IT Security... Food for Thought.


Joined
31 May 06
Moves
1795
15 Aug 15

Originally posted by twhitehead
No, it demonstrates that there is a balance to be found. Tamper proof food has not been implemented.

My argument is that you should be able to trust that what you purchase is safe, and will remain so.

But should it be merely safe, or safe from malicious interference by others? In the case of medicine we have decided to take some extra precaution ...[text shortened]... thus subject to some amount of regulation. I am not sure how well regulated electric fences are.
Yes I do know this, and many other similar facts, being that I work with computer
support and spend a lot of my time reading up on computer security issues.

Including, as I say, Bruce Schneier's blog [and books] on the topic of security.

And of course I mean safe from malicious interference by others because that IS
the ENTIRE point of computer security. There is no other meaning to safety and security
in the computer world.

Über-Nerd

Joined
31 May 12
Moves
8309
17 Aug 15

gf: "My argument is that you should be able to trust that what you purchase is safe, and will remain so."

If you buy a tire, you may expect that regulatory systems ensure that it has no manufacturing defects and is safe when sold. You may not expect that it will protect you from every possible road hazard you may run into (such as nails or broken glass or off-road obstacles). When you buy a computer, the same holds. It should have no manufacturing defects which could expose you to risk of electric shock (because the ventilators are faulty, for example). It is unreasonable and not feasible for manufacturers to offer you any guarantee that no matter what web site you surf to, you will be protected.

Joined
31 May 06
Moves
1795
17 Aug 15

Originally posted by moonbus
gf: "My argument is that you should be able to trust that what you purchase is safe, and will remain so."

If you buy a tire, you may expect that regulatory systems ensure that it has no manufacturing defects and is safe when sold. You may not expect that it will protect you from every possible road hazard you may run into (such as nails or broken glass or ...[text shortened]... rers to offer you any guarantee that no matter what web site you surf to, you will be protected.
Oh, good. More strawman arguments.

When I write posts [for example] about smart devices that contain absolutely no security whatsoever and are
programmable and can be, and have been, used as attack platforms on your internal network
and suggest
that we need regulations to make sure that the hardware and software we use in the electronic devices all around
us meet proper safety standards and actually have decent and update-able security...

Why the hell do you make the idiotic assumption that I am trying to require impossible magic protection from all
possible harm?

Can you at least credit me with the intelligence to not be THAT dumb when you write your posts?

We have companies and governments conducting massive surveillance and data collection on us for THEIR benefit
and not ours, and at the same time failing to build in to many devices and systems proper security.
I could point out the recent spate of demonstrations of the ability to remotely hack into new 'smart' cars and take them
over due to the car's entertainment system being wired to the car's 'fly by wire' control system.
Or automated drugs dispensaries that can be wirelessly reprogrammed to deliver fatal doses of drugs to patients.
etc etc etc.

We evidently and obviously need regulations that say that 'no, you can't actually collect all that data on people to
sell to advertisers' and 'yes you do have to employ proper security codes and practices in designing your product because
yes you will be held liable for damages if you don't'. And we need governments to stop working to make our networks and
devices less secure and to stop encouraging companies to collect data they can then use that data to track and monitor
us because privacy is an important, no vital part of freedom and liberty and they are taking it away.

Perfect security and perfect safety are impossible. That is a given.

However if a plane crashes because it had a design fault the manufacturer is held liable because that's part of how you make
planes SAFER [as opposed to absolutely safe]. And when you get to a high enough level of 'safer' we just call it safe.

Über-Nerd

Joined
31 May 12
Moves
8309
17 Aug 15

Originally posted by googlefudge
Oh, good. More strawman arguments.

