Open Source and information security mailing list archives
Message-ID: <007701c3df96$46445e40$6500a8c0@p41700>
From: chows at ozemail.com.au (Gregh)
Subject: Anti-MS drivel

----- Original Message -----
From: "Tobias Weisserth" <tobias@...sserth.de>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, January 21, 2004 3:55 AM
Subject: RE: [Full-Disclosure] Anti-MS drivel


> Hi Paul,
>
> On Tue, 20.01.2004 at 17:01, Schmehl, Paul L wrote:
> > But the *real* problem isn't the OS, it's the users.
>
> Actually, that's wrong.
>
> Users are never the problem. It's always the software. When a user
> doesn't understand something, then there's a problem with the software,
> not the user. When a user doesn't operate the software in the way the
> developers intended to, then there's a problem with the software.
>


Let me paint you a hypothetical situation to show you where what you said is
wrong:

User receives keylogger attached to email as an exe and stupidly executes
it. User has no anti virus software on the system so keylogger installs
without interference. User shuts down the machine and goes to bed. Next day,
user starts the machine and gets on to their web banking with keylogger
doing its thing and reporting to Mr. Nasty, all the keypresses. User goes
to bed and shuts down the machine again that night. On the other side of the
world in a different timezone, Mr. Nasty receives User's keypress log and
sees the web banking account details, logs on to User's bank account which
contains $10,000 and in a few short hours, Mr. Nasty has transferred the
entire amount to somewhere he can reach in this other country, which doesn't
have any agreement with User's Govt so he can be touched in any way. User
gets up in the morning, goes to his computer, turns it on and logs on to his
web banking account, finding it at a zero balance and immediately starts
screaming blue murder to the bank. The bank says "We understand your plight,
User, but the transfers were done with your web banking username and
password so was quite legal in our eyes. We can't help you, the $10,000 is
gone".

So who do you blame there? The world's MEDIA blames the bank, at least in my
country. We all know the truth is Mr. Nasty is to blame ultimately but he is
in that country where he can't be touched. So who bears the brunt of this?
User does, of course. It isn't up to the bank to even WARN their web bankers
about such things though I think you will find they all do. If the users
infect their own machines and cause this problem it isn't the software (OS
or otherwise) that caused this problem. It is the USER. See, User in the
story above, may well be so computer illiterate that web banking is the
pinnacle of his computer talent because he is basically uninterested in
computers but thought web banking would make his life easier. He could,
however, have hired someone who works in computers and knows how to secure
his computer so that he can not automatically stuff his life up like that.
He didn't.

In Australia when things similar to that happen, it is always the corporate
entity portrayed as the bad guy here when it really isn't, in this case. I
keep thinking it is like someone who drives a Toyota suing Toyota because of
a car accident they had through the brakes not working though the car is 4
years old and never had a service in its life since that person bought it.
Ultimately, though they may know NOTHING, the user is to blame for scenarios
as above. They hire locksmiths to make sure their doors aren't so easy to
open to unauthorised people. Why aren't they hiring "Computer Locksmith"
companies to do the same? Ignorance is why! Gee, you don't buy a KNIFE
without knowing it can be a weapon rather than a vegetable cutter, should
someone grab it and wield it at you. Well, you don't buy a computer without
realising that if someone grabs it and wields it, the computer can ALSO be a
weapon used against you.

Greg.

