From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Anti-MS drivel

"Gregh" <chows@...mail.com.au> wrote:

<<big snip>>
> > I haven't seen a sign on the shrink wrap of Windows XP Home that says
> > "Administrator not included".
> 
> It is always accepted in the Western world that if something is not SAID to
> be there and ISN'T there, then the people who manufactured it or sold it to
> you can't be held accountable for it NOT being there.

This is where you go off the rails...

You are simply wrong.  At least when it comes to "general consumer 
goods" there are all kinds of _assumed_ properties _that are never or 
only very seldom mentioned in labelling_.  You're in a supermarket or 
at a roadside stall buying apples; they have a big bin of them and you 
can choose as many and whichever apples you want.  The apples are not 
labelled and any labelling you may find on the bin will not contain a 
warning something like "Contain less than the minimum acceptable levels 
of dioxin, PCBs, DDT [etc, etc]".  Why not?  Because various legal 
processes "behind the scenes" require that (and, we hope, actually test 
for it and monitor the situation, at least in some broad scope).  
Likewise, other "due level of care" requirements specify, either 
formally or through the court-determined if it ever gets there 
"expectations of a reasonable person" concept.

And there's the rub with computers.  They are now (and have been for 
quite some time) sold as pretty much any other consumer electronics 
device.  The "reasonable person" does not worry, when buying a toaster, 
or afterwards, while using it, that an entirely unknown and untrackable 
person on the other side of the world can pillage his bank account 
while the toaster is plugged in or at least while the toasting 
mechanism is engaged and the machine is cooking his toast.  It is 
entirely reasonable for the consumer to not have to worry about such 
things, so there is no need to put a pre-sales warning on the device to 
that effect.  Windows PCs however, are sold into the consumer market to 
a very large extent because they enable Internet access.  They are (by 
and large) not sold with warnings about the near total lack of any 
effective "protection" from the kinds of evils just described.  Your 
typical "reasonable person" may or may not be expected to be aware that 
such dangers lurk at the end of the modem/DSL/cable/WiFi/etc 
connection, but let's say for the sake of argument that in today's 
society a "reasonable person" should be aware of such possibilities, at 
least at some general level (such dangers are, after all, reported in 
the media, depicted in other popular culture materials and so on).  The 
"reasonable person" notes that there are no warnings on the computer 
sales display stand at their favourite consumer electronics store, 
notes there are no warnings about such things inside the box when they 
get it home, doesn't see any warnings when first turning the device on 
nor when connecting it to the Internet.  The reasonable person, 
therefore, is quite reasonable in assuming the PC manufacturer and/or 
Microsoft has taken the necessary precautions to make this machine 
"safe" for Internet use because it was sold as "Internet ready".  If 
the "reasonable person" knows enough to be aware of various online 
dangers, surely the experts at the PC manufacturer and/or Microsoft do 
too and given they were allowed to sell the machine and it wasn't 
plastered with warnings about its unsuitability for Internet use, the 
reasonable person is entirely within their rights to assume that the 
machine is, in fact, safe for such use.

Of course, we computer experts know that is not the case, but it is not 
the typical consumer's fault they get bitten.  It is the fault of the 
computer seller who recommended this model given the consumer 
explicitly said they wanted to "use the Internet", the PC manufacturer 
for selling self-described "Internet ready" computers that are not 
"Internet ready" by the reasonable standards of most of the folk who 
will buy them, it is Microsoft's fault for foisting its OS on the 
market claiming such high levels of ease of use while ignoring that all 
the security shortcuts it took to make Windows so easy to use are 
precisely the things that bite typical users hardest when it comes to 
the typical uses they are encouraged to make of the machines running 
the OS ("out of the box" Windows is only "safe" for an entirely 
standalone, non-networked environment) and it is the regulators' fault 
for perpetuating the travesty of removing from software (or even 
computer systems as a whole) the same basic consumer protections as 
every other product manufacturer has to work under (Why is Billy Boy 
the richest kid in the world and so many of the other computer and 
especially s/w moguls right up there despite the brief life of their 
sector?  Because they have not had to build their empires under the 
threat of the huge financial costs of ensuring that they are making 
products fit for their intended use, due to their lobbying for, and to 
retain, the almost standalone exemption of software from all the normal 
product liability legislation...).

> You need to know the risks in anything in life. Would you have a child and
> not bring it up warning it about people who may want to take advantage of
> it? Parenting doesn't come with a manual either but there are scumbags about
> who would do harm to an innocent child. Everything has a modicum of risk
> depending on what the thing is. Computers are no different to that. Ignore
> the risk at your own peril.

In general I agree.  The problem with computers is they are 
fundamentally complex.  In fact, way too complex for a typical user 
(and even most "computer experts") to understand sufficiently.  Way, 
way too complex for a typical user to understand well enough to do a 
reasoned risk assessment.  In fact, if they were able so to do and we 
applied your reasoning, almost no "typical consumer" computer users 
would use Windows (assuming that Windows had kept developing as it has 
if people had actually been able to make sensible, informed security 
assessments of it).  I have no idea what they would use instead 
(probably very few of them would exist), but if they could make the 
kind of security assessment you suggest they should, I know they 
wouldn't use Windows as it is today.

So, why do so many of them use Windows, flawed as we know it is?

Well, it provides huge utility and thus, presumably, value to them and 
as it is sold as a consumer electronics item, they assume that Billy 
Boy has their best interests (rather than the best interests of his 
wallet) at heart because they reasonably presume that the usually 
"hidden" rules and expectations of due care (that apply to all other 
consumer electronics products, in fact most other products and 
definitely to your apples, through product liability law) apply here as 
well.  Hence, Billy Boy could only be that rich if he made a product of 
truly stellar quality.  (Actually, I don't think (m)any consumers make 
that last assessment, and certainly not as if it were a buying point 
for Windows...)


Regards,

Nick FitzGerald

