RE: [inbox] Re: CyberInsecurity: The cost of Mo nopoly

["Schmehl, Paul L" <pauls () utdallas edu>]

> -----Original Message-----
> From: Michael Smith [mailto:mike () sane com] 
> Sent: Tuesday, September 30, 2003 9:54 AM
> To: full-disclosure () lists netsys com
> Subject: RE: [inbox] Re: [Full-disclosure] CyberInsecurity: 
> The cost of Mo nopoly 
>
> I think the point is that most people expect their cars to be 
> operational and do NOT do the maintenance themselves... they 
> DO outsource it to a mechanic.  The average user has A LOT 
> less control over their car than their computer.  A car is 
> basically a single function unit, point A to point B. 
> Computers never have been nor ever will be that one 
> dimensional.  At the most, I think we could hope for users 
> who learn to know better than to try to do the 'maintenance' 
> on their computers themselves.
Oh come on.  We don't expect our mechanics to brake and steer for us,
fer cryin' out loud.  We're not talking about *maintaining the computer.
We're talking about *operating* it.  Things like passwords, awareness of
attachment dangers, the need for routine patching (think oil changes)
and up to date antivirus software (think gas).  The car mechanic takes
care of repairs and maintenance, yes, but the driver is the one who has
to bring the car in.  That means they have to be *aware* that
maintenance is required.  They have to realize that if they don't change
the oil every 3000 miles they will have long term problems.

The same thing is true in computing.  Users must realize that
maintenance is required, and it's their responsibility to "bring it in"
for maintenance.  They can't just blithely assume that IT is doing it
for them.  They need to *know* if it's overdue (think missing patches)
or requires an overhaul (think new OS.)

We don't let people drive cars without some proof that they know how.
We don't even let them neglect the maintenance any more (think emissions
inspections.)  Why should we let people use computers with no training,
no awareness of the potential trouble spots, no idea what they're
getting in to?  That's insanity.  And that's why we have hundreds of
thousands of infections with every new iteration of a worm or virus.
And IT people contribute to the problem by throwing up their hands and
saying that the users don't want to learn or can't be taught.  They
*must* be taught.  There is no other way to solve the problem.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html