Open Source and information security mailing list archives
From: buri at z17.net (Erich Buri)
Subject: Anti-MS drivel

Hi Gregh,

Do you work for MS? Look at the answer from Tobias. All that you wrote
can be avoided with today's knowledge of cryptography. And must be
avoided, at least in Europe. The bank is responsible for that. There's
even no need for TC/Palladium whatsoever.

I think you can move on with painting hypothetical situations, but
finally I fully agree with Tobias: Customer is king. Only a company as
big as MS can ignore this. 

What MS actually does is leading customers into a trap. MS Products look
as if they were so easy to use that _every_body could work with it,
just like that - "you don't need to know a thing". Intuitive User
interface etc.

And now... You come up and blame the user for trusting MS? So MS should
write this on top of all their products - "You have to take lessons in
securing this Product before you can start using it!" or "Attention:
Security is left to the user!"


greetings
buri



On Tue, 2004-01-20 at 21:45, Gregh wrote:
> ----- Original Message -----
> From: "Tobias Weisserth" <tobias@...sserth.de>
> To: <full-disclosure@...ts.netsys.com>
> Sent: Wednesday, January 21, 2004 3:55 AM
> Subject: RE: [Full-Disclosure] Anti-MS drivel
> 
> 
> > Hi Paul,
> >
> > Am Di, den 20.01.2004 schrieb Schmehl, Paul L um 17:01:
> > > But the *real* problem isn't the OS, it's the users.
> >
> > Actually, that's wrong.
> >
> > Users are never the problem. It's always the software. When a user
> > doesn't understand something, then there's a problem with the software,
> > not the user. When a user doesn't operate the software in the way the
> > developers intended to, then there's a problem with the software.
> >
> 
> 
> Let me paint you a hypothetical situation to show you where what you said is
> wrong:
> 
> User receives keylogger attached to email as an exe and stupidly executes
> it. User has no anti virus software on the system so keylogger installs
> without interference. User shuts down the machine and goes to bed. Next day,
> user starts the machine and gets on to their web banking with keylogger
> doing its thing and reporting to Mr. Nasty, all the keypresses. User goes
> to bed and shuts down the machine again that night. On the other side of the
> world in a different timezone, Mr. Nasty receives User's keypress log and
> sees the web banking account details, logs on to User's bank account which
> contains $10,000 and in a few short hours, Mr. Nasty has transferred the
> entire amount to somewhere he can reach in this other country, which doesn't
> have any agreement with User's Govt so he can be touched in any way. User
> gets up in the morning, goes to his computer, turns it on and logs on to his
> web banking account, finding it at a zero balance and immediately starts
> screaming blue murder to the bank. The bank says "We understand your plight,
> User, but the transfers were done with your web banking username and
> password so was quite legal in our eyes. We can't help you, the $10,000 is
> gone".
> 
> So who do you blame there? The world's MEDIA blames the bank, at least in my
> country. We all know the truth is Mr. Nasty is to blame ultimately but he is
> in that country where he can't be touched. So who bears the brunt of this?
> User does, of course. It isn't up to the bank to even WARN their web bankers
> about such things though I think you will find they all do. If the users
> infect their own machines and cause this problem it isn't the software (OS
> or otherwise) that caused this problem. It is the USER. See, User in the
> story above, may well be so computer illiterate that web banking is the
> pinnacle of his computer talent because he is basically uninterested in
> computers but thought web banking would make his life easier. He could,
> however, have hired someone who works in computers and knows how to secure
> his computer so that he can not automatically stuff his life up like that.
> He didn't.
> 
> In Australia when things similar to that happen, it is always the corporate
> entity portrayed as the bad guy here when it really isn't, in this case. I
> keep thinking it is like someone who drives a Toyota suing Toyota because of
> a car accident they had through the brakes not working though the car is 4
> years old and never had a service in its life since that person bought it.
> Ultimately, though they may know NOTHING, the user is to blame for scenarios
> as above. They hire locksmiths to make sure their doors aren't so easy to
> open to unauthorised people. Why aren't they hiring "Computer Locksmith"
> companies to do the same? Ignorance is why! Gee, you don't buy a KNIFE
> without knowing it can be a weapon rather than a vegetable cutter, should
> someone grab it and wield it at you. Well, you don't buy a computer without
> realising that if someone grabs it and wields it, the computer can ALSO be a
> weapon used against you.
> 
> Greg.
> 

