CD drive question

[David Maynard]

On Fri, 05 Aug 2005 11:37:45 +0200, Mxsmanic



Again, wrong.
MS sought to be the sole source of operating system on
PCs-for-the-masses. One can't argue these masses are
supposed to have advanced security oriented training, but
even if they did, it would be to CLOSE holes, prevent the
insecure features from infecting their system. That's the
opposite of secure.

I'm sorry but Mxsmanic is right and there's nothing you can do to make
something 'secure' from users without removing the users ability to control it.

Knives aren't 'safe' unless no one touches them. Cars aren't 'safe' unless
you remove the drivers. And computers aren't 'secure' unless you remove the
users.

The most you can do is add warning labels and safety features, like
scabbards and finger guards, but you can't stop some lunatic from running
across the skating rink with a blade in his hands and it's absurd to blame
the knife maker if he falls on the stupid thing.

 

[kony]

yeah yeah yeah should we wait for xinux? Give the rhetoric a
break.......You know what?, you all should have been around in the early
80's and 70's and used computers, with that experience behind you wouldn't
(shouldn't) be talking bulllshit. The problem with any OS is the element
that spends its every waking moment writing destructive code and use that to
make things insecure.

Dear clueless one, I WAS using computers in the 80's and
70's. Thanks for trolling by though!

Too bad we can't see the what things would be like if MS never
was...........

yes, it is a shame we can't have both perspectives
simultaneously.

I would think that this forum wouldn't even exist.

WOW, you truely are an idiot. "Hardware" groups would
unquestionably exist because usenet did.

I have been
waiting for an usable OS since 1989, alternatives are all but dead. ANYTHING
that YOUR machine does, gets itself into, gets infected, won't boot,
crashes, or whatever the hell else your complaining about IS YOUR FAULT.
Instead throwing up all the same old rhetoric, why don't you learn to USE
and SECURE YOUR system.

OK, then deny this quote (not mine):

"On August 9th, Microsoft is set to release six patches to
fix possible serious security holes in its Windows operating
systems:

Some of the vulnerabilities carry a maximum severity rating
of "critical," meaning they could put Windows machines at
risk of an Internet worm, even without any user action."



Now, if you had your head out of your arse you'd have noted
that I never claimed I didn't learn to use or secure "my"
systems. If you could read for comprehension you'd have
noted all along that the argument was that further actions
are necessary to do so, a clear sign it isn't yet secure for
the general populace to which it's marketed.

No matter how great you are at securing the boxes under your
control, OTHER peoples' insecurty can still effect you.

It's a matter of making a product suitable for the market
it's targeted towards. No matter how much you want to blame
the users, there's no point to it. They could similarly
claim you're cluess at any of their respective trades and
that you should become more competent at (whatever), but
this is not the scenario faced by avg joe computer users-
they are not expected to do brain surgery themselves, build
their own TV sets or any other technical endevours yet you
argue they should have operating system security insights.
Come back to reality, the grand idea doesn't work as proven
over the past few years of viri, worms, spyware, etc.

 

[Mxsmanic]

Do you advocate using Windows Update?

Not in automatic mode.

Do you expect people to use IE for it?
No.

How about Messenger, is it a running service by default?

I think it was, but I don't know now, although Windows Messenger is
harmless. I have it set to manual, though.

Again, wrong.

No, it's right. I've been doing security for a long time. Users are
by far the weakest link in IT security. Unless you can get them to
behave, the rest is a waste of time.

Exactly, you have to "try" to make it secure, because it isn't yet.

You can design it secure, which was largely the case with NT.

Yes, you're talking about managing them as much as
reasonable to minimize the insecurity that is in fact
present, and trusting them to not act in a way that makes it
likely they'll be exploited though these insecurities, or
trying to fix the holes left open so less trust is needed.

The major insecurity present is the users themselves.

Wrong. Most compromises are due to features that should not
be pre-configued to allow exploits.

Most users are too stupid to know of the risks. Modern computers are
very complex, and modern users are extremely ill-informed. It's a
wonder that they don't have even more trouble than they do.

I note that all users do not have the same level of trouble. Some,
like me, never have any problems; others have a non-stop series of
problems no matter what OS they run or what they do. And yet we're
all running the same software. What might this imply?

It should start out secure and with lower functionality ...

Systems configured like that don't sell. People don't want secure
systems, they want features.

