Full Disclosure mailing list archives
User responsibility [was: CyberInsecurity: The cost of Monopoly]
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Tue, 30 Sep 2003 12:41:01 -0700
This discussion appears to have ranged into the "should users be required to be responsible for security" arena. So be it.

First, the people making the car analogies - I live in California, and I also am a licensed pilot. If the government required people to train, test, and recertify their driving skills as often as aircraft pilots do, there would be (a) far fewer drivers, (b) far fewer accidents, (c) far higher fees, and (d) far less money made by auto makers, insurance companies, tire stores, etc etc. The people who are making that money want more people on the road, skilled or otherwise, because that translates into more money.

What does that have to do with security? Everything...if you believe that money talks (at least in America). People, corporations, and governments make decisions that are going to benefit them monetarily. I assert that is part of why M$ products get shipped out the door untested and with so many security flaws - because "time to market" equals do re mi money >-)

Having said that, I take the position that all software should be shipped with few or no known vulnerabilities and with the default configuration set so that everything is *off* by default. That way users are *forced* either to learn how to configure and enable what they want, or else to have someone with a clue do the work for them (another previous argument - job security).

G

On or about 2003.09.30 13:45:02 +0000, Michael Smith (mike () sane com) said:
> Paul, you have a *slight* point with the fact that users need to be aware of security issues, but let's realize that no matter how easy UIs become, using/operating/maintaining a computer is NEVER going to be *nearly* as easy as driving a car. As far as not letting people drive a car without proof that they know how, my eyes tell me differently every day. Most people can't drive worth a damn.
>
> I certainly agree that computer users need to be aware, but as far as depending on that as the bottom line of defense, it just can't be. Your network is as secure as its LEAST secure point. All it takes is 1 lazy user to not maintain their machine and that's it. Obviously trained, knowledgeable users should be everyone's desire, I just don't think you can rely on it for your network security.
>
> For my money, I'll hope all my users understand and follow the training I've given them.... but I won't rely on it.
--
Gregory A. Gilliss, CISSP    Telephone: 1 650 872 2420
Computer Engineering         E-mail: greg () gilliss com
Computer Security            ICQ: 123710561
Software Development         WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html