Secure Coding mailing list archives

Re: Administrivia & Request: Aloha, the moderator is back


From: jnf <jnf () datakill org>
Date: Tue, 30 Mar 2004 16:47:08 +0100


> But with personal computers there is this conflicting belief, stating on one
> hand that the computer should need no maintenance, so there's no need for
> understanding its inner workings, and on the other hand, if something happens, the same
> unknowledgeable user should take action. Note that the pairs (problem, user
> action) range from (personal firewall popup window, choose allow/deny) to (RPC
> buffer overflow found, install patches/deploy firewall/turn off service).

And most often the end user will take their computer to their
neighbor/friend/whatever in hopes they can fix it, and often that person is
little more than (I'll nab a word from Windows here) a power user.

In addition, I find the idea that an end user will deploy a firewall,
without any knowledge of the protocols they will allow/block AND still
somehow remain safe. I've watched so many people just click accept because
they don't know what it is and think it's important, or are just so sick of
little windows popping up that they just default to a rule of some sort
(accept/decline everything they don't know).

Again, I really feel the issue most needing to be addressed is user
education. As I said, it's the year 2004; things are not going to get less
complex, only more complex. A basic knowledge of computers and networks
(imho) is necessary, and will only become more necessary as time
progresses.


> My personal view of the problem is that there are two very important obstacles
> for computer security: one is the previously stated one about user education,
> the other is about (the industry/government/the professionals) understanding that
> software quality is a requirement for security.

I can agree here, but it would really depend on how such things were
handled. I mean, anyone can make a simple mistake and cause a bug; it
happens, it shouldn't, but that is life. Of course in-depth auditing should
be done before release, but well, it isn't always as in-depth as we'd like;
that also is reality. But overall I agree.

j

