Agreed. Technical media, just like the regular media, counts on ignorance and 
fear to boost circulation and pimp their advertisers. The problem is that most 
so-called "experts" are more than willing to help perpetuate the attitude that 
computers are hard and people shouldn't have to work to learn at least a little 
bit about what they're doing. Funny enough, most of those "experts" are the 
ones trying to make a buck off it...

I found that I got a lot farther in my education efforts with my users once I 
was able to make two attitude changes:

1) I had to stop thinking of the user as an idiot. Lack of knowledge is not the 
same thing as willful stupidity, and the latter is much more rare than many of 
us IT folks like to think.
2) I had to accept that it was okay for someone to be a computer user without 
being a computer enthusiast. I like my indoor plumbing, but I don't want to 
know how it works or be competent in pulling it apart and fixing it beyond 
basic level repairs. I have to know enough basics to know that I can't pour 
junk down my sink without expecting it to clog and back up, to leave a tiny 
trickle of water running during really cold nights so my pipes don't freeze and 
burst, and other basic stuff -- but I call the plumber when there's a serious 
problem. If I'm lucky, he's not secretly thinking that I'm a complete moron 
just because I don't have the tools and experience to replace a split pipe as 
quickly as he can.

What is to me the most infuriating aspect of the whole FUD mentality behind 
computer security in general and Windows security in particular is that even 
when someone who knows what they're talking about speaks, the media tends to 
distort it in favor of hype. If you take the time to read through what Joanna 
Rutkowska (sp?) is actually saying about Vista and UAC in context, she's not 
nearly as critical of it as Ziff Davis et al would have you believe.

Maybe we should institute an IT pro boycott of the periodicals and publishers 
who insist on promoting the FUD.

--
Devin L. Ganger, Exchange MVP      Email: [EMAIL PROTECTED]
3Sharp LLC                         Phone: 425.882.1032 x1011
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: Jim Harrison [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 27, 2007 1:16 PM
To: Devin Ganger; Thor (Hammer of God); Murda Mcloud; Focus-MS
Subject: RE: Vista "complaints"

You have some good points, but the fact remains that this article (like
so many on another "security site") is taking full advantage of the
relative ignorance of "Jo(sephin)e User".  IMHO, it's incumbent upon
"the collective few" to make as much counter-noise as they can to
publicly, loudly and irrevocably debunk such garbage.
The point remains; this particular "vulnerability" is non-existent until
and unless the machine is compromised *by a completely separate act*.
Until this occurs, the "warning to all" is just so much noise...

As you yourself stated, we have to train Jo(sephine) User and as long as
people continue to replicate themselves, this task will provide endless
employment (and disinformation) opportunities.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Devin Ganger
Sent: Tuesday, February 27, 2007 11:38 AM
To: Thor (Hammer of God); Murda Mcloud; Focus-MS
Subject: RE: Vista "complaints"

I agree with most of your debunking, but I think you (and many of the
readers of this list) have been doing high-level security work for long
enough to not really remember what it is like for the average computer
user (if you ever were at that level).

I have four people that I think of when I think of the "average" user
(my wife doesn't count, she's lived with me for 11 years and has picked
up enough to permanently disqualify her from being an average user):

1) My dad. Mostly uses the computer for email, writing, and playing
games. Does some basic office apps at work.
2) My mom. Uses the computer on a daily basis in a healthcare setting,
which means specialized apps.
3) My sister. Basic home user, some active levels of online chatting and
forums, as well as web-based recreation.
4) A user I supported in a previous job. She didn't hate computers, but
they were just tools she used to accomplish her real work. She didn't
own one at home and felt no need to. Was perfectly competent within her
accustomed apps, but needed serious handholding to do anything new.

All four of these users are good candidates for the click-through
scenario. It's taken years to train my family to *pick up the phone and
call me* if they see something they don't understand. My parents are not
dumb people (neither is my sister). However, they don't have the frame
of reference to understand the implications of the various dialog boxes.
They know that the system is trying to warn them about *something*, but
they're not sure how serious it is or what the correct course of action
is. After they've seen a given warning a few times, they're good to go,
until it's a new application -- and then my phone starts ringing again
until they get familiar with it.

I remember a couple Christmases back when I visited and sat down to clean
out their computers and get them up on decent anti-malware protection.
My mom sat down with me to watch. As I worked my way through the various
tasks, she'd ask me why I'd answered a given dialog one way for one task
and a different way for another. I realized that without the basis of my
years of experience to draw on, giving her clear and concise answers to
her questions -- enough for her to be able to understand the principles
behind my choices -- was pretty difficult. The principles are easy; the
application of those principles can require experience that the average
user just doesn't have. Not because they're stupid, but just because
they don't have the broad POV to know why X is the right choice in this
situation.

This, incidentally, is why I pushed my family to use the Windows
Defender beta. As malware protection, it wasn't the best on the market
-- but having the community feedback integrated in the warning dialogs
sure made it easier for my non-geek family to get that sense of
expertise on-tap.

--
Devin L. Ganger, Exchange MVP      Email: [EMAIL PROTECTED]
3Sharp LLC                         Phone: 425.882.1032 x1011
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Thor (Hammer of God)
Sent: Tuesday, February 27, 2007 6:49 AM
To: Murda Mcloud; Focus-MS
Subject: Re: Vista "complaints"

My thoughts?  Well, I'll tell you ;)

Complete and utter FUD.  Plain and simple.  And while I hate to say it,
reading stuff like that makes me wonder if Whitehouse has any more grasp on
reality than the man inhabiting our own Whitehouse today.

Let's note this passage about what would have to happen *first*:

"The most likely scenario is that a user gets compromised by malicious code,
from a Trojan [horse] or a vulnerability in a third-party application like
Office or a browser."

Oh, the awe a magician can inspire after "The Magic Rooting" takes place.
The UAC would, of course, prevent this from happening in the first place.  I
also doubt the "magic assumptions" of "most users would just click through
without a second thought."  No, users would have to enter the admin username
and password to install the malicious code to begin with. If they are
running as admin, then they would have the opportunity of looking at what
they were running, as well as the standard "This is from an unknown
publisher" dialog even after "just clicking continue."  But you wouldn't be
running as administrator, now would you?  No, you wouldn't.  There are other
technical inaccuracies, but I won't bother going into them because what
comes after "if I can get this installed on the box" simply doesn't matter.

In general, I find ramblings about what diabolical exploits can be crafted
*after* you get whatever code you need installed on the box to be comical.
But when they come from someone who should absolutely know (far) better, it
is simply unprofessional, and comes off like the proverbial "grasping at
straws" for attention. I believe it was Will Rogers who said "People who pay
for things rarely complain.  It's the people you give things to that you
can't please" or something along those lines.  Read: People will always find
something to complain about, and will often go way out of their way to find
justification for it.

Status: Debunked. ;)

And that is the skinny on that.

t




On 2/26/07 8:58 PM, "Murda Mcloud" <[EMAIL PROTECTED]> spoketh to all:

> What are your thoughts on this Thor?
> http://www.pcworld.com/article/id,129268/article.html
>
> (Surprise surprise ./ are loving this)
>

