Re: [Full-Disclosure] Anti-MS drivel

From: Gregh (chows_at_ozemail.com.au)
Date: 01/23/04

    To: <tobias@weisserth.de>
    Date: Sat, 24 Jan 2004 00:12:55 +1100

    ----- Original Message -----
    From: "Tobias Weisserth" <tobias@weisserth.de>
    To: "Gregh" <chows@ozemail.com.au>
    Cc: <full-disclosure@lists.netsys.com>
    Sent: Thursday, January 22, 2004 7:38 PM
    Subject: Re: [Full-Disclosure] Anti-MS drivel

    > Hi Greg,
    >
    > On Thu, 22.01.2004, at 07:07, Gregh wrote:
    > ..
    > > > I'm dieing to know...
    > > >
    > >
    > > What are you dieing? T-shirts? :)
    >
    > Yes, foreign languages are hard to master. I guess "dieing T-shirts" is
    > in the process of learning them ;-)
    >
    > Maybe we should continue this debate in German then. Or Dutch. Or
    > French. Choose one :-)

    You chose to be silly in the first place. You just got it back when I was in
    a weak moment.
    >
    > ..
    > > > You didn't understand this. Not one bit.
    > > >
    > >
    > > Nope, YOU didn't understand this "not one bit".
    >
    > I guess we're stuck then. Nothing you are going to say or compare will
    > change my view and vice versa.
    >
    > > > If you are a vendor and you ship software that is intended to be
    > > > used by average Joe and average Jennie then _you_ have to take this
    > > > into account.
    > >
    > > If the user is so stupid as to not have someone check his computer and
    > > secure it, then it isn't the problem of the OS vendor *WHERE* the problem
    > > is something like a keylogger though admittedly, if the OS is to blame,
    > > there is some reason to blame the OS manufacturer.
    >
    > If the consumer version of an OS requires "someone to check his
    > computer" then there IS something major wrong with the product. Excuse
    > me, but this is trivial.

    Of course it is trivial. The computer owner SHOULD check his computer or
    have someone check it for him if he doesn't understand it. That is a BASIC
    principle you seem not to understand. I am no locksmith. Should I trust that
    the new house I am moving into won't be robbed, or should I get a locksmith
    to check it out for me, as I don't know much about that, and advise me how
    to lock down my house properly? Same principle as locking down your computer.

    >
    > > > Why is it possible that a user is able to make this mistake?
    > >
    > > Oh COME now! Are you so INSULAR that you don't realise the real world?
    >
    > I do realise. But do manufacturers? If this is so natural to you why
    > don't you think that it's a bad idea to ship an OS WITHOUT the option to
    > open attachments from within email clients?

    Let's give you an example. My own father in law, when first going on the
    internet, decided he wanted to read about one of his hobbies, model trains,
    on the web. He knew enough to dial in to his ISP, load his browser and go to
    Yahoo, where he typed in "models" for the search. He clicked on the first
    thing that came up and it happened to be a topless model (female) gif done
    to music where the breasts independently did odd things. :)

    Whose fault is that? MS? Nope. They wrote the browser he used and this was
    no access violation issue. His ISP? Nope. Don't shoot the messenger, here!
    Yahoo? Well, not really though to some extent, probably yes. Was it the
    fault of the person who put up that web site he ended up at? No, it was
    soft porn and was totally legal in this country at that time. It was HIS
    fault. Why? He didn't KNOW enough. Why do you think there are driver's tests?
    So people with the physical ability to get a car key and get into a car,
    start it and drive it can be tested for ability to drive safely. Put another
    way, an expert has taught them what to do to the point where they can be
    licenced. If they have an accident not due to shoddy workmanship of the car
    or road or someone else doing the wrong thing then it is their fault. So it
    is that if a person gets on the web and does web banking (one thing I don't
    like the idea of one bit, personally) with a keylogger installed, no idea
    about AV progs or even a basic software firewall, then it is no-one else's
    fault but theirs if they lose their money.

    >
    > > My
    > > wife works for a MENSA member, a recognised genius who would likely have
    > > more brain capacity than most people in the world. He doesn't have a CLUE
    > > how to secure his computer. WHY? He isn't in the least INTERESTED in
    > > computers outside of using them to do his work on. Oh and BTW, his work,
    > > nothing to do with computers other than using them as a tool, made him a
    > > multi-millionaire. Why the HELL should this guy, according to you, *HAVE*
    > > to know what he is doing with a computer. He, likely, has more money than
    > > you and I put together EVER will have unless one of us wins over 300
    > > million US dollars.
    >
    > You know, money isn't my ultimate goal in life, so let the guy have
    > another 300 million ;-) I don't measure personal achievements in money.

    Your dodging of the issue notwithstanding, right? :)

    >
    > > In my book, this guy is devoting his time the best way possible.
    > > Learning what to do with computers to the extent where he can lock it
    > > down is actually financially irresponsible to him. He can PAY someone
    > > US$200 an hour to do that and per hour STILL come out in front by a LONG
    > > shot.
    >
    > Why should owning a consumer version of an OS require ANYBODY (no
    > matter how rich or poor) to have an additional administrator?

