Andrew Plato wrote:

> The third point is absurd. It flies in the face of decades of security
> reasoning that says, when you have risks - mitigate them. Rather than
> focus on the risks, Geer focuses on the environment where those risks
> exist. And rather than talk about mitigating the risks, the paper
> suggests that we need to fundamentally alter the environment (i.e. bust
> up Microsoft.)

I don't see the paper arguing for busting up Microsoft, but for giggles let's say it does.

> Furthermore, if the real problem is that many systems in this
> monoculture are left unpatched or unsecured, then clearly the problem
> isn't the systems or the company that makes the OS - it's the people and
> organizations that use them.

So the organizations and people should change. I think the impact of worms and other malware shows that many, possibly most, don't. I fail to see how what you argue should happen is in any way less of an environment change than busting up Microsoft. Please explain how altering the behavior of MILLIONS of people is less of an environmental change than altering the organization of ONE corporation?

Granted, in a perfect world people would properly patch their systems. In a perfect world, I'd have the body of the governor-elect of California, instead of a body that resembles an oversized Krispy-Kreme (don't ask about the hole in the middle, it's a long story).

> When somebody fails to act responsibly with
> a car and hurts another person, we don't shut down the car
> manufacturer.

Ah, but this analogy is flawed. With cars and other products, when there is a consistent and recurring set of problems we DO hold the manufacturer liable. Remember the Corvair, the Pinto, burning hot McDonald's coffee? When there is a problem with the normal operation of a product, the manufacturer is responsible to fix it; if they know about a problem and don't fix it, they are legally liable for the damages that occur and can be subject to punitive damages.

But Microsoft disclaims liability for damages caused by its software. So the analogy is doubly flawed.

> If you use a computer and
> connect to a public space, you have a responsibility to secure those
> systems. If you don't, then you will pay the consequences, as will others
> in that public space.

Yeah, and to experts it is clear the Internet is a public space, and we know that MS software is open to MANY attacks and needs additional security. However, when Grandma uses Internet Explorer she doesn't realize she's in a public place, she doesn't know network services are exposed, she doesn't know what a TCP is, and she doesn't know what fabric store to go to to buy patches for the Internet. To expect her to somehow realize that she needs to secure her computer is just not realistic.

I prefer the "diversity" approach. Buy Grandma a Mac. ;->

Frankly, I expect diversity will continue to decrease. Even the "security solution diversity" Andrew talks about will decrease. Security providers will merge, products will die, the market will consolidate. Microsoft will introduce security software to try to fix Grandma's computer, then software companies will die like Stacker and Netscape. Beyond that, to grow the PC market Microsoft will push PCs onto ever less technically inclined people, who will make the problems worse.

What happy thoughts, eh?

Cheers,
Brad

_____________________________
Brad Siemssen
Strongbox Network Services
www.strongboxnetworks.com
brad@private
503.466.1416
This archive was generated by hypermail 2b30 : Wed Oct 08 2003 - 16:39:40 PDT