Wrong. You keep thinking "feature". That's backwards. It
is not an added feature that makes it secure, it's
subtracting the insecure features, closing holes.

You cannot have features without insecurity.

This is where MS keeps going wrong, thinking that piling on more
crap somehow makes it palatable.

MS needs to sell its products, like any other company, and so it
builds products that have what people appear to want to buy. People
buy features much more willingly than they buy security, so MS
emphasizes features. So does every other successful software company,
unless they are military contractors.

I have never claimed a user can't wrongly act, but for the
most part a user does not seek to be exploited.

Almost all breaches are user errors.

It is unreasonable to expect every user to have the same security
skills you do ...

Then it is also unreasonble to expect their computers to be secure,
unless you remove all the functionality from the OS, turning the
system into a highly secure paperweight.

 

[JAD]

Dear clueless one, I WAS using computers in the 80's and
70's.

Then speak as though you have

Thanks for trolling by though!

I resent that as I have been logged into this group for many years, trolling
is not my speciality.
But I realize that its a good way of getting people not to read the other
side of the story.

yes, it is a shame we can't have both perspectives
simultaneously.




WOW, you truely are an idiot. "Hardware" groups would
unquestionably exist because usenet did.

un huh with what type of traffic? Oh wait I forgot, you would like just a
'select' few to use the web. A select few hardware producers and those who
can figure out xinux.
Lets go back to bulletin boards and z modem downloads. Hmm were things
'secure' then?

OK, then deny this quote (not mine):

Why?...its you who say its the software producers problem and I say its the
degenerates that produce viruses and exploit the holes instead of using
their knowledge to a positive end.

"On August 9th, Microsoft is set to release six patches to
fix possible serious security holes in its Windows operating
systems:

Much like MANY products, things are recalled because of defect, I do not see
an attack from degenerates as a defect. NOTHING (other than nature) is
perfect. Even though people try and sue the auto industry for their tires
being stolen, its utter bullshit and doesn't make it justified. Even though
people have tried to screw the auto industry, they turned around and offered
anti theft devices. They drive like idiots and roll over and its the tires,
its the car, its EVERYTHING else but them (thats the 21st century way). Its
not the manufacturers problem that there are ignorant drivers on the roads
anymore than there are crooks in the world, its our fault/problem.

Some of the vulnerabilities carry a maximum severity rating
of "critical," meaning they could put Windows machines at
risk of an Internet worm, even without any user action."

Yeah someone's porno jpgs may be in jeopardy or their 4th of July AVi's
maybe infiltrated. AFA commercial implications...PC-HOMEBUILT is the name of
these groups. From what I have seen, companies need to be way more picky
about WHO they hire to do their administrating and not worry what OS they
are running.

Now, if you had your head out of your arse you'd have noted
that I never claimed I didn't learn to use or secure "my"
systems. If you could read for comprehension you'd have
noted all along that the argument was that further actions
are necessary to do so, a clear sign it isn't yet secure for
the general populace to which it's marketed.

follow your advice, except I would compare you to an Ostridge with his head
in the sand.

No matter how great you are at securing the boxes under your
control, OTHER peoples' insecurty can still effect you.

It's a matter of making a product suitable for the market
it's targeted towards. No matter how much you want to blame
the users, there's no point to it. They could similarly
claim you're cluess at any of their respective trades and
that you should become more competent at (whatever), but
this is not the scenario faced by avg joe computer users-
they are not expected to do brain surgery themselves, build
their own TV sets or any other technical endevours yet you
argue they should have operating system security insights.

come on.....as long as there are humans that do 'evil' things, nothing is
safe.
A punk paints a tag on your wall, you blame the paint manufacture because it
didn't erase automatically?
Someone breaks into your car, you blame the glass company/auto industry
because your 12000$ stereo was too enticing?
Someone breaks into your house, you blame the door /window manufacturer
because it didnt hold up under the crowbar?

Microsoft does what it can to 'keep at bay' the people who spend their lives
trying to make a name for themselves.
They have never said that any software is 100% secure, thus(1 of the
reasons) you 'lease' and never buy...its always a work in progress, much
like all security issues. There are WAY too many scenarios for all the bases
to be covered for any amount of time.

Come back to reality, the grand idea doesn't work as proven
over the past few years of viri, worms, spyware, etc.