When I write posts [for example] about smart devices that contain absolutely no security whatsoever and are
programmable and can be, and have been, used as attack platforms on your internal network
and suggest
that we need regulations to make sure that the hardware and software we use in the electronic dev ...[text shortened]... ed to absolutely safe]. And when you get to a high enough level of 'safer' we just call it safe.
A smart phone is more like a private car than a commercial airliner. That is, the user is not a passive passenger, his life entrusted to pilots and ground crew; he is, on the contrary, solely actively involved in the use of the device and is therefore responsible for how he uses it. It is the responsibility of the manufacturer to ensure only that the hardware does not cause overt injury (for example by catching fire if the battery is overcharged); that is, safety standards apply only to physical injury, not to loss of data (read the fine print). It is the responsibility of the user to use the device wisely and pay due care and attention to how and where he drives (if it's a car) or surfs (smart phone). It is not the manufacturer's fault if a user surfs unwisely and gets his smart phone infected at a porno site or clicks on a bogus email and unwittingly installs a keyboard sweeper. No more so than it is Ford's fault if someone drives his SUV into a swamp, gets stuck there, and drowns. You wouldn't want a regulation to require automatically inflatable pontoons to be installed in every SUV, just in case some nitwit drives into a swamp. That would head straight towards the Nanny State -- no thanks!

The problem with "high enough" security for devices which access the Internet is that the threats are constantly changing and the security patches are always a step behind. There is no such thing as an Internet vaccine, once and for all; security patches can be engineered only after a new threat has appeared (and actually affected a few machines). So there is no such thing as "high enough security" for the first wave of victims, and everyone is a potential first-wave victim. Given that security patches are always a step behind, how do you expect the law to keep up? Lawmakers are even farther behind than the technology; any law which could pass both houses of congress would be so out-of-date, it would be useless.

But even supposing the U.S. Congress got a law passed, why should any other country abide by it? The Internet knows no political borders.

Über-Nerd

Joined
31 May 12
Moves
8309
17 Aug 15

PS:

http://www.iclarified.com/entry/index.php?enid=5884

What more do you want?

Joined
18 Jan 07
Moves
12466
20 Aug 15

Originally posted by googlefudge
I don't agree at all.

It's not even remotely reasonable to expect more than a small minority of the population to be or become sufficiently expert in dealing with computers and/or security to be able to understand the issues and make informed and rational decisions based on them.
That may be, but the issues surrounding Windows X are so severe that even a complete layman should be able to understand why you can't trust people who give you such a terrible Trojan horse (and yes, I use that term advisedly).
That more people don't is, frankly, their problem, not any more that of the security experts. You can try and educate the people, but if they choose not to be educated... tough, eat the consequences, then, you were warned. There are subtle issues surrounding computer security, yes. The issues afflicting Windows X are, however, not subtle, and can be understood by anyone who bothers to look.

Joined
18 Jan 07
Moves
12466
20 Aug 15

Originally posted by googlefudge
My argument is that you should be able to trust that what you purchase is safe, and will remain so.
Food? Most food will not remain safe if you leave it for a month or so, and that's not the food industry's problem. Similarly, most computer products will not remain safe if you execute every executable you get mailed to you from persons unknown, and that is not the computer industry's problem, either.

Yes, you should be able to trust that what you purchase is safe at the time of purchase, but if you then mistreat it or are insufficiently careful in use, beyond reason, then you can't expect for your actions (or lack thereof) not to backfire on you. The great public expect miracles from computers, and they expect to get away with things on the internet that, if they did similar to their homes, they wouldn't dare admit to their insurers. Sorry, I have little sympathy if you use the same password for your internet banking that you use for RHP.

Über-Nerd

Joined
31 May 12
Moves
8309
24 Aug 15

To those who use Firefox, be aware that a major re-write is in the works. The envisaged new versions (40+) will enforce updates and reject unsigned add-ons. This will not be reverse-compatible with earlier versions of FF and will automatically disable (break) previously installed add-ons.

For those who do not wish to subject themselves to "robot security" and forced updates, you might want to switch to FF ESR (or some other browser) before the projected roll-out (this coming autumn).

Word to the wise ....

Joined
31 May 06
Moves
1795
24 Aug 15

https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/

.........
The power of add-ons

We love add-ons and wouldn’t want to browse the Web without the enhanced experience they offer. I myself have 22 active add-ons at the moment, with another seven disabled but on hand just in case. Firefox add-ons aren’t restricted to a limited API for manipulating Web content and parts of the browser. Add-ons can use, manipulate, or even replace just about any aspect of Firefox internals. Add-ons are one manifestation of a freedom so important to us that we have enshrined it in our Mozilla principles: Individuals must have the ability to shape the Internet and their own experiences on the Internet.

