[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1065081102.15572.47.camel@syd0137.fujitsu.com.au>
From: kluge at fujitsu.com.au (Steffen Kluge)
Subject: CyberInsecurity: The cost of Monopoly
On Wed, 2003-10-01 at 02:30, Schmehl, Paul L wrote:
> We don't let people drive cars without some proof that they know how.
> We don't even let them neglect the maintenance any more (think emissions
> inspections.) Why should we let people use computers with no training,
> no awareness of the potential trouble spots, no idea what they're
> getting in to?
Because, unlike driving your personal car, operating your personal
computer isn't likely to injure or kill someone.
> That's insanity. And that's why we have hundreds of
> thousands of infections with every new iteration of a worm or virus.
Losing your frame of reference is a kind of insanity, too. Most people
rank infections with computer worms or viruses pretty low on the scale
on things to do with life and death, and rightly so.
> And IT people contribute to the problem by throwing up their hands and
> saying that the users don't want to learn or can't be taught.
Some IT people compound the problem by hysteric hand waving, making
those with their feet on ground (and money in their pockets) turn away
and stop listening.
> They
> *must* be taught. There is no other way to solve the problem.
How big is the problem, though, and how much should we spend addressing
it? I'd prefer a differentiated approach, insuring that critical
infrastructure is protected against onslaught without teaching every mom
and granny in the world how to patch a PC. Ideally everyone, home users,
corporations, government organisations, you name it, should assess the
risk to their assets and come up with a proportional response.
Given the lack of risk assessment capabilities in the general
population, the approach for selling other potentially dangerous
products should be adopted: make it idiot-proof (difficult for the
average operators to hurt themselves) or face severe restrictions
selling it. Again, keep in mind that the dangers of using software or
PCs' are mostly those of wasting time, financial loss, identity theft,
but not injury or death.
Yet, they somehow manage to sell people sharp and pointy kitchen knives
- it's all a matter of risk mitigation and a dose of common sense (which
isn't all that common, as we know).
In short, if you think that inexperienced people operating PC's that can
boot into Windows is as dangerous as housewives (or husbands) operating
microwave ovens that can be turned on with the door open - you should
lobby for getting them outlawed, rather than relying on end-user
education. Or at least you should try to raise consumer awareness.
And, speaking of ridiculous analogies, I'd prefer a 100 million PC's
infected with five different worms per year to the annual slaughter of
40.000 people on the road (in just the US, or in Europe). I'm not saying
there's a choice between those two, I'm just pointing out the vastly
different levels of severity.
Cheers
Steffen.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031002/c4410c5c/attachment.bin
Powered by blists - more mailing lists