I know where I am, You have lost your way. If linux were 60% as popular as
windows, and Java, active X etc. enabled, and had an integrated
browser...how secure do you think it would be?

 

[Mxsmanic]

Why?...its you who say its the software producers problem and I say its the
degenerates that produce viruses and exploit the holes instead of using
their knowledge to a positive end.

A lot of bad guys aren't bright enough to be good guys. It takes more
brains to secure a system than it does to compromise it.

I know where I am, You have lost your way. If linux were 60% as popular as
windows, and Java, active X etc. enabled, and had an integrated
browser...how secure do you think it would be?

It would leak like a sieve.

 

[kony]

I'm sorry but Mxsmanic is right and there's nothing you can do to make
something 'secure' from users without removing the users ability to control it.

Untrue. The hole can be shut by default rather than open by
default, such that action by users is necessary to CAUSE
insecurity rather than prevent it.

Knives aren't 'safe' unless no one touches them. Cars aren't 'safe' unless
you remove the drivers. And computers aren't 'secure' unless you remove the
users.

Windows isn't secure even without the users.
On the contrary, it requires users to hands-on secure it.

The most you can do is add warning labels and safety features, like
scabbards and finger guards, but you can't stop some lunatic from running
across the skating rink with a blade in his hands and it's absurd to blame
the knife maker if he falls on the stupid thing.

That is completely wrong. The LEAST that could be done is
to make it secure with default settings, require the extra
effort (which users don't typically take) to open holes.

It's a bit like selling a car with a seatbelt kit stowed in
the trunk that a driver can install themselves.

 

[kony]

Not in automatic mode.

Then what mode?
Would that use IE?
Would you have to have features enabled that HAVE been used
to exploit IE to get WIndows Update to work? Yes.

No.

Then how did you propose the average joe, who has only
windows system, to get them?

I think it was, but I don't know now, although Windows Messenger is
harmless. I have it set to manual, though.

"Harm" is not constrained by your definition. Security does
not hinge on whether you consider something inherantly "bad"
or "harmful", rather than actions specifically undesirable
by the user or owner of the system.

No, it's right. I've been doing security for a long time.

You may know a great deal about security, but that doesn't
begin to mean you can blame users. Quite the contrary, it's
evidence that the users would NOT be expected to know these
things you've learned over a "long time".

Users are
by far the weakest link in IT security. Unless you can get them to
behave, the rest is a waste of time.

.... only so long as you assume windows is secure. Faulty
argument, if windows were secure then the typical user
behaviors would not result in security breeches.

Perhaps you fail to see who this OS is marketed towards.
It's intended to be used by the masses. It would be
ridiculous to claim the masses will be, should be highly
educated about every technology they come in contact with in
their lives. It is quite unreasonable and any other
profession could make same claim, instead of realizing that
technology does not exist to become a burden but to serve.

You can design it secure, which was largely the case with NT.

I'm sure it had a good beginning, then hole by hole it
degraded.

The major insecurity present is the users themselves.

Again, NO.
Users can indeed do stupid things, but the real chance of
insecurity exists without any user action. IN FACT, MS
themselves have issued critical security updates that
specifically mention risks without any user action. Do you
claim even MS is wrong?

This is a silly discussion, no matter how much you want to
argue it, the proof is all around you. People get infected
because they didn't take additional measures that are
unreaslistic to expect from those in unrelated professions.

You would like to claim you're right because of some vast
knowledge about it, but that's exactly why you're wrong,
because you keep ignoring the lack of security experience
that the avg. user has.

 

[kony]

Pardon me but you waaaaaaaaaaaaaaaaaay underestimate what people will
'install' even when they 'know'. Most people know there are 'viruses' but
they haven't a clue how they work and no matter HOW much you tell them to
not install things they still do because they don't think whatever it is is
a 'problem' for the obvious reason that malware doesn't come with a warning
sign attached to it. In fact, it's just the opposite. Malware tries to look
as 'nice and legit' as possible and people fall for it over and over even
after being bit.

Yes, it is in fact a reality that some people will install
such things. That is no proof that it doesn't happen
without a user making such a choice, nor that it is the
majority of cases.

And that's before you get to "the kids are always downloading things" and
popups that fake the close X or reverse the <yes><no> or have them both a
yes regardless of what the button says, people who will never get it
through their head that "readme.TXT.js" is not a text file, fake 'security'
emails, and "your account needs renewing."