    Why should wanting to run a medium to large sized company require an
    accountant?

    >
    > I haven't seen a sign on the shrink wrap of Windows XP Home that says
    > "Administrator not included".

    It is always accepted in the Western world that if something is not SAID to
    be there and ISN'T there, then the people who manufactured it or sold it to
    you can't be held accountable for it NOT being there.

    You need to know the risks in anything in life. Would you have a child and
    not bring it up warning it about people who may want to take advantage of
    it? Parenting doesn't come with a manual either but there are scumbags about
    who would do harm to an innocent child. Everything has a modicum of risk
    depending on what the thing is. Computers are no different to that. Ignore
    the risk at your own peril.

    >
    > Obviously you think too that Windows XP Home can't be used without
    > professional help so of course there's something wrong with the product.
    >

    Never said that so I don't know where you get that from. It is easy to use
    but like any OS, it isn't automatically safe from outside harm without some
    intervention.

    > > What IS it with computer/I.T. professionals (or those who know as much
    > > even if not so employed) that they think just because THEY know how to
    > > do it, everyone SHOULD know?
    >
    > Now you are talking my way. How does this fit in with the idea that
    > everybody should have his personal IT guru at home?!
    >

    If you decided to invest on the share market, would you do so without
    advice?

    > > Not everyone is INTERESTED and not everyone thinks it
    > > is a good use of their time!
    >
    > So he shouldn't be bothered, right? Why does he have to hire someone
    > then?
    >

    If you want to have a car but don't want to take the time to learn how to
    drive it, then you have to hire someone to drive it FOR you, right?

    > > > Why can attachments that come in via email be executed by a user?
    > >
    > > Why not?
    >
    > Because it poses a significant security threat. And every sane OS

    ....to the unwary, definitely and yes there are a lot of those types about.
    This is why people exist in computer security. To advise about those things.

    > designer _knows_ there are billions of potential users who'll blindly do it.
    > A bright designer foresees this and designs his product in a way users
    > can't blow themselves into oblivion.

    Be my guest. Write the OS that can do that without SOME smart arse in the
    world thinking of a way to get around it. Blackhats are the water in the
    I.T. community. Water can be held behind a dam for a while but eventually it
    flows and finds its own way out.

    >
    > > In benign situations it is often helpful to a user. Just because
    > > Mr. Nasty decided to exploit this for whatever reason doesn't make it a
    > > BAD idea.
    >
    > Yes it does. Of course it's nice to leave the door open while you do
    > shopping. A constant draft of fresh air will flow through the house. But
    > it's a VERY stupid idea because everybody knows that open doors provoke
    > theft.

    ....having attachments isn't akin to leaving the door open. Using a computer
    on the net without thinking of the consequences is, though.

    >
    > > It just makes it a co-opted idea. Education is the fault here.
    >
    > Then have fun. Explain security to consumers. It NEVER has worked and it

    I do, almost daily.

    > NEVER will. Look at it!! Viruses are part of business life for almost a
    > decade now and people still are falling for "Hi... Test" and start an
    > attachment that is named randomly.

    Most of my users are small to medium-small companies. I tell the boss of
    those companies what the situation is - that you won't stop someone who WANTS
    in short of pulling the plug but you CAN make it less easy and I tell them
    how. I insist they all have AV scanners because I KNOW the moment I am not
    there, something will happen. I leave spyware scanners on their machines and
    educate them in their use after clearing spyware off the machines. Some time
    back I even had a security "test" on a web site that basically ran a program
    on their computer (going back a long way now) to show them what I could do
    easily, so imagine what those who REALLY know what they are doing could do.
    People tend to take notice and remember at that point. Granted, not all of
    them want to be bothered ensuring their machines remain as free from crap as
    they can and in those cases I get called back regularly. Either way, they
    are more protected than before I first went there.

    >
    > You yourself said that this rich guy doesn't bother how to secure his
    > PC. What makes you think he is willing to spend his time on "education"
    > about how or not to open an attachment?!
    >

    He really doesn't have to bother. His machine has been secured by people he
    hired. He can still open an infected attachment and so on but he can't infect
    his machine now.

    > > The person doesn't KNOW what they are doing yet are blindly clicking
    > > anyway. If they didn't get someone to educate them or tie things down to
    > > safeguard against this, then THEY are at fault.
    >
    > That's where we differ. If a vendor can't produce a product in a way the
    > consumers use it in a safe way without education then the product sucks.
    >

    So Mercedes Benz sucks? Ferrari sucks?

    > > Why can a car be started by ANYONE with the key?
    >
    > Again: cars and computers are not comparable. If you've already made the
    > assumption that every user should be required to have a PC license to
    > operate it then this may be true but luckily the PC revolution isn't
    > bound by "driving permit" for users.

    Nope. I haven't done that and they ARE comparable. You either learn to drive
    a car if you want to own one or hire someone to drive it for you to get you
    around, using it. You either learn how to secure your computer or hire
    someone to do it for you, if you want to get around, using it.

