On Wed, 2010-06-09 at 08:50 -0500, Joe Greco wrote:
Primarily because the product that they've been given to use is defective by design.
Indeed. So one approach is to remove the protection such defective designs currently enjoy.
supposed to play out for the single mom with a latchkey kid? Let's be realistic here. It's the computer that ought to be safer.
Fine. Agreed. Now what mechanisms do you suggest for achieving that? Technical suggestions are no good, because noone will implement them unless they have to, or unless implementing them in some way improves the product so it sells better.
modest improvements on the part of users, sure, but to place it all on them is simply a fantastic display of incredible naivete.
Indeed. And certainly not something I'd advocate. at least not without making sure that they, in turn, could pass the responsibility on.
That shows an incredible lack of understanding of how the market actually works. It's nice in theory.
It would be a lot more pleasant discussing things with you if you understood that people may disagree with you without necessarily being naive or stupid.
We (as technical people) have caused this problem because we've failed to design computers and networks that are resistant to this sort of thing.
And why did we do that? What allowed us to get away with it? Answer: Inadequate application of ordinary product liability law to the producers of software. Acceptance of ridiculous EULAs that in any sane legal system would not be worth the cellophane they are printed behind. And so forth. I know the ecosystem that arose around software is more complicated than that, but you get the idea.
Trying to pin it on the users is of course easy, because users (generally speaking) are "stupid" and are "at fault" for not doing "enough" to "secure" their own systems, but that's a ridiculous smugness on our part.
You're right. And again, I am not advocating that. People are always going to be stupid (or ignorant, which is not the same thing as stupid). The trick is to give them a way out - whether it's insurance, education or effective legal remedy. That way they can choose how to handle the risk that *they* represent - in computers just as in any other realm of life.
I'm fine with that, but as long as we keep handing loaded guns without any reasonably-identifiable safeties to the end users, we can expect to keep getting shot at now and then.
You keep stating the problem, where what others are trying to do is frame a solution. Right now we are just absorbing the impact; that is not sustainable, as long as the people providing the avenues of attack (through ignorance or whatever) have no obligation at all to do better.
Yep! And the fastest way to get more secure systems is to make consumers accountable, so that they demand accountability from their vendors. And so it goes, all the way up the chain. Make people accountable. At every level.
Again, that shows an incredible lack of understanding of how the market actually works. It's still nice in theory.
There are whole industries built around vehicular safety. There are numerous varieties of insurance that protect people - at every level - from their own failures. Where there is no accountability in a human system, failure is practically guaranteed - whether in the form of tyranny, monopoly, danger to life and limb or whatever. The idea of accountability and the drive to attain it forms the basis of most legal and democratic systems, and of uncountable numbers of smaller systems in democratic societies. Now, what were you saying about "theory"?
Do you really think that the game of telephone works? Are we really going to be able to hold customers accountable? And if we do, are they really going to put vendor feet to the fire? Or is Microsoft just going to laugh and point at their EULA, and say, "our legal department will bankrupt you, you silly little twerp"?
Please, read more carefully. "At every level". If the consumer is made responsible, they must simultaneously get some avenue of recourse. Those ridiculous EULAs should be the first things against the wall :-)
Everyone has carefully made it clear that they're not liable to the users, so the users are left holding the bag, and nobody who's actually responsible is able to be held responsible by the end users.
Correct. That is the current situation, and it needs to be altered. On the one hand consumers benefit because they will finally have recourse for defective software, but with that gain comes increased responsibility.
Yes, "we" needs to include all the technical stakeholders, and "we" as network operators ought to be able to tell "we" the website operators to tell "we" the web designers to stop using Flash if it's that big a liability. This, of course, fails for the same reasons that expecting end users to hold vendors responsible does, but there are a lot less of us technical stakeholders than there are end users, so if we really want to play that sort of game, we should try it here at home first.
Try what? Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@biplane.com.au) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob) GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156 Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF