| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: tobias at weisserth.de (Tobias Weisserth) Subject: Anti-MS drivel Hi Paul, Am Di, den 20.01.2004 schrieb Schmehl, Paul L um 17:01: > But the *real* problem isn't the OS, it's the users. Actually, that's wrong. Users are never the problem. It's always the software. When a user doesn't understand something, then there's a problem with the software, not the user. When a user doesn't operate the software in the way the developers intended to, then there's a problem with the software. Customer is king. Always. Why should every single user on earth have to worry about virus updates, personal firewalls and so on? They want to USE a PC not secure it. Any attempt to deliver software in a state as secure as possible without cutting too many features must be welcomed. Any practise where software is delivered "with open doors" should be considered a fatal flaw. When a user has to act in order to deactivate features he doesn't use that are potentially dangerous then this is wrong. There shouldn't be any "opt-in" into security. If individual users discover they need an additional feature of their software that adds to overall risks then let those individual users find out how to do that. That's education. Not the other way around. If they have to do something on their behalf to use risky features that the majority doesn't use, then they actually educate themselves in the process. If you want to have a webserver running on your box, then it's better there isn't one by default and the user has to find out how to enable it and how to enable it SAFE. The majority of users who don't, won't have to care about this. Users should always have to "opt-out" from the more secure setting into the risky setting. The "anti MS" drive IMHO results from the fact that MS has practised "opt-in" into security far too long. One of the most striking examples giving evidence to this is the fact that _AOL_ had to shut down the Windows Messaging Service on its clients PCs because clients were complaining about receiving unwanted ad messages that way. I find it very striking that this feature seems to be activated by default in an OS that is aimed at the end user, a single connected machine connected to the Internet by mostly a modem or some other form of dial-up connection without something in between. Delivering an OS with such a feature enabled leaves millions of users to disable that feature while only a minority actually makes good use of the feature. This is just one example of many. The Blaster worm is yet another example how "opt-in" into security fails. Why do private, single connected machines to the Internet use an open RPC port by default?! Obviously there hasn't been a real use to it for most end consumers because the recommended Personal Firewall just shuts it down. Why has it been enabled for millions of end users by default? Just because this is a feature that may be used in a certain scenario inside LANs? Again millions of end users who don't know about "RPC what?!" had to act to "opt-in" into security. This stinks. THIS is why MS is drawing so much bad attention here. It's not because people don't like the colours of Windows XP around here or because of the idea that Windows is not a good OS. It's about "opt-in" into security. And the blame goes on MS for this. Nobody else. cheers, Tobias W.
Powered by blists - more mailing lists