    >
    > > If someone starting that car without the permission of the
    > > owner takes it and runs over another person, killing them, is that the
    > > fault of the car manufacturer?
    >
    > If the key is built into the car and can't be taken after you lock it,
    > THEN OF COURSE it is the fault of the manufacturer when such things
    > happen.
    >

    Well if you want to get silly about it....

    > Face it. No matter what glorious comparison you can think of, I'll turn
    > it against you because comparisons are simply not applicable here.
    >

    You haven't turned one thing against me yet. You have actually proven that
    you don't understand real world people though.

    > > > This is a software design flaw, not a user mistake.
    > > >
    > > > This is a matter of definition, Greg.
    > > >
    > > > When I say that the user is always right then this means that software
    > > > has to be adapted to the user's education and not the other way around.
    >
    > This is the essential "soul" of my view. If you can't live with that you
    > shouldn't ever design consumer products ;-)
    >
    > > A common setup - Say WIN98 with Internet access. They call in someone
    > > and tell them they want to be as secure as possible. That person installs
    > > (name your flavour of WIN98 compatible AV prog here) which works well and
    > > also, say, Zone Alarm *free edition*. The person, still no wiser as to
    > > executables, receives an infected one from a friend who has an infected
    > > machine and didn't actually send it to them but the person thinks it is
    > > from them anyway so executes it. Their AV prog jumps in at this point,
    > > stops it from executing and informs the user that it was a virus and
    > > gives the name. The user doesn't HAVE to worry about things that way.
    >
    > Yes, he HAD to worry. He had to ask someone to fix it. I'm asking the
    > vendor to fix it in the first place. It is a fictional assumption that
    > every consumer can ask somebody to fix his computer. I have stopped
    > counting the hours I've spent in front of friends and family's machines
    > "fixing" things. This is lost time on my account. I should bill an
    > invoice to MS ;-)
    >

    Well, you disprove your own assertion. Even in your case, your friends had
    you to whom to turn.

    > > This IS software already around adapted to the least knowledgeable
    > > computer user.
    >
    > Why does he use someone to install it or even realise he needs it?!
    > There is a gap between your statements and the way you try to prove them
    > right.

    Only if you don't want to accept you are wrong but there's nothing I can do
    about that.

    >
    > > The fact that the infected exe CAN be run doesn't mean there is a design
    > > flaw.
    >
    > Yes, it is. Of course there is. This isn't a useful feature anymore. It

    No it doesn't. It never WAS a design flaw. It was a purposefully implemented
    feature. Just because someone took a good idea and used it to infect
    machines doesn't make it a design flaw. A design flaw, by definition, is
    something that is meant to do something and doesn't. They put in traffic
    calmers that turn the local road into a chicane at 2 points, near me. Like
    most people, I loved the idea. I like driving faster through them. The end
    result, in this example, IS a design flaw. They didn't slow traffic speed.
    They actually increased it with something meant to slow it.

    > is a dangerous feature. So it should be turned OFF by default. People

    Not at all. That is your opinion and not a design flaw but a feature. In any
    case, in OE6, doing something with an attachment, nowadays, IS turned off
    by default. It can easily be turned back on but I get called by a lot of new
    OE users who tell me they can't open their attachments and complain about
    that being a design flaw when I explain what is going on to them. They say
    it should be able to be used without intervention in the first place.

    > may turn it on again but it should come turned OFF by default.
    >
    > > You will never stop viruses happening while the world still uses PCs the
    > > way they are now and it doesn't matter what OS you use.
    >
    > No we will actually never stop viruses. But by redefining what's a
    > useful feature and what's a too dangerous feature we can _limit_ the
    > effects of viruses. If only 3 out of 10 users who click on an infected

    I find that a disturbing statement, actually. If I were a sandcastle kicker
    and they stopped something I used to create havoc on your sandcastle, I would
    be prompted into action to find other ways. It is never the I.T. guy who
    redefines a useful feature. It is always the person who decides what the
    public will pay money to have.

    > attachment manage to turn on again the option to run attachments from
    > within their email client and the other 7 fail to do so then we have 70%
    > less infected machines on the net.
    >

    Optimistic but unlikely. You don't think it was the MAJORITY of net users in
    the world who caused the spread of the major worm outbreaks in the last 2
    years do you?

    > > There are enough on any of them AND
    > > Macs to make people who KNOW what they are doing at least think about
    > > them.
    > >
    > > At this point I took the time to read the rest of your letter instead of
    > > reading while replying because I was a little amazed at your lack of
    > > understanding of the real world OUTSIDE of computers and I realised I
    > > would never convince you that the world operates not the way you want it
    > > to but the way it will, so I have to give up right now. All I can say is
    > > that experience will, one day, light the way.
    >
    > Mmh. "My lack of understanding of the real world outside of
    > computers..." lol
    >

    I had no doubt you would laugh at that. When you don't understand, all you
    can do is laugh or get out of the way.

    Greg.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
