Path: utzoo!attcan!telly!problem!compus!lethe!torsqnt!news-server.csri.toronto.edu!qucdn!spraggej
From: SPRAGGEJ@QUCDN.QueensU.CA (John G. Spragge)
Newsgroups: comp.org.eff.talk
Subject: Re: "Computers at Risk"
Message-ID: <90349.014530SPRAGGEJ@QUCDN.QueensU.CA>
Date: 15 Dec 90 06:45:30 GMT
References: <1990Dec11.213718.13211@Think.COM>
Distribution: na
Organization: Queen's University at Kingston
Lines: 49

In article <1990Dec11.213718.13211@Think.COM>, barmar@think.com (Barry Margolin) says:

>The computer industry has been extremely lax about dealing with all the
>issues of computer vulnerability. However, they are not totally to blame,
>because computer purchasers frequently don't ascribe much value to
>protection from vulnerability, so the vendors are simply responding to the
>market.

Perhaps purchasers are more concerned about protection from mistakes than they are from malice. I have certainly restored my share of files through the years, and I have never yet seen a file wiped out by a virus or a trojan. The majority of failures were due (depending on your perspective) either to user error, or to systems that were too hard to learn or understand. If a buyer asked me whether they should buy a hard to understand system with good security, or a user friendly system with little security, I would always recommend the latter.

Losing data to someone else's malice is undoubtedly more traumatic: it's clearly a violation. However, on the scale of dangers, the person who is clearly most dangerous to any data is the primary user. Second in line is the person who wrote the editor/data processing system being used. Between those two, innocent mistakes account for the vast majority of failures I have ever seen or (shudder) lived through.

> All parties need to be educated to the need, and the people making
>purchasing decisions must be willing to spend a little extra to get less
>vulnerable systems. If there were money in computer security, more vendors
>would invest more research resources into it, and things would get better.

The use of the word "educated" assumes that there is a consensus on priorities. I don't share Mr. Margolin's priorities. From the point of view of efficiency only, I believe the top priority is to establish efficient, error free systems (not, unfortunately, the case now). It is equally important to make them user friendly, so that user errors will not result in data loss. Then, and only then, comes security.

>--
>Barry Margolin, Thinking Machines Corp.
>
>barmar@think.com
>{uunet,harvard}!think!barmar

disclaimer: Queen's University merely supplies me with computer services, and they are responsible for neither my opinions nor my ignorance.

John G. Spragge