations it is often helpful to a user. Just because
> Mr. Nasty decided to exploit this for whatever reason doesnt make it a BAD
Yes it does. Of course it's nice to leave the door open while you do
shopping. A constant draft of fresh air will flow through the house. But
it's a VERY stupid idea because everybody knows that open doors provoke
> It just makes it a co-opted idea. Education is the fault here.
Then have fun. Explain security to consumers. It NEVER has worked and it
NEVER will. Look at it!! Viruses are part of business life for almost a
decade now and people still are falling for "Hi... Test" and start an
attachment that is named randomly.
You yourself said that this rich guy doesn't bother how to secure his
PC. What makes you think he is willing to spend his time on "education"
about how or not to open an attachment?!
> The person doesnt KNOW what they are doing yet are blindly clicking anyway. If
> they didnt get someone to educate them or tie things down to safeguard
> against this, then THEY are at fault.
That's where we differ. If a vendor can't produce a product in a way the
consumers use it in a safe way without education then the product sucks.
> Why can a car be started by ANYONE with the key?
Again: cars and computers are not comparable. If you've already made the
assumption that every user should be required to have a PC license to
operate it then this may be true but luckily the PC revolution isn't
bound by "driving permit" for users.
> If someone starting that car without the permission of the
> owner takes it and runs over another person, killing them, is that the fault
> of the car manufacturer?
If the key is built into the car and can't be taken after you lock it,
THEN OF COURSE it is the fault of the manufacturer when such things
Face it. No matter what glorious comparison you get think of, I'll turn
it against you because comparisons are simply not applicable here.
> > This is software design flaw, not a user mistake.
> > This is a matter of definition, Greg.
> > When I say that the user is always right then this means that software
> > has to be adapted to the users education and not the other way around.
This is the essential "soul" of my view. If you can't live with that you
shouldn't ever design consumer products ;-)
> A common setup - Say WIN98 with Internet access. They call in someone and
> tell them they want to be as secure as possible. That person installs (name
> your flavour of WIN98 compatible AV prog here) which works well and also,
> say, Zone Alarm *free edition*. The person, still no wiser as to
> executables, receives an infected one from a friend who has an infected
> machine and didnt actually send it to them but the person thinks it is from
> them anyway so executes it. Their AV prog jumps in at this point, stops it
> from executing and informs the user that it was a virus and gives the name.
> The user doesnt HAVE to worry about thing that way.
Yes, he HAD to worry. He had to ask someone to fix it. I'm asking the
vendor to fix it in the first place. It is a fictional assumption that
every consumer can ask somebody to fix his computer. I have stopped
counting the hours I've spent in front of friends and family's machines
"fixing" things. This is lost time on my account. I should bill an
invoice to MS ;-)
> This IS software already around adapted to the least knowledgeable computer user.
Why does he use someone to install it or even realise he needs it?!
There is a gap between your statements and the way you try to prove them
> The fact that the infected exe CAN be run doesnt mean there is a design flaw.
Yes, it is. Of course there is. This isn't a useful feature anymore. It
is a dangerous feature. So it should be turned OFF by default. People
may turn it on again but it should come turned OFF by default.
> You will never stop viruses happening while the world still uses PCs the way they are now
> and it doesnt matter what OS you use.
No we will actually never stop viruses. But by redefining what's a
useful feature and what's a too dangerous feature we can _limit_ the
affects of viruses. If only 3 out of 10 users who click on an infected
attachment manage to turn on again the option to run attachments from
within their email client and the other 7 fail to do so then we have 70%
less infected machines on the net.
> There are enough on any of them AND
> Macs to make people who KNOW what they are doing at least think about them.
> At this point I took the time to read the rest of your letter instead of
> reading while replying because I was a little amazed at your lack of
> understanding of the real world OUTSIDE of computers and I realised I would
> never convince you that the world operates not the way you want it to but
> the way it will, so I have to give up right now. All I can say is that
> experience will, one day, light the way.
Mmh. "My lack of understanding of the real world outside of
Well maybe I know more about the real world then you Greg. You see, _I_
have lived and worked in a couple of different European countries, I can
speak four languages (even if I die T-Shirts occasionally), I know why
online banking in Europe requires more than just an account and I have
realised that there seem to be a problem users are having in using the
typical consumer OS. So this makes up for a "lack of understanding of
the real world"?!?!
Well maybe I don't know anything about "down under" because I have never
been there and if the real world ends at the cost of your continent in
your mind then of course I don't know a thing about YOUR "real" world.
Think about it ;-)
If you want to continue THIS debate you may gladly contact me
personally. I'm really interested about Australia and some day I'll
Full-Disclosure is hosted and sponsored by Secunia.