::scr Internet Explorer - Danger in numbers?

[David Cantrell]

Arvid wrote:
> David Cantrell wrote:
> > Not really.  Security needs to be designed in right from the start,
> > but once it is, it need not get in the way of usability*.
> Even if security is designed in from the start, the user must still
> be aware that there is such a thing as security and how that security
> works.

As I mentioned later on :-)

> As far as ii) goes, Unix IS an archaic command-line based
> interface and it IS hard for newbies to learn.

I don't see it as being archaic, nor do I see it being any harder for
newbies to learn than Windows or the Mac.  Windows and the Mac only
*seem* easier to learn because people get more exposure to them.  I,
on the other hand, found them both rather hard to learn and Unix easier,
as I had early exposure to a CLI.  I won't believe that Unix is hard to
learn for a user until a proper double-blind test has been done, but
good luck finding your test subjects.

>                And the only built-in sources of info are extremely
> terse man pages.

Have you tried to use the Windows help?  I for one find it useless, as
it is too damned hard to find what I want.  There are a few notable
exceptions - Pegasus Mail and Forte Agent have excellent online
documentation.  Man pages, on the other hand, whilst terse, *do* usually
contain the pertinent information.  What is wrong with terse?  With
terse documentation, I will either find what I want or I won't.  With
Windows "help" I won't find it, but I'll be convinced that it's just a
few mouse clicks away and I'll waste time looking for something that
isn't there.

> When it comes to Windows, the ScopeID thing is just plain
> idiocy, but all security issues in Windows are troubled by the
> fact that Windows cries wolf all the time. Windows warns you
> about everything all the time, eventually teaching users that
> all these warnings can safely be ignored. Poor usability in
> a nutshell.

Indeed.  See the entry in RISKS about a technician blindly clicking to
close those things whilst setting up a machine to do laser eye surgery.

> Forcing functions can be nice (like requiring users to login),
> but it only works as far as people use passwords that are hard
> to crack. The human is always the weakest link in this chain -
> average users, lazy sysadmins (like the ones at Jönköping
> "university", where I have a friend - they refuse to switch from
> Telnet to SSH because "it's too much work to learn new things")
> and whatever else.

I don't think anyone who knows what they're talking about has ever claimed
that the security problem can be solved purely technologically.  You need
both appropriate software *and* appropriate procedures for dealing with
people.  The appropriate procedure for those admins would be beheading.

-- 
Lord Protector David Cantrell | http://www.cantrell.org.uk/david

  "Dave, being Evil is no excuse for indenting like a moonshine-crazed lemur"
        -- Aaron Trevena