Date: Fri, 6 Feb 2009 09:36:32 -0500
From: Kevin Wilcox <kevin@....appstate.edu>
To: Yudi Rosen <yr42.lists@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	Jimmy Astle <astle.j@...il.com>
Subject: Re: Windows 7 UAC compromised

2009/2/6 Yudi Rosen <yr42.lists@...il.com>:

> But Joe the Plumber doesn't want to have to click on endless 'confirm'
> dialogs every time he tries to use the computer. Simply having him run as a
> non-admin user only fixes half the problem.

No, it doesn't fix anywhere *near* half of the problem; it doesn't
address that we have millions of people that use their computers
without knowing anything about them.

"But not every car driver needs to be a mechanic!" Yes, I know this,
but every driver needs to know that there are laws and rules
concerning how they drive and what happens when a 1200 kilogramme car
hits a 100 kilogramme pedestrian at 70 kilometres/hour. Every driver
needs to know they need to have their tyres rotated and their oil
changed. There are things you must know beyond, "accelerator,
decelerator and steering wheel".

"But a computer isn't going to kill anyone if someone gets infected by
a virus or trojan!" Yes, I know this, too, but if you're mixing
questionable software and surfing habits with online banking and
shopping, it's a recipe for destruction. Welcome to identity theft and
empty bank accounts.

We can either continue to pretend like it's *only* really crappy
software or we can realise that it's a combination of easily
exploitable software, user ignorance and user apathy. You can give
them an operating system that has been vetted and been through
multiple code reviews by people that really do know secure OS design
but they wouldn't be able to accomplish anything at all. So what do we
do? We give them operating systems that are less secure, hope they
don't shoot their feet off and turn them loose with it - but we don't
shoulder the burden of training them. Some of us do but we, as a
collective, do not. Until we can properly educate our users, all we
are doing is trying to mitigate risk in the best ways we can while
still providing them a service. I maintain that by not educating our
users we are failing in that goal.

kmw

-- 
Far better is it to dare mighty things, to win glorious triumphs, even
if chequered by failure, than to take rank with those poor spirits who
neither enjoy much nor suffer much, because they live in the grey
twilight that knows not victory or defeat.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/