[LINK] Schneier on Storm Worm
Kim Holburn
kim.holburn at gmail.com
Mon Oct 8 08:43:38 AEST 2007
On 2007/Oct/07, at 10:49 PM, Craig Sanders wrote:
> On Sun, Oct 07, 2007 at 07:57:37PM +0200, Kim Holburn wrote:
>> I don't think we really disagree on much. I just think that a lot of work
>> needs to be done so that computers do all the really hard part of the work
>> on security.
>
> i think we disagree on a pretty fundamental point from which all the
> rest follows. you think that a complicated, infinitely tool like a
(infinitely tool?)
> computer CAN be made as simple as a toaster or a car. I don't.
I know it can. I have a dedicated computer that solves NP-complete
problems on the fly and is so incredibly simple to use that virtually
anyone can use it, it is the size of 2 cigarette packets, can easily
fit in my pocket and can work for 5 hours. I never thought such a
thing would be possible. Did I mention it runs Linux, although I
didn't find this out for several months?
Making distributed networks of general purpose computers as simple as
a toaster is a bit harder of course, but not by any means impossible.
> in fact, i think that that ideal of simplification is a big part of the
> problem.
Sorry, computers and networks are only going to get orders of
magnitude faster and more complex from here on in. Unless part of
that power is given over to helping us use them they won't be
possible to use and definitely won't be used well.
To connect to the interweb I used to have to program modems in Hayes
talk. It used to really annoy me when given the right environment I
could simply plug a computer into a network (without a modem) and I
would be connected and also that fax machines which effectively used
the same modem technology could just be plugged in and they would
just work. We make this stuff hard to use.
> sure, bad technology is also a big part of the problem and better
> technology WILL help a lot, but over-simplification and protecting the
> user from all the "too-hard" details is a form of bad technology.
>
> unfortunately, the phrase "irreducible complexity" has been hijacked by
> loony creationists but computers are the area where the term actually
> applies...it is only possible to simplify them so far until you sacrifice
> the utility (or security or whatever) that you are aiming for.
>
> Windows is insecure only partly because of bad technology (sloppy
> programming AND bad design). another part of the reason is the misguided
> urge to protect the user from all the nasty details.
I think MS software is insecure for at least 4 main reasons:
1) bad defaults - the defaults are designed to be easy to set up and
to use rather than for security. Still. After all this time. This
can on occasions make it very easy to do very dangerous things.
(This could be relatively easily fixed.)
2) bad underlying design
3) a large percentage of the innovation is spent on sneaky ways to
lock people into MS systems.
4) you can never get under the hood, you never have any real control
over your system.
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961