Message-ID: <1074617743.4482.39.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Anti-MS drivel

Hi Paul,

On Tue, 20.01.2004 at 17:01, Schmehl, Paul L wrote:
> But the *real* problem isn't the OS, it's the users.

Actually, that's wrong.

Users are never the problem. It's always the software. When a user
doesn't understand something, then there's a problem with the software,
not the user. When a user doesn't operate the software in the way the
developers intended, then there's a problem with the software.

Customer is king. Always.

Why should every single user on earth have to worry about virus updates,
personal firewalls and so on? They want to USE a PC not secure it.

Any attempt to deliver software in a state as secure as possible without
cutting too many features must be welcomed. Any practice where software
is delivered "with open doors" should be considered a fatal flaw.
When a user has to act in order to deactivate features he doesn't use
that are potentially dangerous then this is wrong. There shouldn't be
any "opt-in" into security. If individual users discover they need an
additional feature of their software that adds to overall risks then let
those individual users find out how to do that. That's education. Not
the other way around. If they have to do something on their behalf to
use risky features that the majority doesn't use, then they actually
educate themselves in the process. If you want to have a webserver
running on your box, then it's better there isn't one by default and the
user has to find out how to enable it and how to enable it SAFELY. The
majority of users who don't, won't have to care about this.

Users should always have to "opt-out" from the more secure setting into
the risky setting.

The "anti MS" drive IMHO results from the fact that MS has practised
"opt-in" into security far too long. One of the most striking examples
giving evidence to this is the fact that _AOL_ had to shut down the
Windows Messaging Service on its clients' PCs because clients were
complaining about receiving unwanted ad messages that way. I find it
very striking that this feature seems to be activated by default in an
OS that is aimed at the end user, a single machine connected
to the Internet by mostly a modem or some other form of dial-up
connection without something in between. Delivering an OS with such a
feature enabled leaves millions of users to disable that feature while
only a minority actually makes good use of the feature. This is just one
example of many.

The Blaster worm is yet another example of how "opt-in" into security
fails. Why do private, single machines connected to the Internet use an
open RPC port by default?! Obviously there hasn't been a real use for it
for most end consumers because the recommended Personal Firewall just
shuts it down. Why has it been enabled for millions of end users by
default? Just because this is a feature that may be used in a certain
scenario inside LANs? Again millions of end users who don't know about
"RPC what?!" had to act to "opt-in" into security. This stinks.

THIS is why MS is drawing so much bad attention here. It's not because
people don't like the colours of Windows XP around here or because of
the idea that Windows is not a good OS. It's about "opt-in" into
security. And the blame goes on MS for this. Nobody else.

cheers,
Tobias W.