The adware scourge

The Web experienced by tech-savvy developers, however, is not the Web experienced by most people. While only fourteen add-ons hosted on our addons.mozilla.org site have more than a million users, and only two of those have more than 3 million, many tens of millions of users have non-hosted add-ons that were installed without their informed consent. Users run the risk of picking up unwanted extra add-ons and other software every time they download software over the Internet. Even updates of software that many users find indispensable or software from download sites run by trusted news organizations come bundled with these unwanted extras. Their Internet experience is being shaped by these third party add-ons in ways they did not choose and that benefit third parties and not the user. Most of these unwanted add-ons are advertising related in some way, tracking user actions and altering content. These add-ons are not created with user security in mind and can break fundamental browser security. These violate another of Mozilla’s basic principles: Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.

Signing Add-ons

The solution we are pursuing, as described in our last post, is for the builds used by the majority of Firefox users to require that add-ons be signed by Mozilla. It is heartbreaking that there are so many malicious developers in the world intent on taking advantage of others, but we’ve reached the same conclusion as other similar ecosystems that there needs to be a referee looking out for the user’s interests. Firefox users will still be able to shape their online experience through installing add-ons created by others: for the vast majority of them nothing will have changed in that regard. This does, unfortunately, place an additional burden on add-on developers: they will have to develop against an unbranded but otherwise identical version of Firefox that we will provide.

Many developers have asked why we can’t make this a runtime option or preference. There is nowhere we could store that choice on the user’s machine that these greyware apps couldn’t change and plausibly claim they were acting on behalf of the user’s “choice” not to opt-out of the light grey checkbox on page 43 of their EULA. This is not a concern about hypotheticals, we have many documented cases of add-ons disabling the mechanisms through which we inform users and give them control over their add-ons. By baking the signing requirement into the executable these programs will either have to submit to our review process or take the blatant malware step of replacing or altering Firefox. We are sure some will take that step, but it won’t be an attractive option for a Fortune 500 plugin vendor, popular download sites, or the laptop vendor involved in distributing Superfish. For the ones who do, we hope that modifying another program’s executable code is blatant enough that security software vendors will take action and stop letting these programs hide behind terms buried in their user-hostile EULAs. .....



The part in bold is what I am talking about.

The number/proportion of people who came into my IT shop whose computer/web browsing experience was being ruined
[and their security/privacy destroyed] by exactly that was huge and heart breaking.

Those smug and arrogant 'tech-savvy' people who blame everyone else for not being computer experts can shove their
ignorant opinions where the sun doesn't shine.

This is an improvement for the vast majority of people who use computers.

Über-Nerd

Joined
31 May 12
Moves
8309
24 Aug 15

Next time you've got a brain tumor, tell your surgeon he's smug and arrogant and see whether you wake up with a lobotomy.

Joined
31 May 06
Moves
1795
24 Aug 15

Originally posted by moonbus
Next time you've got a brain tumor, tell your surgeon he's smug and arrogant and see whether you wake up with a lobotomy.
Next time you want to make a snarky comment, make sure you're right so you don't look like an idiot.

The correct analogy would be a diagnostics specialist who calls their patients stupid for not being medical
experts and being able to diagnose their own diseases.

The problem isn't knowing stuff about computers and computer security.

The problem is calling the overwhelming majority who don't know this stuff and who cannot possibly be expected to
learn, stupid for not doing so and saying that these people deserve whatever problems they get for being so stupid as
to not turn themselves into computer security experts.

That is arrogant and stupid.

That is what you are saying.

Über-Nerd

Joined
31 May 12
Moves
8309
24 Aug 15

I never said they were stupid. I linked to a product which blocks unwanted connections and costs less than 2 dollars. You weren't happy with that. Mozilla is offering an update for free which blocks unwanted connections. You're still not happy. What's eating you anyway?