RE: [LINK] Let's Sue Microsoft [Was: Code Red puts Microsoft in hot seat]

From: Auer, Karl James (karl.auer@id.ethz.ch)
Date: Tue Aug 07 2001 - 00:07:08 EST


Many people Microsoft is actively selling to are not professional or are
not disciplined enough to read the MOUNTAIN of bumph delivered with
server software. It is probably more appropriate that Microsoft (or
Oracle or whoever) be the one to produce graded documentation, with the
important security stuff on page ONE, not buried in "Appendix F: Other
considerations".

Instead, Page One is typically a "Quick Start Guide", to "get you up and
running as quickly as possible". How many people will read the next 537
pages?

Microsoft sells its products at least in part by touting their
"simplicity", "user friendliness" and "ease of use", so I think they are
definitely busy hoisting themselves with their own petard on this one.

But leaving documentation aside, the fundamental mistake - and I believe
it is LONG past time that this mistake should have been recognised and
rectified - is that Microsoft delivers products (MANY products) with
highly insecure "features" and switches them ON by default. The list is
well-nigh endless - hiding filename extensions, running executable
attachments in mailers and unchecked access rights for application
macros are just the well-publicised tip of the iceberg.

NO non-blindingly-obvious feature should be on by default. "Ease of use"
should mean "easy to find and switch on, with a helpful warning before
you do so as to the security implications". And the ease of switching a
feature on should be inversely proportional to the damage it can do when
enabled.

Not that Microsoft stands alone in its shame - many Linux distributions
still come with (among others) ident, ftp, telnet, ssh, web and samba
servers enabled and running by default.

Regards, K.

> -----Original Message-----
> From: Dassa [mailto:dasssa@ozemail.com.au]
> Subject: RE: [LINK] Let's Sue Microsoft [Was: Code Red puts Microsoft
> in hot seat]
>
> How is this any different to expecting users of more powerful
> software to be aware of and keep their systems updated with the latest
> security patches. Couldn't it be expected that users of an operating
> system would be aware of the security implications of the default
> settings? There is plenty of documentation covering this aspect. Where
> does one draw the line, are not all users to be treated the same?
>
> Isn't it more a case of people not reading the documentation they are
> supplied with.
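The complaint above about distributions shipping ident, ftp, telnet, ssh, web and samba servers enabled by default is easy to turn into a check. The script below is an added example, not part of this thread or of any distribution's tooling: it parses `ss -lntu`-style output (the sample is constructed inline, not captured from a real host) and reports every listener whose port is on a list of "should be off unless you asked for it" services, distinguishing sockets bound to all interfaces from ones bound only to loopback. The port-to-service mapping and the EXPOSED/LOCAL labels are this example's own assumptions.

```shell
#!/bin/sh
# Constructed sample of `ss -lntu` output (not captured from a real host).
# Columns: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:113        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:139        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*'

# Port -> service label for the defaults named in the post (ident, ftp,
# telnet, ssh, web, samba). This mapping is an assumption of the example,
# not a standard; extend it to match your own policy.
service_name() {
  case "$1" in
    21)      echo ftp ;;
    22)      echo ssh ;;
    23)      echo telnet ;;
    80|443)  echo web ;;
    113)     echo ident ;;
    139|445) echo samba ;;
    *)       echo "" ;;
  esac
}

# Read ss-style output on stdin and print one line per listener whose port
# is in the policy list. EXPOSED means bound to a wildcard or non-loopback
# address (reachable from the network); LOCAL means loopback only.
# Output is sorted by port number.
flag_default_listeners() {
  awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
         n = split($5, a, ":"); port = a[n]
         addr = substr($5, 1, length($5) - length(port) - 1)
         print port, addr
       }' |
  while read -r port addr; do
    name=$(service_name "$port")
    [ -n "$name" ] || continue
    case "$addr" in
      127.*|::1|'[::1]') scope=LOCAL ;;
      *)                 scope=EXPOSED ;;
    esac
    printf '%s %s/%s on %s\n' "$scope" "$name" "$port" "$addr"
  done | sort -t/ -k2 -n
}

# Stand-alone run over the constructed sample. On a live host you would
# instead pipe the real thing:  ss -lntu | flag_default_listeners
printf '%s\n' "$SAMPLE_SS" | flag_default_listeners
```

Anything reported as EXPOSED that you did not deliberately enable is exactly the kind of default the post objects to; the loopback-only case is listed separately because a local-only SMTP or ident socket is a different risk from one reachable by every host on the network.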



This archive was generated by hypermail 2.1.1 : Fri Aug 31 2001 - 03:10:03 EST