From: kluge at fujitsu.com.au (Steffen Kluge)
Subject: CyberInsecurity: The cost of Monopoly

On Wed, 2003-10-01 at 02:30, Schmehl, Paul L wrote:
> We don't let people drive cars without some proof that they know how.
> We don't even let them neglect the maintenance any more (think emissions
> inspections.)  Why should we let people use computers with no training,
> no awareness of the potential trouble spots, no idea what they're
> getting into?

Because, unlike driving your personal car, operating your personal
computer isn't likely to injure or kill someone.

> That's insanity.  And that's why we have hundreds of
> thousands of infections with every new iteration of a worm or virus.

Losing your frame of reference is a kind of insanity, too. Most people
rank infections with computer worms or viruses pretty low on the scale
of things to do with life and death, and rightly so.

> And IT people contribute to the problem by throwing up their hands and
> saying that the users don't want to learn or can't be taught.

Some IT people compound the problem by hysterical hand-waving, making
those with their feet on the ground (and money in their pockets) turn away
and stop listening.

> They
> *must* be taught.  There is no other way to solve the problem.

How big is the problem, though, and how much should we spend addressing
it? I'd prefer a differentiated approach, ensuring that critical
infrastructure is protected against onslaught without teaching every mom
and granny in the world how to patch a PC. Ideally everyone, home users,
corporations, government organisations, you name it, should assess the
risk to their assets and come up with a proportional response.

Given the lack of risk assessment capabilities in the general
population, the approach for selling other potentially dangerous
products should be adopted: make it idiot-proof (difficult for the
average operator to hurt themselves) or face severe restrictions on
selling it. Again, keep in mind that the dangers of using software or
PCs are mostly those of wasting time, financial loss, identity theft,
but not injury or death.

Yet, they somehow manage to sell people sharp and pointy kitchen knives
- it's all a matter of risk mitigation and a dose of common sense (which
isn't all that common, as we know).

In short, if you think that inexperienced people operating PCs that can
boot into Windows is as dangerous as housewives (or husbands) operating
microwave ovens that can be turned on with the door open, you should
lobby for getting them outlawed, rather than relying on end-user
education. Or at least you should try to raise consumer awareness.

And, speaking of ridiculous analogies, I'd prefer 100 million PCs
infected with five different worms per year to the annual slaughter of
40.000 people on the road (in just the US, or in Europe). I'm not saying
there's a choice between those two, I'm just pointing out the vastly
different levels of severity.

Cheers
Steffen.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031002/c4410c5c/attachment.bin