::scr Internet Explorer - Danger in numbers?
David Cantrell
scr@thegestalt.org
Thu, 7 Mar 2002 16:06:15 +0000
Arvid wrote:

> David Cantrell wrote:
> > Not really. Security needs to be designed in right from the start,
> > but once it is, it need not get in the way of usability*.
> Even if security is designed in from the start, the user must still
> be aware that there is such a thing as security and how that security
> works.

As I mentioned later on :-)

> As far as ii) goes, Unix IS an archaic command-line based
> interface and it IS hard for newbies to learn.

I don't see it as being archaic, nor do I see it being any harder for
newbies to learn than Windows or the Mac. Windows and the Mac only
*seem* easier to learn because people get more exposure to them. I,
on the other hand, found them both rather hard to learn and Unix easier,
as I had early exposure to a CLI. I won't believe that Unix is hard to
learn for a user until a proper double-blind test has been done, but
good luck finding your test subjects.

> And the only built-in sources of info are extremely
> terse man pages.

Have you tried to use the Windows help? I for one find it useless, as
it is too damned hard to find what I want. There are a few notable
exceptions - Pegasus Mail and Forte Agent have excellent online
documentation. Man pages, on the other hand, whilst terse, *do* usually
contain the pertinent information. What is wrong with terse? With
terse documentation, I will either find what I want or I won't. With
Windows "help" I won't find it, but I'll be convinced that it's just a
few mouse clicks away and I'll waste time looking for something that
isn't there.

> When it comes to Windows, the ScopeID thing is just plain
> idiocy, but all security issues in Windows are troubled by the
> fact that Windows cries wolf all the time. Windows warns you
> about everything all the time, eventually teaching users that
> all these warnings can safely be ignored. Poor usability in
> a nutshell.

Indeed. See the entry in RISKS about a technician blindly clicking to
close those things whilst setting up a machine to do laser eye surgery.

> Forcing functions can be nice (like requiring users to login),
> but it only works as far as people use passwords that are hard
> to crack. The human is always the weakest link in this chain -
> average users, lazy sysadmins (like the ones at Jönköping
> "university", where I have a friend - they refuse to switch from
> Telnet to SSH because "it's too much work to learn new things")
> and whatever else.

I don't think anyone who knows what they're talking about has ever claimed
that the security problem can be solved purely technologically. You need
both appropriate software *and* appropriate procedures for dealing with
people. The appropriate procedure for those admins would be beheading.

--
Lord Protector David Cantrell | http://www.cantrell.org.uk/david
"Dave, being Evil is no excuse for indenting like a moonshine-crazed lemur"
-- Aaron Trevena