Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: yet another victim of Microsoft malware ..

"Roy Schestowitz" <newsgroups@xxxxxxxxxxxxxxx> wrote in message 
> ____/ [H]omer on Wednesday 03 October 2007 16:22 : \____
>> Verily I say unto thee, that jim spake thusly:
>>> Right...  What are the odds of a male surfing porn on company time?
>> What are the odds of a Windows machine being exploited by Malware?
>> What are the odds that a computer forensics specialist doesn't know what
>> he's doing?
>> 'Farr even retained a computer forensics specialist who concluded: "No
>> one had intentionally loaded the list of Web sites on the computer.
>> Rather, the list was placed on the respiratory therapists' computer by a
>> common and well-known Internet virus that promotes fee-generating
>> pornographic sites."'
>> Blame the victim - it's easier than pursuing the truth.
> A bigger issue here is that Windows has led to loss of trust in computing 
> and
> nothing that you ever see in a person's PC can be used as evidence (or 
> /can/
> it?). Whenever things go rotten, the suspect will cry "malware!".

Windows made computing accessible.  Windows made computers popular and drove 
the entire industry.  It matters not that it was/is insecure.

IMHO, the real problem in the loss of trust is ignorance.  PCs are so simple 
that any idiot can screw one up - and they frequently do.

When you give an untrained person ANYTHING, they can misuse it and harm 
themselves and/or others.  Such is the case with automobiles, knives, guns, 
rocks, scissors, play dough, tiny magnets, pillows and on and on.....

The problem is that some people think that end user ignorance can be coded 
around (i.e. UAC).  That, somehow, programmers can make a system that stupid 
users and malicious crimminals cannot destroy.  That, my friends, is a 
fantasy of the highest order.

If you make it strong enough to block ANY unauthorized activity, you must 
train the end user on what activities are ok to authorize and which aren't, 
how to tell the difference and how to allow and deny each one.  In effect, 
you will have a hardened system that is so complicated (for the average 
user) or such a pain to use (aka UAC) that people will not use it. 
Infection rates will decrease - as will productivity.

OTOH, if you keep it simple enough for "anyone" to use, it's going to have 
holes.  There is no way to have a simple system that gives the end user the 
absolute control that they demand without security risks.

This leads us somewhat closer to reality.  Systems still need to be simple. 
Very simple.  Simple saves time in training, saves money in hiring the 
employees to run the OS and makes getting replacement workers relatively 
easy and cost effective.  But, simple means that they can hurt themselves 
(just as they can run with scissors or a knife and they can drink and drive 
and they can throw rocks on the playground).

The reality is that education of the end user plus simple systems plus 
SEVERE punishment of system abusers is the only realistic solution.  Even 
then, you will have people shoot themselves in the foot with thier mouse 
every once in a while and you will have bad people still doing bad things. 
While we can never stop bad people from doing bad things, we can hunt them 
down and use them as an example to the next person tempted to follow in 
their footsteps (instead of giving an 18 year old virus writer 18 months of 
a possible 30 year sentence).

And, we will still be here...fighting the good fight...trying to keep users 
safe from themselves and from the bad guys.


And, if you

Should it be any different?  I don't think so. 

[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index