cas at taz.net.au
Sat May 23 08:44:31 EST 2009
On Fri, May 22, 2009 at 09:03:38AM +1000, Stilgherrian wrote:
> > encouraging end-users to accept as a matter of course that arbitrary
> > web sites will run unknown code on their computer just because they
> > visited the site, is encouraging a scenario that inevitably results
> > in the rapid spread of viruses and spyware on insecure systems (i.e.
> > those running Windows - the majority of desktops).
> For the most part I agree. But part of me says this horse has well and
> truly bolted.
and, of course, there are so many criminals in the world that we might
as well give up and disband all police forces because that horse has
bolted too. and CO2 levels are so high now that it's pointless trying to
even ameliorate the inevitable harm. and so on.
> And, I think, network security won't ever be solved by users having to
> make better choices because users' knowledge will *always* lag behind
> that of the attackers -- unless they're full-time network security
> types. And even then...
i think you'll find that my point was the opposite of what you're saying
flash, java, etc by default - is an essential part of the solution.
software that requires users to make a positive choice "yes, i want
to run the executable content on this particular site" rather than a
negative choice "no, i don't want to run stuff from that particular
site". off by default, enabled by the user when they perceive a need.
users may be no better at making such positive choices than they are at
making the negative ones but:
- they'll be safe BY DEFAULT
- they'll have to think about the issue every time they decide to
enable executable content for a site.
- they'll get better at it gradually with practice
- web-distributed malware will have a MUCH smaller impact because it
will only directly affect those who make a deliberate choice to run
code from an infected site.
- incidentally removing some of the incentive for writing such malware.
and the price for this is that web designers will have to actually THINK
about what they're doing and not get carried away with their usual
thoughtless technophiliac fetishism ("ooh, shiny! pretty! it must be good")
small price to pay, IMO.
> The question is, given the current reality and the unchangeable
> characteristics of human nature, what practically can be done?
not saying "it's impossible, people are irredeemably ignorant so let's
give up" would be a good start.
craig sanders <cas at taz.net.au>
More information about the Link