Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))
On Tue, 20 Apr 2004 09:21:02 -0500 (CDT), Adi Linden wrote:
Since many gateway service providers will not prevent insufficiently skilled users from connecting to the internet and injuring others, the only remaining solution, as far as I can see, is cutting connectivity with those enablers. That is the proposal I advanced in <http://www.camblab.com/misc/univ_std.txt>. And once again the you're punishing the victim. Let's not forget that the uneducated end user is tricked into doing things that are not good for them or the rest of the internet connected world. Unfortunately the only feasible and readily available computer solution for the uneducated end user is a single available operating system. Everyone is at the mercy of this product with all its flaws and downfalls. Instead of continually blaming the uneducated end user how about providing tools to the uneducated end user that can be used to connect to the internet without becoming a liability. A toaster with keyboard an monitor...
I beg to clarify that I am not "blaming" anyone; I am describing a system with known input-output properties and internal structures. We know how this system behaves in terms of technology and human behavior, and we know what to do to the inputs to change the outputs. If you choose to smoke, you get cancer. Same with spam. If you don't want to have spam, you have to change some behaviors. Some people will be inconvenienced. Life is full of such choices. As for the specifics of your comments, I could not disagree more, but it is a philosophy of life that distinguishes our views, not the analysis of the problem. I believe (like a lot of other New Englanders and even some from California) that people must assume responsibility for their actions. If responsibility is not enforced, society collapses (into e.g. the kind of chaos we see on the internet.) In 2004 no one is "tricked" into using rubbish software; there are plenty of alternatives, and the rubbishy nature of the leading OS is in almost every day's newspaper. It's a choice people make, like overeating and gaining weight. No one is there with a gun forcing people to gain weight. As for "uneducated", the solution is the same as for bad drivers: training. If you are a threat to the rest of the internet because of your ignorance (or irresponsibility) then you do not qualify for connectivity, just as bad drivers don't get licenses, bad credit risks don't get credit, and drunk airline pilots stop flying. To repeat: the solution to spam is to apply rigorously the same rules to the internet as are used everywhere else in society. It is simple, it pays for itself, it works, and it works immediately. Some people will be upset, like the smokers who have to go outside for a puff or even give up their habit. However the result is better for EVERYONE including "the uneducated". Jeffrey Race
As for the specifics of your comments, I could not disagree more, but it is a philosophy of life that distinguishes our views, not the analysis of the problem. I believe (like a lot of other New Englanders and even some from California) that people must assume responsibility for their actions. If responsibility is not enforced, society collapses (into e.g. the kind of chaos we see on the internet.)
I like the term responsibility but how is it applied? If I own a vehicle, what are my responsibilities? I have to obtain a drivers license which gives me the privilege of driving a motor vehicle. Driving a motor vehicle is an active choice, I am behind the wheel putting the vehicle in motion. I am responsible for all the consequences of my actions while driving. Where is my responsibility in vehicle ownership? Is is responsible to leave the vehicle locked at the curb, unlocked, keys in the ignition? What are my responsibilities when an unauthorized person uses my vehicle? Driving a motor vehicle is a complex task. There is enforcement in place and it is common knowledge that training and license is required to use a motor vehicle. What about a baseball bat? Where is my responsibility in owning a baseball bat? If I store my baseball bat leaning against my backdoor, am I responsible if my neighbour uses it without my permission to crack his wifes skull?
In 2004 no one is "tricked" into using rubbish software; there are plenty of alternatives, and the rubbishy nature of the leading OS is in almost every day's newspaper. It's a choice people make, like overeating and gaining weight. No one is there with a gun forcing people to gain weight.
My argument is that a computer needs to be in a safe state by default. I firmly believe that if I buy a brand new box from any reputable vendor with a premium operating system of choice I should be able to connect this device to a local broadband connection indefinitely. It needs to be safe without user training or user intervention.
As for "uneducated", the solution is the same as for bad drivers: training. If you are a threat to the rest of the internet because of your ignorance (or irresponsibility) then you do not qualify for connectivity, just as bad drivers don't get licenses, bad credit risks don't get credit, and drunk airline pilots stop flying.
