"Roy Schestowitz" <newsgroups@xxxxxxxxxxxxxxx> wrote in message
news:1650829.nsiP8KkK1W@xxxxxxxxxxxxxxxxxx
> ____/ [H]omer on Wednesday 03 October 2007 16:22 : \____
>
>> Verily I say unto thee, that jim spake thusly:
>>
>>> Right... What are the odds of a male surfing porn on company time?
>>
>> What are the odds of a Windows machine being exploited by Malware?
>>
>> What are the odds that a computer forensics specialist doesn't know what
>> he's doing?
>>
>> 'Farr even retained a computer forensics specialist who concluded: "No
>> one had intentionally loaded the list of Web sites on the computer.
>> Rather, the list was placed on the respiratory therapists' computer by a
>> common and well-known Internet virus that promotes fee-generating
>> pornographic sites."'
>>
>> Blame the victim - it's easier than pursuing the truth.
>
> A bigger issue here is that Windows has led to loss of trust in computing and
> nothing that you ever see in a person's PC can be used as evidence (or /can/
> it?). Whenever things go rotten, the suspect will cry "malware!".

Windows made computing accessible. Windows made computers popular and drove
the entire industry. It matters not that it was/is insecure.

IMHO, the real problem in the loss of trust is ignorance. PCs are so simple
that any idiot can screw one up - and they frequently do.

When you give an untrained person ANYTHING, they can misuse it and harm
themselves and/or others. Such is the case with automobiles, knives, guns,
rocks, scissors, play dough, tiny magnets, pillows and on and on.....

The problem is that some people think that end user ignorance can be coded
around (i.e. UAC). That, somehow, programmers can make a system that stupid
users and malicious criminals cannot destroy. That, my friends, is a
fantasy of the highest order.

If you make it strong enough to block ANY unauthorized activity, you must
train the end user on what activities are ok to authorize and which aren't,
how to tell the difference and how to allow and deny each one. In effect,
you will have a hardened system that is so complicated (for the average
user) or such a pain to use (aka UAC) that people will not use it.
Infection rates will decrease - as will productivity.

OTOH, if you keep it simple enough for "anyone" to use, it's going to have
holes. There is no way to have a simple system that gives the end user the
absolute control that they demand without security risks.

This leads us somewhat closer to reality. Systems still need to be simple.
Very simple. Simple saves time in training, saves money in hiring the
employees to run the OS and makes getting replacement workers relatively
easy and cost effective. But, simple means that they can hurt themselves
(just as they can run with scissors or a knife and they can drink and drive
and they can throw rocks on the playground).

The reality is that education of the end user plus simple systems plus
SEVERE punishment of system abusers is the only realistic solution. Even
then, you will have people shoot themselves in the foot with their mouse
every once in a while and you will have bad people still doing bad things.
While we can never stop bad people from doing bad things, we can hunt them
down and use them as an example to the next person tempted to follow in
their footsteps (instead of giving an 18 year old virus writer 18 months of
a possible 30 year sentence).

And, we will still be here...fighting the good fight...trying to keep users
safe from themselves and from the bad guys.

jim
And, if you
Should it be any different? I don't think so.