Message-ID: <1074635609.13406.144.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Anti-MS drivel

Hi Greg,

On Tue, 20.01.2004 at 21:45, Gregh wrote:
...
> Let me paint you a hypothetical situation to show you where what you said is
> wrong:

I'm dying to know...

> User receives keylogger attached to email as an exe and stupidly executes
> it.

You didn't understand this. Not one bit.

If you are a vendor and you ship software that is intended to be used
by average Joe and average Jennie then _you_ have to take this into
account.

Why is it possible that a user is able to make this mistake? Why can
attachments that come in via email be executed by a user?

This is a software design flaw, not a user mistake.

This is a matter of definition, Greg.

When I say that the user is always right then this means that software
has to be adapted to the user's education and not the other way around.

You don't blame a five-year-old child when it unsuccessfully tries to
mount a bicycle fit for children older than 10. It's the wrong bike.

Obviously everybody being infected with Blaster has been using the wrong
OS. This is a matter of definition and philosophy.

> User has no anti virus software on the system so keylogger installs
> without interference.

The fact that users have no anti-virus software running or in many cases
old versions without updates (false sense of security!) can be linked to
the fact that they are being told time and again that they have bought a
secure operating system.

You certainly can't blame the users for not knowing the security risks
of the software they bought. If they don't know then it's not their
fault. Actually it's NEVER their fault. By definition.

> User shuts down the machine and goes to bed. Next day,
> user starts the machine and gets on to their web banking with keylogger
> doing its thing and reporting to Mr. Nasty, all the keypresses. User goes
> to bed and shuts down the machine again that night. On the other side of the
> world in a different timezone, Mr. Nasty receives User's keypress log and
> sees the web banking account details, logs on to User's bank account which
> contains $10,000 and in a few short hours, Mr. Nasty has transferred the
> entire amount to somewhere he can reach in this other country, which doesn't
> have any agreement with User's Govt so he can be touched in any way.

Sorry, again not the user's fault.

OSs, online banking and so on are products which have to be ready for
the end user to use. Liability affects vendors, not users.

Besides, just a login account would do a bank account hacker no good
since he also needs a TAN number to commit a transaction. TAN numbers
can only be used once for ONE transaction and are discarded after that.
Banks send TAN numbers via snail-mail in protected envelopes. As you
see, in the real world banks have foreseen the lack of education of
their clients and adapted to them rather than expect it the other way
around.

> User gets up in the morning, goes to his computer, turns it on and logs on to his
> web banking account, finding it at a zero balance and immediately starts
> screaming blue murder to the bank.

He's damn right to do so. How could a bank let something like this
happen?! Don't they know there is always this possibility? It's the bank
and not the client that has to come up with a FOOLPROOF solution to
this. After all, the bank offered the product "web banking".

> The bank says "We understand your plight, User, but the transfers were done with your web banking username and
> password so was quite legal in our eyes. We can't help you, the $10,000 is
> gone".

Well, see above. Besides, this is far from reality, at least in Europe.
When a criminal abuses the credit card details which you have used for
online deals then the credit card company is liable for ANY damage that
has occurred. The fact that a bank would allow transactions of this
magnitude with only a web account and no additional methods of
verifications (TAN etc.) is already almost criminal.

> So who do you blame there?

The OS vendor and the bank. No doubt about it.

Customer is king. Always.

> The world's MEDIA blames the bank, at least in my
> country.

Which is their fine right. The bank would have acted negligently, to say
the least, and could be held fully accountable for any losses. They
offered their client the promise to do secure online banking, then THEY
have to consider all risks, INCLUDING the possibility that criminals
gain access to the client's PC.

> We all know the truth is Mr. Nasty is to blame ultimately but he is
> in that country where he can't be touched.

Actually, he is the villain but he isn't to blame since he used an
opportunity someone else created: the OS vendor. See above.

> So who bears the brunt of this?

The OS vendor and the bank.

> User does, of course.

No. This is where you are wrong and this is what keeps us stuck in this
dilemma. As long as product and technical solutions are not designed to
fit the end user we'll be stuck in this security nightmare.

> It isn't up to the bank to even WARN their web bankers
> about such things though I think you will find they all do.

Of course it is up to them. After all, THEY offer a product, "web
banking", THEY have to guarantee its safety.

