Message-ID: <20030930194101.GB53391@netpublishing.com>
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: User responsibility [was: CyberInsecurity: The cost of Monopoly]
This discussion appears to have ranged into the "should users be required to
be responsible for security" arena. So be it.
First, the people making the car analogies - I live in California, and I
also am a licensed pilot. If the government required people to train, test,
and recertify their driving skills as often as aircraft pilots do, there
would be (a) far fewer drivers, (b) far fewer accidents, (c) far higher fees,
and (d) far less money made by auto makers, insurance companies, tire stores,
etc etc. The people who are making that money want more people on the road,
skilled or otherwise, because that translates into more money.
What does that have to do with security? Everything...if you believe that
money talks (at least in America). People, corporations, and governments
make decisions that are going to benefit them monetarily. I assert that
is part of why M$ products get shipped out the door untested and with so
many security flaws - because "time to market" equals do re mi money >-)
Having said that, I take the position that all software should be shipped
with few or no known vulnerabilities and with the default configuration set
so that everything is *off* by default. That way users are *forced* either
to learn how to configure and enable what they want, or else to have someone
with a clue do the work for them (another previous argument - job security).
G
On or about 2003.09.30 13:45:02 +0000, Michael Smith (mike@...e.com) said:
> Paul, you have a *slight* point with the fact that users need to be aware of
> security issues, but let's realize that no matter how easy UI's become,
> using/operating/maintaining a computer is NEVER going to be *nearly* as easy
> as driving a car. As far as not letting people drive a car without proof
> that they know how, my eyes tell me differently every day. Most people
> can't drive worth a damn.
>
> I certainly agree that computer users need to be aware, but as far as
> depending on that as the bottom line of defense, it just can't be. Your
> network is as secure as its LEAST secure point. All it takes is 1 lazy
> user to not maintain their machine and that's it. Obviously trained
> knowledgeable users should be everyone's desire, I just don't think you can
> rely on it for your network security. For my money, I'll hope all my users
> understand and follow the training I've given them.... but I won't rely on
> it.
--
Gregory A. Gilliss, CISSP Telephone: 1 650 872 2420
Computer Engineering E-mail: greg@...liss.com
Computer Security ICQ: 123710561
Software Development WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3