[Klug-general] Re: Bill Gates the Stupid Image - not Bill Gates the Stupid Person

Stuart Buckland stuart at nightime.org.uk
Tue Jan 15 23:12:22 GMT 2008


On Tue, 2008-01-15 at 21:30 +0000, Stephen Ryan wrote:
> Message: 4
> Date: Tue, 15 Jan 2008 19:53:14 +0000
> From: Margot <margot at lawrence1961.f9.co.uk>
> Subject: Re: [Klug-general] Re: Bill Gates the Stupid Image - not Bill Gate the Stupid Person
> To: Kent Linux User Group - General Topics <kent at mailman.lug.org.uk>
> Message-ID: <478D0F2A.3080009 at lawrence1961.f9.co.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Stuart Buckland wrote:
> >> Perhaps you might post something much more important than the question of
> >> why after 30 years the PC software industry is a great deal less secure than
> >> it was when it began.
> >>
> > 
> > If that is indeed a fact, and I'm not saying it is or is not, there are many
> > contributing factors.  Arguably those having the greatest impact being
> > non-technical in nature.
> > 
> > What makes you say software is less secure now than 30 years ago and what
> > makes you think anybody was even thinking about security 30 years ago?
> > 
> > Stu
> > 
> 
> If you read what he actually wrote, you'll see that he said that the 
> *software industry* is less secure, not the *software*.
> 
> --Stephen said
> George/Stu/Margot, I am stating the obvious really. 30 years ago there was
> no internet, very few LANS, WANS, VLANS etc and confidential data was
> limited in terms of how much of it was maintained by computers. Companies
> might have had a mainframe and a few PCs came along in the early 80's which
> may have been hooked up for terminal emulation. Very few people knew how to
> hack into these systems and there wasn't much of interest to see inside them
> anyway. With the exception of a few choice targets. 
> 
> There were no training courses for engineers or manuals, and few tech
> support lines - so you just stumbled around trying to fix things and
> generally hacked your way through. Many of us came from electronics
> backgrounds, so you could get right down in the hardware.

There certainly were training courses for service personnel and
employees of the mainframe manufacturers.  Perhaps not training courses
as we'd recognise them today.  One difference, they were typically run
by people who understood what they were teaching and the content was
less about backing up the marketing.  That's coming from a person who's
been on too many vendor courses :)

> Later on in the mid - late 80's the likes of Bill Gates came along with a
> grand vision to make computers more user friendly. His argument was that if
> you change the aesthetic quality of the interface - then the devices would
> be more user friendly. The counter argument to this was that user
> friendliness should be more about making devices more secure - than just
> making them look prettier. Anyway, the world decided to trade prettiness off
> against security and we ended up in a world where human beings could
> interact much better with the technology - but effectively became much more
> ignorant about it - given the layers of abstraction required to support the
> GUI.

I'm not sure I can agree with that.  Was there ever a counter argument
against making personal computing accessible?  If there was then what
idiot made it?

And since when has making computing more accessible by the use of a GUI
been the opposite of security? 

> Today, we have the most confidential data sitting in insecure databases all
> around the planet. Whilst it looks much prettier now - it is
> nevertheless held together by millions of lines of code that very few people
> would ever take ownership of. How could they?

Now that I definitely cannot agree with on any level.  I cannot think of
a single project I have worked on or been on the periphery of which has
not had security at or near the top of the agenda.  Identifying or
assigning ownership of every component of a system is a part of that.

It really isn't difficult to design and implement a secure system,
technical or otherwise.  The proviso is that to also be functional
certain levels of exposure and risk need to be accepted and/or mitigated
against.

It doesn't help that vendors put out buggy products.  I know why it
happens and I can understand it (though never accept it).  Once you
understand and accept it you can mitigate potential risks.

Rather than argue this industry (and I include the Open Source
Community) focus on security I believe the key points should be
reliability and determinism in both fully operational and fault
situations.  From those, technological security is relatively simple to
address.  The social aspect of security I'll leave to others :)

> 
> I believe that people like Bill Gates know this and that he knows that he
> and others have effectively built a roller coaster which will be very
> difficult to get off of.
> 
> Enough said in this forum guys... but anyone can talk to me at
> sryan at intrench.com
> 

The last bit I can agree with.


-- 
Stuart Buckland <stuart at nightime.org.uk>



