[2690] in WWW Security List Archive
Re: Active X security hole reported
daemon@ATHENA.MIT.EDU (John C. Pavao)
Mon Aug 19 12:34:14 1996
Date: Mon, 19 Aug 1996 09:58:41 -0700
From: "John C. Pavao" <pavaojc@rixix.sod.eds.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Chuck D'Antonio wrote:
>
> >John C. Pavao wrote:
> >
> >To say that the average user should be smart enough to not choose OK
> >when choosing OK is just what you have to do all the time to do anything
> >in Micro$oft Windows (name your version, name your application) is like
> >saying that soldier should have known better than to step on that
> >landmine because it was buried in the ground.
>
> I don't click okay to warning boxes until I've become familiar with them.
That's right. You don't. And I don't. But the people who use the
computers that I am responsible for here are not that discriminating.
They are under pressure to produce and will frequently do the quickest
thing. I'd be willing to bet that if a dialog came up that said "Erase
all files on Hard Drive: OK Cancel", some would press OK just to get
the box off the screen. We're talking about people who don't want you
to explain how to do something if it involves their computer, they just
want you to do it so they can do what they think is important.
> And they can be written in such a way as to get your attention without
> appearing as something to just click okay to and move on. My problem
> isn't with the users who chose to click okay, but rather with a vendor
> that would make something as important as security seem so trivial. To
> draw on your landmine analogy, if my commanding officer said to charge
> ahead into a field because fields never contain mines (much in the way
> that Microsoft encourages you to click okay to a security warning since
> most messages are trivial) then I would hope that his commanding officers
> and the media and everyone else who felt some responsibility for my
> well-being would be infuriated. If, however, he warned me that there
> might be mines ahead in a way that registered, I'd expect a much different
> reaction -- perhaps for everyone to think I was stupid.
>
> >Those of us who seem to feel that it's just too bad for the cutting-edge
> >technology illiterate would do well to remember that maybe people who
> >don't make their living running other people's computers hardly have
> >time to learn the pitfalls of the latest thing to pop out of the WWW
> >fad. I have no interest in learning medicine, but I want a bottle of
> >aspirin that it's safe to take. Shouldn't the doctor be able to sit
> >down at his computer and be able to use the web without having to learn
> >a second profession AND getting his computer FUBARed?
>
> Part of being on the cutting edge is being cut. And part of being cut
> is knowing where the first aid kit is. If you don't, step back from the
> edge. Come along later, or at least heed my advice today. I take an
> aspirin because I know it's safe -- I also wouldn't take it if the seal
> were broken, much like not accepting an untrusted Active X control, don't
> you think? I agree with you that MS has a responsibility (as do I as a
> system administrator) to make the use of the web less dangerous. But I also
> think that it's your fault if you charge ahead without understanding
> what's really going on. I don't know how to climb a mountain, so an
> experienced climber would be right in saying I deserved it if I jumped into
> doing so without learning how to do it.
I don't know if you are able to force a better knowledge level on your
users in a college setting, but here's a hypothetical business situation
I could describe in detail. One day you get an order from a manager:
install Netscape on all the PCs in the building. So you do, but you
disable the client-side stuff like Java, etc. to try to secure it. Then
suppose someone in your outfit develops something that uses one of the
things you disabled and convinces the manager that it's needed. Then
you're ordered to turn it back on. So you turn it back on. But most of
the people who use it are like the people above; when they see "OK
Cancel", they hit "OK" to get that darn box out of the way. In a
high-pressure business setting, people don't want to hear about these
things; if you try too often to warn them you get a "Chicken Little"
reputation and people stop listening to you altogether.
So if you're saying that the people who use computers should now be held
to a higher standard of knowledge because of the Web, I agree... in
theory. But the fact of the matter is that in a real-world situation
you're lucky if it happens. Being a large corporation as well as a
software developer, I have no doubt that M$ is aware of these things;
I'll bet they've done studies on how people use computers. That is why
I hold them to a degree of responsibility. I think M$ is fully aware
that the average business end user is going to be behind the eight-ball
when it comes to internet knowledge and that training can't always be
top priority to the people who set priorities. Yet, to stay competitive,
you've got to use the latest technology. Your customers don't want to
hear that you don't want to use the Web because of security issues; they
want the latest and greatest.
> >I subscribed to this list thinking it would be about ways to secure the
> >web, not messages from elitists who think the average user should be
> >weeded out.
>
> I subscribed to this list to learn what to tell my average users about
> potential security dangers on the web. I maintain my subscription for
> the same reason. For this reason, I think it's a very valid place to
> discuss the need for a higher level of user understanding when they use
> the web than they have when they use a standalone PC. The requisite
> knowledge for using PCs is different from that for using terminals is
> different from that for using punch cards. Now that machines are more
> and more interconnected, different knowledge is required. And this
> list is a perfect place for discussion of what that knowledge is
> vis-a-vis security issues. Like it or not, flames like those that irritate
> you about this thread foster such discussion.
Flames foster arguments, bickering, and ill-will. Civilized discussion
fosters discussion. I disagree most adamantly with you in this regard.
I feel that the biggest shortcoming of Usenet is the preponderance of
individuals who flame at will just because they're sitting safely behind
a monitor. That's childish behaviour.
John Pavao
(Opinions expressed are strictly my own and are in no way to be
connected with my employer.)