I can walk, I can take a bicycle. Owning a computer today is like owning a performance car. There is no learning curve, it's all or nothing. If this is the way it has to be, then service providers need to take responsibility and provide a safe environment for the uneducated users. This includes filtering ports, filtering emails, etc. A last resort is terminating service if a user is unwilling to learn at all. Adi
[snip] : : My argument is that a computer needs to be in a safe state by default. I : firmly believe that if I buy a brand new box from any reputable vendor : with a premium operating system of choice I should be able to connect this : device to a local broadband connection indefinitely. It needs to be safe : without user training or user intervention. : It would be nearly impossible for computer software makers to provide against any type of attack by those so inclined. The result is that they are reactive rather than pro-active. Understand that the software maker wants his product to have all the features and gee-gaws that make it attractive and simple to use, and most work well in this area, but over-compensating for any potential type of attack before delivery is, in my opinion an impossible task. One may wish that there were no vulnerabilities in any operating system, but this is not the case. There are vulnerabilities in all the operating systems in place today. Ther are many admins, (even if the admin is an uneducated end-user) who do not bother to update their sofware or operating systems. This practice is why Linux/Unix systems get chrooted, Windows machines get compromised, even OSX. Some of the vulnerabilities are in the chipset on the motherboard, be it Intel, AMD, or Motorola. The software maker must try to compensate for those failings as well. As long as there arre otherwise bored miscreants who will continue to try to exploit the vulnerabilities they will continue to happen, no matter what the patch position is, no matter the OS or chipset used. Thre are many security capabilities built into many OS distributions, and relatively few are ever implemented. Why? Your guess is as good as mine, but my guess is that it is time consuming of time that is not budgeted. just my 0.02
Operating systems bundled with a retail computer _should_ be reasonably secure out of the box. OS X can be placed on a unprotected internet connection in a unpatched state and it's default configuration allows it to be patched to current levels without it being compromised. On the other hand Win2k & XP will be compromised in under 5 minutes if connected to the same unfiltered connection (The record here is 35 seconds for time to compromise) I am not saying that OS X is the paragon of all things good. But it's basic settings take into account the average user's skill level and ability to secure the OS if you want less security the user needs to _specifically_ configure the machine to allow the reduced level of protection. Whereas the desire for chrome on WinXXXX has made a platform which is virtually impossible for the average user to secure. I use both on a daily basis as well as Solaris and Linux so I consider myself somewhat agnostic on OS choices as each does something better than the others and I use it for that function. Scott C. McGrath
Doug White writes:
It would be nearly impossible for computer software makers to provide against any type of attack by those so inclined. The result is that they are reactive rather than pro-active.
That's not the point. The difference in degree of security between Windows and Mac OS X is so great as to be a difference in kind. It is possible for vendors to build, and customers to buy, sufficiently safe Internet client software. It is also possible to mitigate the spam problem (which started this whole thread, as you may recall :). From where I'm sitting, Apple Mail's spam detection feature, Spam Assassin, and similar products all do a sufficiently good job. I get obscene amounts of spam at this account, but I see very little of it (even though my version of Spam Assassin is old). Now, I know network operators have a different point of view (I have been one): that spam consumes expensive network resources. But even Hotmail (and who could have a worse spam problem than Hotmail?) only blackholes specific hosts or small subnets, and only then for 24-48 hours. This idea of cutting off entire ISPs/countries/operating systems/ethnicities from their access to certain or all services is very poor and reflects badly on those who propose it. The spam problem is as mitigatable as it is bad, and taking away or reducing the usefulness of the network in order to save a few bits or bucks is a bad trade. Freedom, openness and universal access are worth the trouble. Why is it that some people respond to the problem by breaking things rather than building things? In particular, something like Bastille (the Linux hardening kit) for Windows would be great. -- Chris Palmer Staff Technologist, Electronic Frontier Foundation 415 436 9333 x124 (desk), 415 305 5842 (cell)
participants (5)
-
Adi Linden
-
Chris Palmer
-
Doug White
-
Dr. Jeffrey Race
-
Scott McGrath