> If the users infect their own machines and cause this problem it isn't the software (OS
> or otherwise) that caused this problem.

Yes it is. See above. Why should users be required to know that starting
an attachment can lead to disaster? Why must users have a certain amount
of knowledge or education about this in order to use the product?

Customers don't have to adapt to products. Products ALWAYS have to adapt
to customers.

If a user starts a malicious attachment because the OS allows him to do
so then he has chosen the wrong OS or mail client. It's as easy as that.

> It is the USER.

That's vendor talk. It's pretty convenient to blame customers for design
flaws in your products. But it doesn't improve a thing.

> See, User in the story above, may well be so computer illiterate that web banking is the
> pinnacle of his computer talent because he is basically uninterested in
> computers but thought web banking would make his life easier.

Which is his damn good right. If he doesn't want to know about secure
computing then vendors have to sell him secure computing instead of
requiring him to adapt to the product.

> He could, however, have hired someone who works in computers and knows how to secure
> his computer so that he can not automatically stuff his life up like that.

Why would he want to HIRE someone?!?!?!?!?!?!?!?

Why can't the vendor ship the product secure instead of requiring the
user to do that AFTER he purchased it? It's the vendor's product, the
vendor is liable, the vendor has to provide it in the best way for the
user to use.

Customer is king. Always.

I can't emphasise this enough.

> He didn't.

Why should he? Can't he expect that products are usable right after he
purchased them? When I buy a new car I don't have to bring it to someone
else in order to make it usable for me. Why should I do that with a PC,
an OS, web banking and so on?

When the industry sells things those have to be usable right from the
start without limitations.

> In Australia when things similar to that happen, it is always the corporate
> entity portrayed as the bad guy here when it really isn't, in this case.

You still haven't understood this.

> I keep thinking it is like someone who drives a Toyota suing Toyota because of
> a car accident they had through the brakes not working though the car is 4
> years old and never had a service in its life since that person bought it.

In fact, the "brakes" of most software products aren't functioning on
the first day after you bought it. This is what I'm criticising. Your
comparison is out of place.

> Ultimately, though they may know NOTHING, the user is to blame for scenarios
> as above.

Customers ARE NOT engineers. When there's no warning light blinking
inside the car's cockpit, telling the customer he has to refill oil or
refuel the car, then the consumer will use the product until something
breaks.

This is a simple matter of design philosophy for consumer products. If
a consumer has problems with the product, then the design of that
product has failed. Not the other way around.

> They hire locksmiths to make sure their doors aren't so easy to
> open to unauthorised people. Why aren't they hiring "Computer Locksmith"
> companies to do the same?

Now this is actually sweet :-)

When you buy something then you expect it to work out of the box. You
don't expect to make additional investments to get it working after
you have already paid for a new product. This is how consumers think and
vendors have to adapt to this. Anything else is plain stupid.

> Ignorance is why!

It's not ignorance. It's greed and profit pressure.

Good design and service of a product are expensive. Bad design can't
even be reverted. If the design of a product is flawed this can only be
reversed in the early stages of the development cycle. As soon as the
product is on the market it's too late to change things. Dance the
damage control dance. Better known as the Microsoft Patch Day dance or
Chrysler car recall day and so on.

Seriously. If developers took the time to VERIFY consumer behaviour and
needs rather than GUESS or ASSUME them when creating products we'd have
much better products with far fewer flaws.

Why for example didn't Microsoft recognise that VERY many consumers
would start attachments when they receive them by mail? Had they known
this fact BEFORE they created Outlook, they probably would have disabled
the possibility to start attachments by default and placed alerts
whenever an executable attachment arrives. I tell you why they didn't.
It doesn't fit into the short release cycles which aim for profit and
not for quality.

> Gee, you don't buy a KNIFE without knowing it can be a weapon rather than a vegetable cutter, should
> someone grab it and wield it at you. Well, you don't buy a computer without
> realising that if someone grabs it and wields it, the computer can ALSO be a
> weapon used against you.

No, you are wrong here, Greg. Of course you can expect everybody to
recognise a knife. Humans have used knives for thousands of years.
Computer technology on the other hand is very abstract and evolves in
many different directions faster than most people can keep track of. Or
in other words: this comparison stinks :-)

cheers,
Tobias
