Full Disclosure mailing list archives

User responsibility [was: CyberInsecurity: The cost of Monopoly]
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Tue, 30 Sep 2003 12:41:01 -0700

This discussion appears to have ranged into the "should users be required to
be responsible for security" arena. So be it.

First, the people making the car analogies - I live in California, and I 
also am a licensed pilot. If the government required people to train, test,
and recertify their driving skills as often as aircraft pilots do, there 
would be (a) far fewer drivers, (b) far fewer accidents, (c) far higher fees,
and (d) far less money made by auto makers, insurance companies, tire stores,
etc etc. The people who are making that money want more people on the road,
skilled or otherwise, because that translates into more money.

What does that have to do with security? Everything...if you believe that 
money talks (at least in America). People, corporations, and governments
make decisions that are going to benefit them monetarily. I assert that 
is part of why M$ products get shipped out the door untested and with so 
many security flaws - because "time to market" equals do re mi money >-)

Having said that, I take the position that all software should be shipped
with few or no known vulnerabilities and with the default configuration set
so that everything is *off* by default. That way users are *forced* either
to learn how to configure and enable what they want, or else to have someone
with a clue do the work for them (another previous argument - job security).

G

On or about 2003.09.30 13:45:02 +0000, Michael Smith (mike () sane com) said:

Paul, you have a *slight* point with the fact that users need to be aware of
security issues, but let's realize that no matter how easy UIs become,
using/operating/maintaining a computer is NEVER going to be *nearly* as easy
as driving a car.  As far as not letting people drive a car without proof
that they know how, my eyes tell me differently every day.  Most people
can't drive worth a damn.

I certainly agree that computer users need to be aware, but as far as
depending on that as the bottom line of defense, it just can't be.  Your
network is as secure as its LEAST secure point.  All it takes is 1 lazy
user to not maintain their machine and that's it.  Obviously trained
knowledgeable users should be everyone's desire, I just don't think you can
rely on it for your network security.  For my money, I'll hope all my users
understand and follow the training I've given them.... but I won't rely on
it.

-- 
Gregory A. Gilliss, CISSP                             Telephone: 1 650 872 2420
Computer Engineering                                   E-mail: greg () gilliss com
Computer Security                                                ICQ: 123710561
Software Development                          WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html