> -----Original Message-----
> From: cctalk [mailto:cctalk-boun...@classiccmp.org] On Behalf Of Toby Thain
> Sent: 28 May 2016 01:56
> To: General Discussion: On-Topic and Off-Topic Posts <cctalk@classiccmp.org>
> Subject: Re: Windows use in medical spaces (Re: vintage computers in active
> use)
>
> On 2016-05-27 8:38 PM, Cameron Kaiser wrote:
> >> You can hardly blame Windows for the stupidity of people. This could
> >> also happen w/ discrete stupid devices
> >
> > One word: Therac.
> >
>
> Therac is not the same threat at all. What seems to be missing from the
> process that leads to specifying Windows is, indeed, threat modelling.
> The threat of a virus scanner disabling the machine is not the same as a virus
> disabling the machine, and so on (a proper enumeration of threats would be
> quite long).
>
> The point is that the threat model for a "discrete stupid device" is VERY
> different from the threat model for Windows. Human error obviously appears
> in both lists (and can be mitigated!) And these aren't the only
> 2 options, either...
>
> I think we can all agree that when the outcomes are as bad as this, then the
> engineering process was faulty. A virus scanner (or virus) is a very easily
> foreseen problem.

Getting managers to understand that putting security controls in place may lead to a denial of service which is more serious than the original threat is hard. Evaluation of the residual threats after the controls are in place should be standard procedure. It is part of ISO 27001....

When I worked in E-Mail and was being sold Mail Scanners I always asked what about false positives? They would say you get a junior to check those, which is of course a bad thing, as the mails may contain bad things....

So I would say one of the senior directors mistresses keeps forgetting her Hotmail password and just sets up a new account so I can't white list her.. She e-mails rather fruity pictures to the director, would these get stopped and would the junior see them... Most of the salesmen just crawled away....

Dave

>
> --Toby