Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

[Brian Russo <brian () entropy net>]

At Mon, Apr 19, 2004 at 08:22:48AM -0400, Chris Brenton wrote:
> Agreed. I think part of what makes 0-day easier to hide *is* the raw
> quantity of preventable exploits that are taking place. In many ways we
> have become numb to compromises so that the first response ends up being
> "format and start over". If 0-day was a higher percentage, it would be
> easier to catch them when they occur and do a proper forensic analysis. 

Right, they fit in with the noise.

> <RANT>
> I guess I have a hard time blaming this type of thing on the end user.
> Part of the fall out from making computers easier to use, is making it
> easier for end users to shoot themselves in the foot. One of the
> benefits of complexity is that it forces end user education. I'm
> guessing that if you had to load SQL as a dependency you would have
> caught your mistake before you made it. 
>
> Let me give you an example of the easy to use interface thing. Back in
> 2000 I made it a personal goal to try and get the top 5 SMURF amplifier
> sites shut down. I did some research to figure out what net blocks were
> being used and started contacting the admins. Imagine my surprise when I
> found out that 3 of the 5 _had_ a firewall. They had clicked their way
> though configuring Firewall-1, didn't know they needed to tweak the
> default property settings, and were letting through all ICMP
> unrestricted and unlogged. 
>
> IMHO its only getting worse. I teach a lot of perimeter security folks
> and it seems like more and more of them are moving up the ranks without
> ever seeing a command prompt. I actually had one guy argue that
> everything in Windows is point and click and if you could not use a
> mouse to do something, it was not worth doing. Again, I don't see this
> as an end user problem because as an industry we've tried to make
> security seem easier than it actually is. We want to make it like
> driving a car when its more like flying an airplane. 

That's pretty sad, I can forgive users, but nobody doing 'security' 
should be living in a pure GUI world, to extend your analogy it would be 
like only knowing how to configure the autopilot and getting a pilot's 
license.

As far as mainstream users..
* Software needs to patch itself, users aren't going to do it.
* Software needs to be intuitive, people interact with computers as if 
they were doing 'real' things. Things like cut and paste are easy 
because they make sense...
* Software patches need to WORK and not screw up Joe User's system, 
believe me they won't "understand" that software is never bug-free, 
they'll instead swear off installing patches in future.
* Software needs reasonable defaults.. this doesn't necessarily mean 
turning every feature off.
* Wizards and/or a choice of 'starter' confs can be great.