
Re: Active X security hole reported



John C. Pavao wrote:

>It sounds like we're heading for a Darwinistic future for the Web,
>Internet, and computing in general. A future where people who want to
>use their personal computers for "low-brow" tasks like doing their
>finances, recreational web browsing, etc., without desiring to become
>sysadmins and programmers will be weeded out and relegated to the
>uninformed masses.  Only the computer elite, who can dedicate all of
>their time and effort to keeping abreast of things like Java and ActiveX
>deserve to be able to use their computers with a telephone line
>attached.

Actually, the supposed computer elite can't usually keep up with everything
either.  The tone of many of the messages in this thread has been elitist,
but the key points are being lost therein.  I do not expect my users to
keep track of all of the latest web developments -- I expect that I'll
track security issues and keep them abreast of the potential for danger
from Java, Active X, and the next hot technology (connection to Inferno
purely coincidental).  I also expect some level of responsibility from the
vendors that I frequent with regards to providing safe software.  If a
particular browser or paradigm doesn't provide for adequate security, then
I'd rather my users not have access to it.  I have to fill the holes after
our security is breached, not the office or administrative staff who use
their computers to get the job done.  It's right that I should be angry
if they ignore a warning and end up creating extra work for me -- there's
plenty for me to do from day to day without firefighting!

>To say that the average user should be smart enough to not choose OK
>when choosing OK is just what you have to do all the time to do anything
>in Micro$oft Windows (name your version, name your application) is like
>saying that soldier should have known better than to step on that
>landmine because it was buried in the ground.

I don't click okay to warning boxes until I've become familiar with them.
And they can be written in such a way as to get your attention without
appearing as something to just click okay to and move on.  My problem
isn't with the users who chose to click okay, but rather with a vendor
that would make something as important as security seem so trivial.  To
draw on your landmine analogy, if my commanding officer said to charge
ahead into a field because fields never contain mines (much in the way
that Microsoft encourages you to click okay to a security warning since
most messages are trivial) then I would hope that his commanding officers
and the media and everyone else who felt some responsibility for my
well-being would be infuriated.  If, however, he warned me that there
might be mines ahead in a way that registered, I'd expect a much different
reaction -- perhaps for everyone to think I was stupid.

>Those of us who seem to feel that it's just too bad for the cutting-edge
>technology illiterate would do well to remember that maybe people who
>don't make their living running other people's computers hardly have
>time to learn the pitfalls of the latest thing to pop out of the WWW
>fad.  I have no interest in learning medicine, but I want a bottle of
>aspirin that it's safe to take.  Shouldn't the doctor be able to sit
>down at his computer and be able to use the web without having to learn
>a second profession AND getting his computer FUBARed?

Part of being on the cutting edge is being cut.  And part of being cut
is knowing where the first aid kit is.  If you don't, step back from the
edge.  Come along later, or at least heed my advice today.  I take an
aspirin because I know it's safe -- I also wouldn't take it if the seal
were broken, much like not accepting an untrusted Active X control, don't
you think?  I agree with you that MS has a responsibility (as do I as a
system administrator) to make the use of the web less dangerous.  But I also
think that it's your fault if you charge ahead without understanding
what's really going on.  I don't know how to climb a mountain, so an
experienced climber would be right in saying I deserved it if I jumped into
doing so without learning how to do it.

>I subscribed to this list thinking it would be about ways to secure the
>web, not messages from elitists who think the average user should be
>weeded out.

I subscribed to this list to learn what to tell my average users about
potential security dangers on the web.  I maintain my subscription for
the same reason.  For this reason, I think it's a very valid place to
discuss the need for a higher level of user understanding when they use
the web than they have when they use a standalone PC.  The requisite
knowledge for using PCs is different from that for using terminals is
different from that for using punch cards.  Now that machines are more
and more interconnected, different knowledge is required.  And this
list is a perfect place for discussion of what that knowledge is vis-à-vis
security issues.  Like it or not, flames like those that irritate
you about this thread foster such discussion.

Chuck

--
Chuck D'Antonio
Programmer & Network Support Specialist
FAS Administrative Computing
Harvard University
