lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: chows at (Gregh)
Subject: Anti-MS drivel

----- Original Message -----
From: "Tobias Weisserth" <>
To: "Gregh" <>
Cc: <>
Sent: Wednesday, January 21, 2004 8:53 AM
Subject: Re: [Full-Disclosure] Anti-MS drivel

> Hi Greg,
> Am Di, den 20.01.2004 schrieb Gregh um 21:45:
> ..
> > Let me paint you a hypothetical situation to show you where what you
said is
> > wrong:
> I'm dieing to know...

What are you dieing? T-shirts? :)

> > User receives keylogger attached to email as an exe and stupidly
> > it.
> You didn't understand this. Not one bit.

Nope, YOU didnt understand this "not one bit".

> If you are a vendor and you ship a software that is intended to be used
> by average Joe and average Jennie then _you_ have to take this into
> account.

If the user is so stupid as to not have someone check his computer and
secure it, then it isnt the problem of the OS vendor *WHERE* the problem is
something like a keylogger though admittedly, if the OS is to blame, there
is some reason to blame the OS manufacturer.

> Why is it possible that a user is able to make this mistake?

Oh COME now! Are you so INSULAR that you dont realise the real world? My
wife works for a MENSA member, a recognised genius who would likely have
more brain capacity than most people in the world. He doesnt have a CLUE how
to secure his computer. WHY? He isnt in the least INTERESTED in computers
outside of using them to do his work on. Oh and BTW, his work, nothing to do
with computers other than using them as a tool, made him a
multi-millionaire. Why the HELL should this guy, according to you, *HAVE* to
know what he is doing with a computer. He, likely, has more money than you
and I put together EVER will have unless one of us wins over 300 million US
dollars. In my book, this guy is devoting his time the best way possible.
Learning what to do with computers to the extent where he can lock it down
is actually financially irresponsible to him. He can PAY someone US$200 an
hour to do that and per hour STILL come out in front by a LONG shot.

What IS it with computer/I.T. professionals (or those who know as much even
if not so employed) that they think just because THEY know how to do it,
everyone SHOULD know? Not everyone is INTERESTED and not everyone thinks it
is a good use of their time!

> Why can attachments that come in via email be executed by a user?

Why not? In benign situations it is often helpful to a user. Just because
Mr. Nasty decided to exploit this for whatever reason doesnt make it a BAD
idea. It just makes it a co-opted idea. Education is the fault here. The
person doesnt KNOW what they are doing yet are blindly clicking anyway. If
they didnt get someone to educate them or tie things down to safeguard
against this, then THEY are at fault. Why can a car be started by ANYONE
with the key? If someone starting that car without the permission of the
owner takes it and runs over another person, killing them, is that the fault
of the car manufacturer?

> This is software design flaw, not a user mistake.
> This is a matter of definition, Greg.
> When I say that the user is always right then this means that software
> has to be adapted to the users education and not the other way around.

A common setup - Say WIN98 with Internet access. They call in someone and
tell them they want to be as secure as possible. That person installs (name
your flavour of WIN98 compatible AV prog here) which works well and also,
say, Zone Alarm *free edition*. The person, still no wiser as to
executables, receives an infected one from a friend who has an infected
machine and didnt actually send it to them but the person thinks it is from
them anyway so executes it. Their AV prog jumps in at this point, stops it
from executing and informs the user that it was a virus and gives the name.
The user doesnt HAVE to worry about thing that way. This IS software already
around adapted to the least knowledgeable computer user. The fact that the
infected exe CAN be run doesnt mean there is a design flaw. You will never
stop viruses happening while the world still uses PCs the way they are now
and it doesnt matter what OS you use. There are enough on any of them AND
Macs to make people who KNOW what they are doing at least think about them.

At this point I took the time to read the rest of your letter instead of
reading while replying because I was a little amazed at your lack of
understanding of the real world OUTSIDE of computers and I realised I would
never convince you that the world operates not the way you want it to but
the way it will, so I have to give up right now. All I can say is that
experience will, one day, light the way.


Powered by blists - more mailing lists