If a user goes out on the 'net and enters their personal
info into a fake website, I wouldn't consider that an OS
security breech. If a kid downloads a file and runs it,
that is not an OS security breech either, it is what the
user chose to do. I'm not trying to lump together every
possible malware on the planet nor every possible user
mistake and blame the OS for it all. On the other hand, IF
a user did none of these things, they still don't have
security.

True, people do not intentionally infect their systems but they do it all
the time, in droves, by their own actions. And I assure you that when asked
they'll tell you they haven't done a thing because they don't know they did it.

That's a large part of why the holes shouldn't be open in
the first place.

 

[Mxsmanic]

Untrue. The hole can be shut by default rather than open by
default, such that action by users is necessary to CAUSE
insecurity rather than prevent it.

All insecurity is caused by the actions of users.

Windows isn't secure even without the users.

All operating systems are secure without users.

That is completely wrong. The LEAST that could be done is
to make it secure with default settings, require the extra
effort (which users don't typically take) to open holes.

The market doesn't want systems that are configured for high security
by default.

 

[Mxsmanic]

You may know a great deal about security, but that doesn't
begin to mean you can blame users.

One of the things that long experience with security teaches is that
users are the cause of just about all security problems.

I'm sure it had a good beginning, then hole by hole it
degraded.

Nobody wanted a secure NT.

 

[Mxsmanic]

That's a large part of why the holes shouldn't be open in
the first place.

Every feature of an operating system is also a hole.

 

[David Maynard]

Untrue. The hole can be shut by default rather than open by
default, such that action by users is necessary to CAUSE
insecurity rather than prevent it.

It doesn't work. The first thing they'll do is turn on/off/bypass whatever
it is and all you'll accomplished is to irritate the hell out of the user
because it was such a pain to find out how to get around your 'security'
features.

You, of all people, should appreciate that, what with simply having the
game CD in the drive being such a monumental copy protection burden.

Default everything to 'closed' and I assure you they won't even bother to
'configure' it, they'll flat turn the whole subsystem off (firewall being
an example), assuming anyone buys the 'pain in the butt', 'never works',
'what the hell were they thinking', unfathomable monster.

Windows isn't secure even without the users.

Sure it is. No one to turn it on.

On the contrary, it requires users to hands-on secure it.

ANY computer system has to be configured.

That is completely wrong.

Not so.

The LEAST that could be done is
to make it secure with default settings,

Already addressed above.

require the extra
effort (which users don't typically take) to open holes.

Nonsense. The FIRST thing they do is open all the holes because it's such a
pain in the butt to use with them closed.

It's a bit like selling a car with a seatbelt kit stowed in
the trunk that a driver can install themselves.

No, it's like selling cars that won't start without the seat belt buckled
and you may remember the hue and cry when they attempted that one.

But the seat belt is only one thing and you're claiming the "system isn't
secure" if you can find ANY way to get into it. So add to that a speed
limit detector, so we know what it is, and a throttle pedal control. Then a
road sensor for steering control. And proximity sensors for too close. And...

Well, I haven't figured out the 'drive over a cliff', "that other car is
about to ram me," "martha is doing her lipstick while driving," and "John
just bloody well went to sleep at the wheel" sensors yet.

And you will note that none of those things 'default' to 'safe' and they
depend on the user having some level of 'expertise' to operate it properly.

Even if it were possible to make a 'perfectly secure' OS, and it isn't
because there's no such thing as a perfect man-made anything, you simply
can't have both an easy to use 'computing appliance' and a bazillion
security hoops at the same time nor can you prevent the user from screwing
it up at will.

 

[kony]

All insecurity is caused by the actions of users.

That has been proven wrong and MS has repeatedly posted
critical updates on their site that clearly state systems
are vulnerable without any action necessary from users.

It's not my burden to convince you of what MS themselves
already admit. I'm done with the thread.

 

[David Maynard]

Yes, it is in fact a reality that some people will install
such things.

That's what I mean about you waaaaaaaaaaaaaaaaaaaay underestimating it. It
ain't just 'some people'.

That is no proof that it doesn't happen
without a user making such a choice,

Now that's a silly comment. Of course they do it 'by choice', whatever it
is vs whatever they thought it was, and no one suggested otherwise.

nor that it is the
majority of cases.

