Shenan
Sat May 13 16:53:03 CDT 2006
Imhotep wrote:
> Shenan Stanley wrote:
>
>> Kerry Brown wrote:
>>> The user is the strongest or weakest link in the security chain.
>>>
>>> Well said.
>>
>> Imhotep wrote:
>>> No the weakest link in the security chain is the software the user
>>> is using...If the software does not allow the users to do anything
>>> stupid, then stupid users can use software! :-)
>>
>> That's like saying vehicle wrecks are the vehicle's fault. Or the
>> road's fault. Or the weather's fault.
>> It is a combination of all those things and the driver(s) in most
>> cases.
>
> BS. If the car is defective then it is the car manufacturer's fault.
>
>> Same with computers.
>>
>> I cannot say that Windows is the most secure OS.
>> I cannot say that Linux is the most secure OS.
>> I cannot say that Mac OS X is the most secure OS.
>
> What does this have to do with this thread???? This thread is not
> about which OS is more secure...
>
>> The security level of all those depends on the user/administrator
>> of the system - as was pointed out by Imhotep by the explanation
>> of a particular way to configure linux. So yes - the
>> user/administrator is the *hub* of the security system.
>
> This is where we disagree. The software is the *hub*. An
> administrator only assists where necessary, if necessary.
>
>> It only makes sense - the computer itself would have little to do
>> (as a tool) without the user - just like the vehicle would have
>> little to do without a driver. Both are tools to accomplish a
>> purpose - and like any tool - much of its longevity, usefulness
>> and quality of resultant work are determined by the person
>> using/managing such tools.
>
>> For a non-computing example - look at a set of auto mechanics
>> tools at an auto mechanic shop. Let's say that the mechanic is
>> mediocre - does okay work, fixes cars but not quickly. Someone
>> else who works there (but is not
>> a mechanic) takes care of all the tools that the mechanic uses.
>> Keeps them cleaned and oiled and rust-free. (In computer terms -
>> the user is reckless, the administrator does what they can to
>> keep the computer running tip-top.) However - when the mechanic is
>> actually using the tools (and perhaps not in
>> a skilled way) - the tools are out of the non-mechanics' hands.
>> They may come back broken from use, perhaps a screwdriver gets
>> used across a starter and gets blown in half or a wrench drops in
>> a running belt system and gets
>> mangled. Perhaps the tool just shatters under pressure (even if
>> it was rated to that pressure.)
>
> Again, you are assigning blame to users. Which is nothing more than
> a shameless way of avoiding any blame to yourself. If your users
> are using unsafe software, then you are at fault for not finding
> safe software for them to use...pure and simple.
>
>> As you can see - even with a careful maintenance person (admin)
>> and even the
>> best tools, if the mechanic mistreats the tools - things can go
>> wrong. If the tools are badly made - it would be up to the
>> maintenance person to point
>> this out and rework the tools or suggest new tools. Sure - you
>> could fire the mechanic and get a better one - but that is not
>> always the case with computers - as those tools are so common now,
>> everyone thinks they should be able to use it. And in the home
>> computing world - the mechanic and the maintenance person
>> (home/shade-tree mechanics *grin*) are usually the same person.
>>
>> Going back to pure computing - the user *is* the HUB of the
>> computer. The computer is a tool the user utilizes. If the
>> computer is not being used (and that would mean there is a user -
>> even servers have users) --> it is likely pretty darned secure.
>> There is little to no chance that someone will click on the wrong
>> thing, start snooping in the wrong place, try to configure/get
>> around something - etc. As most users are also the administrators
>> on at least one system in their everyday life - this can cause
>> issues. If that is not their job - if they do not know how to
>> properly secure a computer system (whatever OS it is) - they put
>> themselves
>> at risk. This is the majority of people who come here for help -
>> not system
>> admins. So in comments here where "users are usually the weakest
>> point in the security system" - it is likely true - as the posts
>> here would be best represented by the home user who is also their
>> own administrator.
>
> Would you use a faulty unsafe screw driver? Well, if the screw
> driver is broken and unsafe, isn't it time to replace it?
>
> There is no reason for an email application to shell out and run an
> executable attachment. The only reason this happens is because it
> was *programmed* (hence designed) to do just that! In other words
> your "screw driver" is flawed....
>
> Deep down inside most of us here know this. The real difference
> between you and me is: I will openly say it.
>
> Again, an IT Admin's job is to protect and assist your users to
> accomplish the many tasks that they have. If one "tool" does not
> work, get them one that does and stop making excuses....
>
>> So - like everything else in life - if things weren't used, they
>> would be safer and probably last longer than if they were. You can
>> only go so far with making a smarter OS that allows less
>> experienced users to utilize the tool without danger to themselves or
>> the system. It's like the person who sued McDonald's years ago
>> because they were burned when they spilled the hot coffee in their
>> lap (and won the case.) Now "HOT" is printed on all the cups
>> because someone was too stupid to know that when you order coffee (
>> a hot beverage ) - it may be HOT. How stupid-proof do you bother
>> to make things? As pointed out in this thread - yeah - you can
>> configure linux to be fairly secure - and the same is actually true
>> with Windows and other OSes - but you had to know what you are
>> doing to do this. You have to be a computer admin. Not a
>> shade-tree mechanic.
>>
>> Should the computer OSes come out of the box like that? I guess
>> the answer is no - because it's possible to do right now - but the
>> regular user would be at a loss on how to then install things/use
>> the system and it would cease to sell/get used. McDonald's didn't
>> quit selling hot coffee - but now every cup has cautionary
>> statements on it. Common sense - the more we sanitize and label
>> things - the lower the level of common sense seems to get around
>> the world - because no one has to wonder "Is that sharp?" "Is that
>> hot?" "Should I open this email attachment without scanning it?"
>> -->> Everything gets labeled. (The latter is a bad example for now
>> - but I think it would be moronic to get to that point.)
>>
>> So - the weakest link being the software?
>> Nah. I could go buy the strongest and best wrench in the world..
>> One that a skilled mechanic/maintainer could use for decades
>> without issue and I try to use it incorrectly and shatter it in a
>> week - even if I oiled it and cleaned it after every proper use.
>> Is it the wrench's fault it shattered when the same tool could be
>> used by the skilled mechanic/maintainer for decades?
>>
>> So - the weakest link being the user?
>> (Which can also be the admin..)
>> Nah. You could have the most skilled mechanic in the world. If
>> you buy their tools from some third-rate equipment manufacturer and
>> give them a horrible environment to work in - and they have no say
>> in changing it or are otherwise incapable of maintaining the tools
>> - sooner or later something *will* go wrong. And probably faster
>> than if you combined the best mechanic with the best tools.
>>
>> Who's to blame depends on the situation. It's bad to make a
>> blanket analogy in ANY direction.. OS, user, admin, hardware, etc.
>>
>> I still like this article, personally:
>>
>> http://www.ranum.com/security/computer_security/editorials/dumb/

You avoid the points well.
The point is - there is no central point of blame.
There are no excuses given. The OS is a tool. The har