Full Disclosure mailing list archives

Re: Windows 7 UAC compromised
From: Kevin Wilcox <kevin () tux appstate edu>
Date: Fri, 6 Feb 2009 09:36:32 -0500

2009/2/6 Yudi Rosen <yr42.lists () gmail com>:

> But Joe the Plumber doesn't want to have to click on endless 'confirm'
> dialogs every time he tries to use the computer. Simply having him run as a
> non-admin user only fixes half the problem.

No, it doesn't fix anywhere *near* half of the problem; it doesn't
address that we have millions of people that use their computers
without knowing anything about them.

"But not every car driver needs to be a mechanic!" Yes, I know this,
but every driver needs to know that there are laws and rules
concerning how they drive and what happens when a 1200 kilogramme car
hits a 100 kilogramme pedestrian at 70 kilometres/hour. Every driver
needs to know they need to have their tyres rotated and their oil
changed. There are things you must know beyond, "accelerator,
decelerator and steering wheel".

"But a computer isn't going to kill anyone if someone gets infected by
a virus or trojan!" Yes, I know this, too, but if you're mixing
questionable software and surfing habits with online banking and
shopping, it's a recipe for destruction. Welcome to identity theft and
empty bank accounts.

We can either continue to pretend like it's *only* really crappy
software or we can realise that it's a combination of easily
exploitable software, user ignorance and user apathy. You can give
them an operating system that has been vetted and been through
multiple code reviews by people that really do know secure OS design
but they wouldn't be able to accomplish anything at all. So what do we
do? We give them operating systems that are less secure, hope they
don't shoot their feet off and turn them loose with it - but we don't
shoulder the burden of training them. Some of us do but we, as a
collective, do not. Until we can properly educate our users, all we
are doing is trying to mitigate risk in the best ways we can while
still providing them a service. I maintain that by not educating our
users we are failing in that goal.


Far better is it to dare mighty things, to win glorious triumphs, even
if chequered by failure, than to take rank with those poor spirits who
neither enjoy much nor suffer much, because they live in the grey
twilight that knows not victory or defeat.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