And you base that on what? The well known sophistication, savvy, and
expertise of the average computer user?

If a user goes out on the 'net and enters their personal
info into a fake website, I wouldn't consider that an OS
security breech. If a kid downloads a file and runs it,
that is not an OS security breech either, it is what the
user chose to do. I'm not trying to lump together every
possible malware on the planet nor every possible user
mistake and blame the OS for it all.

The point was that 99% of the time you'll never know they didn't do
precisely that, or something else equally unfortunate.

On the other hand, IF
a user did none of these things, they still don't have
security.

There's a hell of a lot of other things they can, and do, do too.

That's a large part of why the holes shouldn't be open in
the first place.

Well, it would solve the problem by no one having the patience to operate
the computer, much less buy it.

Wouldn't make them 'secure', because nothing is; there just wouldn't be any
to speak of.

 

[David Maynard]

kony writes:




Every feature of an operating system is also a hole.

Hehe. True. And since nothing mankind does is perfect, it's like trying to
seal off a hole with plugs that have holes.

 

[G]

I'm pretty sure this will not have any affect, but for the benefit of
all of us: PLEASE, DROP IT!


Isn't there anything productive you guys are interesting in learning?

Glen

 

[Mxsmanic]

That has been proven wrong ...

No, it has not.

... and MS has repeatedly posted
critical updates on their site that clearly state systems
are vulnerable without any action necessary from users.

You have to use a system to make it vulnerable.

It's not my burden to convince you of what MS themselves
already admit.

Good, since you're not very persuasive.

I'm done with the thread.

You've said that at least three times now, if I'm not mistaken.

 

[Mxsmanic]

Hehe. True. And since nothing mankind does is perfect, it's like trying to
seal off a hole with plugs that have holes.

One sees the same phenomenon with computer programming languages. For
decades, everyone has sought the holy grail of a computer language
that can be used for anything and is completely flexible and yet
somehow prevents the programmer from making coding or logic errors.
But such a language is impossible. The more flexible the language,
the easier it is to make mistakes with it; the harder it is to make
mistakes with a language, the harder it is to use it to program
anything useful.

A classic example of this misunderstanding is Ada, which was supposed
to make all programming safe. It did nothing of the kind, of course,
and it was so huge and complex and impractical that even its principle
proponent (the Department of Defense) formally waived the Ada
requirement systematically for just about every programming project it
undertook. I don't recall anyone else ever using Ada at all, although
I suppose someone did.

COBOL-85 was another joke, but I won't go into that.

 

[David Maynard]

kony writes:




No, it has not.




You have to use a system to make it vulnerable.

I think you've overstated the case here and are using what might be called
a 0 divided by 0 kind of argument: an interesting but impractical and,
hence, essentially meaningless equation. By that I mean a system that isn't
used is a useless situation (0) and you wouldn't have such a system to
begin with (0). And who would make something to not use? "Use" is implicit.

The practical question is whether a system, with which the user of that
system makes no mistakes whatsoever, can be compromised and I think Kony is
correct in saying that is proven to be the case.

Frankly, I was rather surprised when you made the absolute 'user' statement
to begin with because, from your other message about programming language
fallibility, it's obvious you recognize that any complex man-made system
can, and by nature must, be flawed itself.

 

[David Maynard]

David Maynard writes:




One sees the same phenomenon with computer programming languages. For
decades, everyone has sought the holy grail of a computer language
that can be used for anything and is completely flexible and yet
somehow prevents the programmer from making coding or logic errors.
But such a language is impossible. The more flexible the language,
the easier it is to make mistakes with it; the harder it is to make
mistakes with a language, the harder it is to use it to program
anything useful.

A classic example of this misunderstanding is Ada, which was supposed
to make all programming safe. It did nothing of the kind, of course,
and it was so huge and complex and impractical that even its principle
proponent (the Department of Defense) formally waived the Ada
requirement systematically for just about every programming project it
undertook. I don't recall anyone else ever using Ada at all, although
I suppose someone did.

COBOL-85 was another joke, but I won't go into that.

Yep. And it applies to any process involving human beings. Which includes
the man derived systems intended to prevent man from making mistakes.

It's not simply an esoteric intellectual amusement either because the most
common flawed argument is "oh this <insert process/system> is no good
because I can point to a 'flaw' in it." Of course you can. It's man made,
isn't it?