The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

I beg to clarify that I am not "blaming" anyone; I am describing a system
with known input-output properties and internal structures. We know how
this system behaves in terms of technology and human behavior, and we
know what to do to the inputs to change the outputs. If you choose
to smoke, you get cancer. Same with spam. If you don't want to have
spam, you have to change some behaviors. Some people will be inconvenienced.
Life is full of such choices.

As for the specifics of your comments, I could not disagree more, but it
is a philosophy of life that distinguishes our views, not the analysis of
the problem. I believe (like a lot of other New Englanders and even
some from California) that people must assume responsibility for their
actions. If responsibility is not enforced, society collapses (into e.g.
the kind of chaos we see on the internet.)

In 2004 no one is "tricked" into using rubbish software; there are
plenty of alternatives, and the rubbishy nature of the leading OS is
in almost every day's newspaper. It's a choice people make, like overeating
and gaining weight. No one is there with a gun forcing people to gain
weight.

As for "uneducated", the solution is the same as for bad drivers:
training. If you are a threat to the rest of the internet because of
your ignorance (or irresponsibility) then you do not qualify for
connectivity, just as bad drivers don't get licenses, bad credit
risks don't get credit, and drunk airline pilots stop flying.

To repeat: the solution to spam is to apply rigorously the same rules
to the internet as are used everywhere else in society. It is simple,
it pays for itself, it works, and it works immediately. Some people
will be upset, like the smokers who have to go outside for a puff or
even give up their habit. However the result is better for EVERYONE
including "the uneducated".

Jeffrey Race

: As for the specifics of your comments, I could not disagree more, but it
: is a philosophy of life that distinguishes our views, not the analysis of
: the problem. I believe (like a lot of other New Englanders and even
: some from California) that people must assume responsibility for their
: actions. If responsibility is not enforced, society collapses (into e.g.
: the kind of chaos we see on the internet.)

I like the term responsibility but how is it applied? If I own a vehicle,
what are my responsibilities? I have to obtain a driver's license which
gives me the privilege of driving a motor vehicle. Driving a motor vehicle
is an active choice, I am behind the wheel putting the vehicle in motion.
I am responsible for all the consequences of my actions while driving.
Where is my responsibility in vehicle ownership? Is it responsible to
leave the vehicle locked at the curb, unlocked, keys in the ignition? What
are my responsibilities when an unauthorized person uses my vehicle?
Driving a motor vehicle is a complex task. There is enforcement in place
and it is common knowledge that training and license is required to use a
motor vehicle.

What about a baseball bat? Where is my responsibility in owning a baseball
bat? If I store my baseball bat leaning against my backdoor, am I
responsible if my neighbour uses it without my permission to crack his
wife's skull?

: In 2004 no one is "tricked" into using rubbish software; there are
: plenty of alternatives, and the rubbishy nature of the leading OS is
: in almost every day's newspaper. It's a choice people make, like overeating
: and gaining weight. No one is there with a gun forcing people to gain
: weight.

My argument is that a computer needs to be in a safe state by default. I
firmly believe that if I buy a brand new box from any reputable vendor
with a premium operating system of choice I should be able to connect this
device to a local broadband connection indefinitely. It needs to be safe
without user training or user intervention.

: As for "uneducated", the solution is the same as for bad drivers:
: training. If you are a threat to the rest of the internet because of
: your ignorance (or irresponsibility) then you do not qualify for
: connectivity, just as bad drivers don't get licenses, bad credit
: risks don't get credit, and drunk airline pilots stop flying.

I can walk, I can take a bicycle. Owning a computer today is like owning a
performance car. There is no learning curve, it's all or nothing.

If this is the way it has to be, then service providers need to take
responsibility and provide a safe environment for the uneducated users.
This includes filtering ports, filtering emails, etc. A last resort is
terminating service if a user is unwilling to learn at all.

Adi

[snip]
:
: My argument is that a computer needs to be in a safe state by default. I
: firmly believe that if I buy a brand new box from any reputable vendor
: with a premium operating system of choice I should be able to connect this
: device to a local broadband connection indefinitely. It needs to be safe
: without user training or user intervention.
:

It would be nearly impossible for computer software makers to provide against
any type of attack by those so inclined. The result is that they are reactive
rather than pro-active.

Understand that the software maker wants his product to have all the features
and gee-gaws that make it attractive and simple to use, and most work well in
this area, but over-compensating for any potential type of attack before
delivery is, in my opinion, an impossible task.

One may wish that there were no vulnerabilities in any operating system, but
this is not the case. There are vulnerabilities in all the operating systems
in place today. There are many admins (even if the admin is an uneducated
end-user) who do not bother to update their software or operating systems.

This practice is why Linux/Unix systems get chrooted, Windows machines get
compromised, even OSX.

Some of the vulnerabilities are in the chipset on the motherboard, be it Intel,
AMD, or Motorola.
The software maker must try to compensate for those failings as well.

As long as there are otherwise bored miscreants who will continue to try to
exploit the vulnerabilities they will continue to happen, no matter what the
patch position is, no matter the OS or chipset used.

There are many security capabilities built into many OS distributions, and
relatively few are ever implemented. Why? Your guess is as good as mine, but
my guess is that it is time consuming of time that is not budgeted.

just my 0.02

Operating systems bundled with a retail computer _should_ be reasonably
secure out of the box.

OS X can be placed on an unprotected internet connection in an unpatched
state and its default configuration allows it to be patched to current
levels without it being compromised.

On the other hand Win2k & XP will be compromised in under 5 minutes if
connected to the same unfiltered connection (The record here is 35 seconds
for time to compromise).

I am not saying that OS X is the paragon of all things good. But its
basic settings take into account the average user's skill level and
ability to secure the OS; if you want less security the user needs to
_specifically_ configure the machine to allow the reduced level of
protection.

Whereas the desire for chrome on WinXXXX has made a platform which is
virtually impossible for the average user to secure.

I use both on a daily basis as well as Solaris and Linux so I consider
myself somewhat agnostic on OS choices as each does something better than
the others and I use it for that function.

                            Scott C. McGrath

Doug White writes:

: It would be nearly impossible for computer software makers to provide
: against any type of attack by those so inclined. The result is that
: they are reactive rather than pro-active.

That's not the point. The difference in degree of security between
Windows and Mac OS X is so great as to be a difference in kind. It is
possible for vendors to build, and customers to buy, sufficiently safe
Internet client software.

It is also possible to mitigate the spam problem (which started this
whole thread, as you may recall :). From where I'm sitting, Apple Mail's
spam detection feature, Spam Assassin, and similar products all do a
sufficiently good job. I get obscene amounts of spam at this account,
but I see very little of it (even though my version of Spam Assassin is
old).

Now, I know network operators have a different point of view (I have
been one): that spam consumes expensive network resources. But even
Hotmail (and who could have a worse spam problem than Hotmail?) only
blackholes specific hosts or small subnets, and only then for 24-48
hours. This idea of cutting off entire ISPs/countries/operating
systems/ethnicities from their access to certain or all services is very
poor and reflects badly on those who propose it.

The spam problem is as mitigatable as it is bad, and taking away or
reducing the usefulness of the network in order to save a few bits or
bucks is a bad trade. Freedom, openness and universal access are worth
the trouble.

Why is it that some people respond to the problem by breaking things
rather than building things? In particular, something like Bastille (the
Linux hardening kit) for Windows would be great.