Security's greatest threat? Dumb users vs. dumb design

Moderated by Jason Hiner | October 31, 2011, 7:00am PT

Summary: Are today's IT security problems mostly the result of less-than-adequate design principles on the part of systems developers? Or is user operating error the primary culprit?...

Ryan Naraine: Dumb users
Justin James: Dumb design
Best Argument: Dumb design
Audience vote: 65% / 35%
Audience Favored: Dumb users (65%)

Opening Statements

Dumb users will continue to be dumb

Ryan Naraine: Let’s not beat around the bush. Users are stupid and can’t get out of their own way, even when it concerns their safety.

We’ve spent the better part of the last decade educating users about the risks associated with clicking on attachments in e-mails or clicking on links to “Britney Spears naked” or “Ghaddafi’s final moment” videos. Well, guess what? Users click on everything, even things they know are risky. According to Microsoft’s Security Intelligence Report, 99 percent of all attacks in the first half of 2011 distributed malware through social engineering and unpatched vulnerabilities.  User interaction -- click on something and install the malware for the bad guy -- is still the go-to tactic for cyber-criminals.

We can chalk it up to laziness, human nature, stress, tiredness, whatever.  Dumb users will continue to be dumb, despite software design choices.

Dumb design: Computers must serve people

Justin James: Decades of computer use have proven to us that no amount of training and education can ever change the behavior of some users. Unfortunately, computer security all too often depends on “herd immunity” because once a machine or account within the network has been compromised, the rest often fall like dominoes. In today’s world, it is just too easy for a single mistaken click to turn a healthy machine into a trainwreck within hours.

Computers serve people, not the other way around. If the systems we design are not secure with real world users, then they do not serve the users! If certain people will not drive a car safely, despite the obvious dangers, what makes you think they are going to learn to use a computer safely? Instead of trying to make better drivers, we need to be building better brakes.
 

The Rebuttal

Great Debate Moderator

First question
Alright, let's get this started. What is the state of user friendliness in technology design? How much better (or worse) off are we than we were a decade ago?
Jason Hiner 1st Nov
We're better off today, but...
There's no doubt we're better off today. Cars are easier to drive. Refrigerators dispense crushed ice at the touch of a button. Software is easier to use. Modern cell phones have (mostly) eliminated keyboards and lots of buttons. I can go on and on about the improvements.

However, because users are dumb (read: tired, overwhelmed, stressed, newbies), it is the documentation of software and the drive for complicated features that cause problems with modern technology.

In the world of business software, sales teams are demanding sexy features to sell an upgrade. Every new feature brings a new drop-down menu. Every drop-down menu brings its own complications. Dumb users never RTFM.
Ryan Naraine 1st Nov I'm for Dumb users
Not really
User friendliness is affected by the size of the feature set, and the sophistication of those features, more than anything else. Usability experts like Jakob Nielsen who track these things objectively over time show that on the whole, we are not much better off now than we were decades ago.
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

Slight technical delay
Hang in there, folks. We're smoothing out a technical issue, then we'll let the tigers back at each other.
Jason Hiner 1st Nov

Great Debate Moderator

And we're back...
What do you consider the most user friendly tech products that money can buy? It can be software and/or hardware. Give me your top three.
Jason Hiner 1st Nov
It's the manual, not the product
If you think of the refrigerator, the microwave, car alarms or coffee makers in hotel rooms as tech products (I do!), those should be the model for user-friendly design. You press a button and they work as advertised, beautifully.

We venerate Apple's iPhone as the bible for UI brilliance, but as much as I love the simplicity of using an iPhone, there are still many complications that require a manual. That's why those iPhone video ads are so valuable. They serve as the manual for the devices.

So, it's not necessarily about the friendly tech products, it's mostly about how the user manual is delivered to the user.
Ryan Naraine 1st Nov I'm for Dumb users
iOS, WP7, and Wii
iOS and WP7 both are absolutely amazingly easy to use. They have taken most of the power of a full PC (aside from things like system utilities) and presented it in a way that even a child can understand. That's really incredible when you consider how long it takes to train someone to use a PC. The Wii is equally intuitive, at least for the games that really make use of the motion controller in a natural fashion (bowling, baseball, etc.).
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

The least user-friendly tech products
What are some least user-friendly -- though widely-used -- technology products that you come in contact with? Give me your bottom three.
Jason Hiner 1st Nov
Excel, Linux...
Microsoft Excel. As you would notice from my previous answers, I'm a big fan of auto-pilot software. Microsoft Excel, as useful and widely deployed as it is, is impossible to run on auto-pilot. The iPhone alarm clock will only ring if the ringer is switched away from vibrate, which is the default state. That has caused me to oversleep many times. That's an example of a device that's brilliantly designed but still causes problems for dumb (tired, overwhelmed, lazy) users.

My list of unfriendly technologies would also include airline websites (try booking a flight without getting a migraine). Microsoft Windows as an OS is pretty overwhelming for newbies. Installing Linux to stay secure (a bit of advice I give to people) can be a herculean task.
Ryan Naraine 1st Nov I'm for Dumb users
*Nix, Windows, Android
All three of these have way too much design legacy from the 1970's and 1980's, an era when secretaries were writing macros in Lisp for their word processors. Do we really want to work this way? Sure, these systems are great for the power user who wants an in-depth view of what's happening and fine grained control, but for someone who just wants to "get things done" they are awful. Again, the feature sets are far too sophisticated for most users, and it shows in their frustration, need for training, and typical mistakes.
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

Have users improved?
How about users? Are they more tech-savvy than they were a decade ago?
Jason Hiner 1st Nov
It's all about the kids
A wise man once said: when you want to figure out technology and modern advancements, go to the kids. Today's teenagers are definitely more tech-savvy and adventurous. However, they are learning to rely on auto-pilot and tend to lean to software or hardware products that work as advertised, without too much clicking around.

A decade ago, people were clicking on everything as default, leading to the era of the Windows e-mail worms. Today, users are more educated but it's still not ideal because social engineering is still successful.
Ryan Naraine 1st Nov I'm for Dumb users
Absolutely not
The percentage of people who have a desire to become tech-savvy is the same as always. Yes, more people use tech devices, but that doesn't mean they are digging deeper into them. And when they do, it hardly is by choice!

Indeed, most "tech-savvy" people actually are only slightly less clueless than the general population. Kids now get praised for being "tech-savvy" because they can use an iPod or look something up on Google, but that's no more "tech-savvy" than knowing how to use the stereo in your car or a dictionary.

In fact, most of the supposedly "tech-savvy" kids I encounter are actually worse than their "dumb parents" because they assume that they know what they are doing and stop learning, while their parents keep trying to learn more.
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

Have we entered the age of user-centric design?
How much does tech product design still need to become more user-centric rather than focusing on engineering capabilities?
Jason Hiner 1st Nov
It depends...
This depends entirely on the type of technology product you're designing. In the consumer world, auto-pilot is all the rage. The less the user has to interface with the product, the better for everyone. Software engineers need to test their products on the dumbest users. Dumb users + dumb design = epic failure.

In the business world, where products are becoming more powerful, user-friendliness generally takes a back seat and businesses have to invest in training and manuals to get the job done.
Ryan Naraine 1st Nov I'm for Dumb users
There's a long way to go
If you look at the size of the mobile market, when Windows Mobile ruled the roost it was tiny. When iPhone was delivered, the mobile market exploded. Why? Because it was user friendliness, not capability, that was holding us back! The iPhone is actually less capable than classic WinMo in terms of what devs can do with it, but that didn't matter to users, they finally had a mobile device that didn't inherit the design flaws of the desktop Windows OS.

The questions that the typical IT pro fields from users are proof positive that we have a long, long way to go on user-friendliness.
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

Death of the manual?
Should all tech products be self-explanatory enough that they do not need a manual? Is that realistic?
Jason Hiner 1st Nov
Good luck with that
That's the expectation. A perfect product is the one that doesn't have a user manual. But that's not realistic. We're turning to technology to solve some very big problems. I have a young cousin who is diabetic. He has an insulin pump taped to his stomach. Do you want to use that product without following the directions *exactly* as specified in the manual?

It isn't realistic to kill the manual but it sure is a nice goal to aim for.
Ryan Naraine 1st Nov I'm for Dumb users
Yes and YES
One caveat... I am assuming that we are talking about users who are familiar with the use case that the product addresses (ie: I never expect a non-accountant to "get" QuickBooks, or a non-graphics artist to "get" Photoshop). But assuming that this is the case, products should be obvious to use. A manual in this day and age is almost always a crutch for poor design. If the workflow isn't obvious, if default behavior isn't clear without giving it a try, etc., then the design is poor. Almost all of what goes into a manual are things that a proper user interface explains.

Some highly sophisticated things (complex machinery, highly dangerous items, for example) need supplementary warnings, information, etc., but those are edge cases. For example, firearms are really simple to use if you've used one before, but the manuals need to be filled with important information because the price for failure is so high.
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

Is training the answer?
What about training? Can it help solve the user problem, or if a product is so complex that it requires a full day of user training, is it ultimately doomed?
Jason Hiner 1st Nov
Mandatory
Training has not only become a requirement, it's become mandatory for any mission-critical product. You can't put a 17-year-old in a car and expect him to drive without any training. It's no different in the software or technology world.

Talk to the most competent IT guy in your office and he'll give you horror stories of 'dumb users' asking dumb questions. To him, the questions are dumb but to the end user staring at this complicated navigation menu, the questions are perfectly legitimate.

Training really is mandatory in today's complex world.
Ryan Naraine 1st Nov I'm for Dumb users
Training is rarely the answer
Training wipes out the ROI of far too many items. If an application saves 5 minutes a day per employee, is it worth spending a day training them when the average employee is gone in a few years? Not really, especially when you consider that things change pretty often.

And too many people come out of training with an inability to diverge from "the rules" when needed. We see this all the time, even in non-tech stuff, people get stuck on "the way things are done" to the detriment of "the way things need to be done in this circumstance". As a result, training is not only expensive, but it often makes the situation worse, not better!
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

Let's talk percentages
You've both mentioned some complex business solutions as an exception to the user-centric design principles we're talking about. What percentage of products should require a manual or training versus the percentage of products that should be self-explanatory and never need a manual?
Jason Hiner 1st Nov
Consumer vs business
I think we should expect consumer gadgets (cell phones, tablets, airline web sites) to just work without needing a manual. For those, I'd say we can kill the manual. Again, the iPhone TV ads serve as the manual without the headaches of reading fine-print in a PDF file.

For mission critical software and tech products (insulin pumps, pacemakers, water meters, etc.), the manual is 100% mandatory. Of course, there should be trade-offs for everything in between.
Ryan Naraine 1st Nov I'm for Dumb users
Value, danger, and sophistication are the guidelines
Ryan mentioned cars. You know why we train people to drive? Because they're lethal, not because they are hard to use! Operating a car is easy to figure out, but like my firearms example, the price of failure is expensive.

There are some things which are highly sophisticated... Photoshop, QuickBooks come to mind. Manuals and training for them make sense. High value items, where not using it to the fullest leaves a pile of money on the table is another great example (like the CRM or ERP app that doesn't get used due to lack of training). But for things that are not part of the "core competency" of someone, or things that are not sophisticated, they should be no-manual/training required!
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

Security
What are the most important tips and training messages to convey to users to help them protect themselves and their systems from security risks?
Jason Hiner 1st Nov
The evil of social engineering
It's amazing how the use of common sense can solve the most dangerous security problems today. Let's look at how social engineering took down RSA Security. An e-mail from a strange address, with a strange Excel file, was delivered to the SPAM folder. Two users went into that spam folder, opened the file and the company was compromised in a breach with major ramifications.

User training to cope with the success of social engineering attacks can help but we've been trying that for a decade with little to show for it.

On the desktop, I always recommend that users apply software updates with regularity and that includes third-party software like Adobe Flash, Reader, Java, etc. Patch and stop clicking. It really is that simple.
Ryan Naraine 1st Nov I'm for Dumb users
What will they learn?
Until systems get better at filtering out the junk (phishing filters, A/V scans, etc.), users need to learn to verify and validate the source. Of course, we've been pounding this message into their heads for over a decade now, and it is clearly not sticking. Look... again, back to cars, everyone knows that a car is a deadly item, but people still fiddle with radios and phones while driving. If people can't be trusted to operate a car or a firearm with safety in mind 100% of the time, do you *really* think that we can teach them to use a non-deadly item like a PC properly?
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

Are limits the answer? How do you decide what to limit?
Is limiting what users can do the best principle for helping them avoid confusion and protecting the systems? How do you choose what to limit?
Jason Hiner 1st Nov
Users will circumvent policies anyway
In theory, implementing policies to limit what employees can and can't do can help. However, it's a big assumption that you can really limit employees, especially for those things that bring the biggest risk: using Facebook at work or use of 'unapproved' client software.

I saw a study that documented the biggest risk in an organization was the practice of users circumventing the best-written policies.

Facebook and Twitter are a gold mine for cyber-criminals but they've actually become business tools in many organizations. USB sticks introduce risk but how many businesses can really ban them?
Ryan Naraine 1st Nov I'm for Dumb users
Absolutely
iOS and WP7 are excellent examples of how baked-in limitations make life so much easier and more secure. Windows went the wrong direction, they started from "wide open" 15 years ago to trying to steadily lock down the stuff that was no good, and we know the results. The C/C++ programming languages allow wide open access to the dev, and we see the security ramifications. Is it the end user's fault if a trusted source sends them an infected Word document and they open it, and the A/V gave it a pass? NO! But if Word was written in a language other than C/C++ (like Java or C#), then the majority of the security bugs wouldn't be in it. Ditto for Acrobat, Flash, QuickTime, and the other big security risks.

The WP7 to Mango shift is a perfect example of how you do it... start with a highly restricted system, then slightly let off the restraints a bit where you see the demand, and in a way that keeps apps from even being able to access the base system.
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

We're extending the debate for a few extra minutes
Since we had a technical issue at the beginning of the debate, we've extended the time for a few minutes so that we can get through all of our questions.
Jason Hiner 1st Nov

Great Debate Moderator

The ROI on user-centric design
Ultimately, is user-centric design even possible or worth the effort? How can you put an ROI on it?
Jason Hiner 1st Nov
The bottom line decides that
iPhone is the model here. The bottom line will determine the value of killing the manual. Before iPhone, cell phones were a mess of keyboards and buttons. With iPhone's design, Apple truly shook up the telecommunications industry. We all know what iPhone did for Apple's bottom line.

For all spheres of technology and design, I think this model holds true. If you bake simplicity in the design, it will appeal to us 'dumb' users.
Ryan Naraine 1st Nov I'm for Dumb users
Very possible, and well worth it!
Back in the Windows Mobile era, people accepted bad design as the price you paid for sophisticated functionality. And then iPhone proved everyone wrong. And people said, "well, Apple can do it, no one else can", and Microsoft proved them wrong with WP7.

The ROI is amazing... fewer errors, no training, increased productivity. We talk about devices where the risk of failure is high, even deadly... cars, firearms, insulin pumps, etc. We want to give people every chance possible to make those things as safe as possible. If there's an emergency with your insulin pump, do you want to have to go trying to find the manual? No. I'd say that's a good argument for better design. If your car won't start, do you want the explanation on page 423 of the manual, or on the dashboard? Etc.

How many of us have had problems with the bank or the law due to someone making a mistake? Don't you want to minimize those? I once had a bench warrant out on me because the court computer let a clerk have me pay a ticket that wasn't assigned to me, that's silly. I could have been arrested because of that bad design choice.
Justin James 1st Nov I'm for Dumb design

Great Debate Moderator

Thanks for joining the Great Debate
Ryan and Justin will post their closing statements tomorrow and on Thursday I will post my verdict on the winner. Between now and then, remember to cast your vote and post your thoughts in the comments.
Jason Hiner 1st Nov

Closing Statements

Save dumb users from themselves

Ryan Naraine

End users have gotten smarter about using technology but human vulnerability will always be the weakest link in the security chain.

The inquisitive nature of human psychology will always push us to click on that strange URL or open that e-mail attachment. Cyber-criminals make a living out of using social engineering to infect our computers and use your resources to make money.  Dumb users will remain dumb but we have an opportunity to make software design decisions that can reduce the effectiveness of social engineering.  

Our software products must start making decisions for end-users and remove the temptation of the lure.  It's already happening.  Modern e-mail clients have started to automatically block harmful attachments.  Modern web browsers are putting up roadblocks to malicious web sites. Modern operating systems are using things like ASLR and DEP to block vulnerability exploitation without the end-user ever seeing anything.

We need to get to a world where the errant click means very little.  We need software developers to bake security into design decisions to save dumb users from themselves.

You can't blame users - fix it!

Justin James
Modern exploits are getting better and smarter all the time. Can you blame users for clicking on something that looks legit and was sent by a contact? And let’s not forget just how many exploits do not even need user intervention to do their damage. User action may often be the catalyst for a successful attack, but it is simply the final step in a long chain of events.
 
Decades of computer usage have shown us that users cannot be trained very well. And the training is expensive, causes inflexible work patterns, and is overall a mess. If you want to kill the ROI and productivity gains on technology, throw in a heavy-duty training requirement. 
 
The only solution: Make better, more immune systems -- such as iOS and WP7. Even the much-vaunted *Nix security model pales in comparison, because it maintains the myth of trusted applications and trusted users. The new smartphone operating systems take a zero trust model and combine it with a restricted API that does not allow system-damaging calls to be made. The result is a stable, highly secure environment with a limited, standardized set of features that even a small child can master.

Security's greatest threat? Dumb design

Jason Hiner

This is one of those debates that has been going on for as long as human beings have been building tools that they weren't going to just use for themselves but share with other people. In tech, this debate would have been a lot different even a decade ago, when virtually every tool in the computer industry required a manual and some training (or, at least a trial-and-error period). Today, the user expectations are different and the resources and capabilities of our product builders are a lot better.

I agree with Ryan that there's always going to be a level of human curiosity that will get people in trouble no matter how good the tools are, and there are always going to be some specialized, sophisticated tools that require a higher level of training. But, the vast majority of tech products need to get to the point where they are entirely self-evident and require no instructions. We're not there yet. Product builders need to get a lot more serious about human-centric design, and I think they will over the next decade as computer products follow the lead of consumer electronics. That's why I'm going to give Justin the nod in this week's debate.

97 Comments
Dumb users you can never eliminate; dumb designs just require an extra bit of thinking and hard work.
@scholarsarena You clearly haven't met enough LUsers.
RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design
David A. Pimentel Updated - 1st Nov I'm for Dumb users
@scholarsarena Your conclusion is backwards! Given dumb users can never be eliminated they will always be the greatest security threat; whereas, by your assertion, poor design can be rectified. Since the dumb user is the greatest threat to computing security, intelligent design must compensate for the ignorance of the "herd."
Dumb users or dumb design is the question. Yes is the answer.
@DKFlorida Agreed. They're both problems. Developers are, after all, humans just like the users. And they're just as dumb.
PEBKAC. happy
@Cylon Centurion

OTOH, we had Windows XP and Internet Explorer 6. BOTH can be categorized as dumb design. They're both STILL dumb design. I almost feel sorry for those still using it.

Dumb users and dumb design = Epic fail.
@Cylon Centurion I used both XP and IE6 for years with no problems whatsoever but other people I knew did get infected with things by falling for fake security alerts and links in emails. I'm firmly on the side of dumb users. I still think XP was and is a fine OS. I am now primarily on Win 7 but my older laptop is still running XP and always will until it dies.
@dch48

Despite that, Windows XP was fundamentally flawed. The data is out there to back that claim up as well. I personally think it's still flawed even after 10 years on the market.
RE: Dumb Users or Dumb Designs
StayCalm 31st Oct I'm Undecided
Our hope lies with (1) some users being willing/able to behave more responsibly, and with (2) some designers being willing/able to improve the systems. It'll help if software companies stop laying off their most experienced programmers in favor of lower paid high school grads.
Press any key to continue.

"But I don't see the any key."
@Droid.Incredible

LMFAO. Hahahahahahahahahahahahaha. That's Funny. Having been in IT for 15+ years I am on the side of Dumb Users. I know you guys know they ask the same question Over & Over Again. I think 90% of them are semi retarded.
I fall into the camp that sees the real problem to be design limitations. 'User Failure' has always been the largest problem in bringing computing power to the wider world, and no-one brings software to release without, for instance, preventing alpha input into a numeric field.

I would not really characterize users as 'dumb'. What they ARE is comparatively unfocussed. Those of us in computer careers tend to forget that our level of concentration on the details is the ANOMALY, not the norm! Unfocussed and/or uncaring users should be expected, welcomed, and designed around. After all - were it otherwise they wouldn't need US to intercede with the machines...

Freebird54
@Freebird54 there is a power outlet that CAN kill you. Same with the email attachments, social networking, etc. Humans are explorers by nature and they are going to click on those links just to see what will happen, some do not have enough experience to tell the difference, some are not paying enough attention. The wealthiest company in the world does pay attention to design. Connect these things together and you will get the solution to this problem.
So is it the electrician's fault
LiquidLearner 1st Nov I'm for Dumb users
@pupkin_z

If a person sticks a fork into the wall socket and hurts themselves? Or do we chalk it up to a bad decision by the person who did it? As long as users have the ability to harm themselves it will happen. Even phones are now subject to malware, and it's an OS based on Linux that has the lion's share of the problem. Even Linux can't protect a user who is willing to install any and everything they see without regards for what might happen.

IT departments are capable of dealing with this by not allowing users the ability to install said malware. That's not the case at home or even small to medium businesses. If you've got an office with 10 PCs and a server can you really afford to call out an IT company every time you need to install or update your accounting software? Especially when it's fairly straightforward. And because of that those users will continue to run with admin rights and have the ability to harm themselves no matter what OS they use.
@pupkin_z
Yes - a power outlet can kill you, but it is quite difficult to make happen. There is NOTHING about the design that presents the danger - in fact it is necessary to bring in something from "outside" (a screwdriver?) to create the danger. In fact, it can serve as an example of how design can lessen the degree and likelihood of dangerous events.

All I am contending is that design can be improved, and *IS* being improved slowly, to a point that mistakes with serious consequences are very difficult to make. Automatic backups, multi-level undo, hiding nonsensical options when unneeded are all steps on the journey - a journey that may well end up with a Wi-Fi implant in the brain. Then the DWIM command (Do What I Mean) may finally achieve reality!

Freebird54
RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design
Pappaous Updated - 4th Nov I'm for Dumb design
@Freebird54
The ultimate goal of the machines, in my opinion, was to eliminate nepotism, favoritism, and corruption. Not become the corruption! Obfuscated by design and then lock-out the end user is precisely why you have click apathy. In state and federal government, you have 200 years of strategic division of labor specifically for this reason. A programmer that scoffs at and decides after.... Oh, say, 2 days, that he/she has a better way without looking at the verifiability of the tools they use... sell their snake oil, then leave the tax payers with a program that had a 1 day shelf-life (in my opinion), because they developed it on an OS or language that uses fuzzy regular expressions including DNS look-up, has got me investing in lead (bullets), not gold and silver. Autistic morons. Security's greatest threat is apathy both users and programmers! Remove legal disclaimers and obfuscated or remote coding, then we will see some decent programming! We have bull-queered the entire world into a trust bankruptcy.
Instead of trying to make better drivers, we need to be building better brakes.

I'd like to hear his thoughts on how computers can be improved wrt security.
There is an easy answer
toddybottom 31st Oct I'm Undecided
@ye
They could (and are) move to a more iOS style design where freedom is traded away for security. There is a trade off for sure and I think it is important that for those who want to take the risks that there are still OSs and computers offered that fulfill that requirement. For most people though, the breadth of applications that exist on iPad and iPhone are good enough to satisfy every single computing requirement that they have.
Here's an even easier
Mikael_z Updated - 31st Oct I'm for Dumb design
@toddybottom
Which platform is infected in 99% of the cases?
Which platform has the highest security related costs?
Which platform has always been a headache for people around the world?
Accusing people for something they have always been is just a way for IT-workers depending on the second rate, toy platform to steer the attention away from the real problem: Microsoft and their crap software.
And that's the question.
ye 1st Nov I'm Undecided
@toddybottom: They could (and are) move to a more iOS style design where freedom is traded away for security.

Should freedom be traded for tighter control which reduces freedom.
0 Votes
Which platform has > 90% market share.
ye 1st Nov I'm Undecided
@Mikael_z: Which platform is infected in 99% of the cases?

There's your answer.
0 Votes
ye: up to the individual to decide
toddybottom 1st Nov I'm Undecided
"Should freedom be traded for tighter control which reduces freedom."

I believe that there should always be options to purchase "unlocked" OSs for those who are not comfortable trading away their freedom. But the answer remains that the best solution for the "dumb" user is to take away their freedom to do "dumb" things, even if it takes away their freedom to do "smart" things too. For most people, that ends up not being a big deal because most people aren't able to do "smart" things with computers that don't currently limit their freedom.

I actually think that things like jailbreaking are a good thing. You have a nice, safe environment for 99% of the "dumb" public with the option of removing the safeguards for those who consider themselves "smart" enough to handle the extra responsibility.

BTW: I'm using "smart" and "dumb" in quotes because I'm referring to classes of behavior and not to the capabilities of the individual. I have not jailbroken my iPhone because I'm happy being restricted to doing "dumb" things on my iPhone. I couldn't be bothered to take on the extra responsibility that comes with jailbreaking.
0 Votes
If you're willing to trade freedom for security
LiquidLearner 1st Nov I'm Undecided
@toddybottom

Then you deserve neither. That's true for the US government and it's true for computers.
0 Votes
LiquidLearner: not proposing that it is forced
toddybottom 1st Nov I'm Undecided
I'm very clear in my belief that things like jailbreaking should be allowed and even encouraged for those who want the ability to disable the security benefits of a walled system.

However to suggest that people don't deserve to get products that trade off freedom for security is quite extreme. The problem with trading freedom for security as a citizen is that there is no ability to ever opt out. There is no problem with choosing to trade freedom for security as long as tomorrow you are able to trade your security back for your freedom, at least not as far as I'm concerned. The problem isn't with willingly giving away some freedoms, the problem only occurs when you are unable to get it back. Jailbreaking an iPhone lets you get your freedom back.
@toddybottom Precarious by design, is that "good enough"? Maybe in your country where freedom to rape is touted and baby booms are punished. I sense a real disconnect between causality of one's actions and responsibility. There was once a gentleman who worked in IT for a steel company. The data store requirements prompted that gentleman to suggest creating a child company to absorb the risk. He bought a massive mainframe and saw thousands of cycles wasted. So, like any smart man, he started selling time share, most notably one such customer was a Japanese firm ripe for expansion after dumping USA electronic companies into extinction. Strange, and not that I am suggesting anything, but it came as no surprise (to me) that all the steel industry production was absorbed by the aforementioned company and the steel company in Bethlehem, PA... hmmm? mostly a specialty local market provider and only because of a 1990 threat from USA trade threat. That time-share company? The guys with the proper dress code, Black suit, white shirt, black tie, black trousers, military oxfords... still survives today. Most of you knew them as EDS. [sigh] Yeah, @ye, perhaps precarious development is "good enough" but is it what they deserve?
0 Votes
@Mikael_z
You're playing right into the hands of US cyberspace atrophy. There are several thousand unfixable problems in UNIX and its derivatives. Because it is not as ubiquitous in the market, and because the carnival barkers are (or were, with Steve Jobs) in top form and have the spy industry drooling at the mouth, you will never be aware of 90% of them. So, I hope you will understand my irritation with your malfeasant feature requests and nebulous chiding. Microsoft is crap. I don't condone their adolescent appeasement to programmers, especially in light of the H1B conundrum and persistent EU suing for source. Same problem OSX faces that goes without saying because of some silent lucidity moratorium, waiting for the last US bastion of cyber security to fall. Which it may anyway due to security company moles and their H1B conundrum. Breathe deep the gathering gloom... Moody Blues - Days of the Future Past - monologue after Nights in White Satin.
0 Votes
I will give you the following example, loosely following above's example of "better brakes":

Given two vehicles - (A) which is a converted WWII Sherman tank, complete with 4 inches of defensive armor and weighing in at 20 tons, has ejection seats with parachutes, a 700 hp engine, and every safety-feature-known-to-man, and (B) which is made up of a paper-composite material, weighs about 300 lbs complete with engine, and has been rigged with an explosive front and rear bumper, no seatbelts, no roll-cage, no safety device AT ALL.

Question: Which vehicle is less likely to get into an accident?

Answer - "B". The driver will probably never get in the car.
0 Votes
Well
timiteh 31st Oct I'm for Dumb design
Well on one hand most users are incredibly dumb, even those with a supposed technological background.
On the other hand, when you know that the users are dumb you must take it into account in the design.
Thus for me Dumb design is almost worse than Dumb users.
0 Votes
I'm undecided, not because I can't decide which is to blame, but because both are about equally to blame. Security decisions made early on (blacklists instead of whitelists, for instance) shape the security landscape today, and are almost irrevocable. Users are told, "put up with these slowdowns and annoyances because the software causing them is there to protect you from the bad guys," and then maligned when they trust the protection they've been given.

Hmm, guess I'm not so undecided after all. Users can be very dumb, but we've spent years telling them we'll protect them from themselves. I'm for dumb design.
0 Votes
If 99% of infections
LiquidLearner 1st Nov I'm Undecided
@bknabe@...

Were caused by not installing patches that were already out or by social engineering, you're saying that something that caused 1% of the infections is a bigger problem than something that caused 99%. That doesn't make any sense.
@LiquidLearner

Let's put it this way. If back in the beginning the decision had been made to use whitelists instead of blacklists, then when we told users a system is safe from infection, it would be (or at least more than it is now) because only programs on the whitelist could run on it. But the decision was made to use blacklists, so that everything could run except what was on the blacklist.

Of course, we would still have to deal with social engineering and people giving out passwords, but simply clicking on a link would not be a great disaster, at least not without a lot more work from the attacker than is necessary now.

So I say that dumb design is a bigger problem. Though not by much.
0 Votes
Chuckle
rhonin 1st Nov I'm Undecided
@LiquidLearner
Yeah - let's design by exception.....
Today, people aren't as pecky as they used to be. The only people who actually check sources and stuff like that are people who research because the typical user doesn't really care. That fact makes him for vulnerable because he doesn't pay attention if something is true or not. That's how the phishing anti-virus apps work for example.
I am actually for "both" here. No one can ever stop ignorant people from being harmed by the dumb things they do without at the same time (severely) inhibiting knowledgeable people from doing what they know is right for them. Hardware and software purveyors can do a much better job at, um, COOPERATING and improving the ecosystem so that those of us who do know what we're doing do not get infected by the actions of "those people" (tongue somewhat in cheek). In all honesty, though, I am not particularly optimistic, because advancing the ecosystem is very expensive and is thus not a good fit for a capitalistic business model. It's just too easy to blame the dumb user.
Anyone I've taught how to use computers has never had a problem since. Unfortunately there are too many people who aren't in the know!

Give a man an antivirus and he'll be secure for a day. Teach a man not to install crapware and toolbars and he'll be secure for a lifetime
0 Votes
Automatically shutdown or isolate infected machines?
peter_erskine@... 31st Oct I'm for Dumb users
This seems to be what Justin James is asking for. I seem to remember Microsoft suggested something similar during the past 12 months, "quarantine" was it? But it wasn't a popular idea. If it was a good idea we'd already be doing it. But Ryan's is a more accurate view.
0 Votes
RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design
Gabriel Hernandez 31st Oct I'm for Dumb design
Google, Microsoft, Oracle, IBM developers are the best paid in the world and they always release patches to fix security holes in their products, most of the time is not the user's fault, it's because there was a dumb design.

Most of these enterprise world wide products are built using object oriented programming language with C++.

C++ is a very complex language since it can access devices, CPU and memory directly, it's because of programming errors, that some of these buffer overflows errors occur, it is time to teach in college to students that 90% of code is not in the design, so only experienced developers know how to deal with these issues.
@Gabriel Hernandez 90% of exploits are due to C not having a proper string object. Instead you just have an array of characters and it's easy to overwrite the end and cause mayhem. If C had fixed length strings, with auto truncation, most exploits would not be possible. Most of the world's code is based on C or its descendants: we're all suffering from a fundamental design flaw made in the 60s.
@The Star King
And there you have it! Code - the original design. Bravo!
0 Votes
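The fixed-length string with automatic truncation described in the comment above, sketched in C as an added example (not code from the thread or from any project named in it). The `fstr` type, `FSTR_CAP` and the `session` struct are hypothetical names, and the long input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FSTR_CAP 16 /* capacity picked for this example */

/* Hypothetical fixed-length string: the length travels with the bytes. */
typedef struct {
    size_t len;                /* bytes in use, never more than FSTR_CAP */
    char   data[FSTR_CAP + 1]; /* one spare byte keeps a NUL for C APIs */
} fstr;

/* Replace the contents with src, cutting it at FSTR_CAP bytes.
 * Returns 1 if src did not fit, 0 otherwise. */
int fstr_set(fstr *dst, const char *src)
{
    size_t n = strlen(src);
    int truncated = n > FSTR_CAP;

    if (truncated)
        n = FSTR_CAP;
    memcpy(dst->data, src, n);
    dst->data[n] = '\0';
    dst->len = n;
    return truncated;
}

/* Append src under the same rule: only the remaining room is written. */
int fstr_append(fstr *dst, const char *src)
{
    size_t room = FSTR_CAP - dst->len;
    size_t n = strlen(src);
    int truncated = n > room;

    if (truncated)
        n = room;
    memcpy(dst->data + dst->len, src, n);
    dst->len += n;
    dst->data[dst->len] = '\0';
    return truncated;
}

/* A flag stored right after the buffer, the kind of neighbour that an
 * unchecked strcpy() into a plain char array would run into. */
struct session {
    fstr name;
    int  is_admin;
};

int main(void)
{
    struct session s;
    memset(&s, 0, sizeof s);

    /* Constructed input, twice the capacity of the buffer. */
    int cut = fstr_set(&s.name, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    printf("stored %zu bytes, truncated=%d, is_admin=%d\n",
           s.name.len, cut, s.is_admin);
    return 0;
}
```

Callers should treat a return of 1 as an error rather than carry on with the shortened value, because a cut path or name can mean something different from what was supplied.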
Dumb is a relative term
zack.j 31st Oct I'm for Dumb users
I'm for Dumb Users, but just want to point out that just because some users are dumb when it comes to technology/computers, does not make them dumb overall. Some people, particularly from the last generation are quite intelligent, yet are just not used to computing, you can't blame them for that, perhaps the day will come when the same could be said for us!
0 Votes
I remember fixing a lawyer's computer once
LiquidLearner 1st Nov I'm Undecided
@zack.j

a very, very simple fix. He did something incredibly silly and it took all of 2 minutes to correct the issue. He says to me "I bet you go back to the office and talk about how stupid we are". I told him that the best part of my job is that I get to see incredibly smart people, which this guy most certainly was, make stupid mistakes every day. I also told him I'd look like a total fool if I tried to represent someone in a court room. So your point is exactly right. The problem is the people who prey on those who have better things to do with their time than worry about learning how to correct or avoid problems on a PC.
0 Votes
Design will only get you so far...
R_Connelie@... 31st Oct I'm for Dumb users
While I'm voting "Dumb Users", it's the savvy users who cause the most trouble - they like finding shortcuts, using tricks that make their job easier, and running their preferred software.

I've seen
- folks running unauthorized browsers from USB drives, which they've tweaked with custom proxy settings to avoid the blacklist-enabled network proxies
- someone plug an AirPort Express into the company network so he could use his personal laptop to access work files (and watch streaming content using his personal AppleTV)
- users sharing device certificates to get their iPads on the secure WiFi
- people using digital TV tuners, connected directly to their monitor, so they can watch "the big game" either full-screen or picture-in-picture
- the sharing of login ID's and passwords because "hey, it's just easier".

(Side note: The most common offenders are Apple users. The company supports Apple products, but the users either don't call for approval, or they don't want the additional security software installed (ie disk encryption, device certificates, backup software, remote wiping, "find my device"-esque software) - things that make "their" computer slower or less convenient-to-use but also more secure from a corporate standpoint.)
0 Votes
If the techies would be intelligent enough to make great easy design, there wouldn't be dumb users. I say: dumb engineers.
@themarty

Using your logic: You the engineer, design a golf ball and give it to a golfer (user), the user eats it. dumb engineer.
0 Votes
@Frenz9 If you've worked any with "normal" users, the non-engineer bunch, you would have learned that they don't think like engineers. They don't care about learning, they just want to get their task done. Most people are not dumb, they just want what they use to work.

And some things do require learning, like driving a car or flying a plane. It's possible that one day engineers will be strong enough to build cars and planes that don't require some learning to use.

Your example is not particularly bright. Any user buying product X (golf ball) knows what it's used for (play golf).

As for security, it's our job to make our systems as secure as possible. We are the professionals after all. Not the users.
I'm for dumb users, but regardless of the user's knowledge at the end of the day the user needs to be able to work it, hence better design is a better way to combat it as you will never be able to educate everyone.

Throwing away the nice guy here, I believe just like any area/job/activity users should be first educated on the product before they use it.

You can't drive a car without first learning to drive, using a computer is no different.
Sorry guys either way you cut it - it's both.

In the real world computer software is a blizzard of jargon for the inexperienced user - e.g. spreadsheet/workbook/worksheet; directory/folder; memory-stick/thumbdrive; far too many acronyms and mnemonics; error and pop-up messages appear to the untrained eye to be in a new language only vaguely similar to the local one. And find another word for format!

On the dumb users side there is stupidity, laziness, carelessness, and mistakes.
The first of these is irredeemable, just like some people will never drive a vehicle, the only thing for it is to restrict their access to the bare minimum - a pedestrian of computing. The next two are easily the majority of problem users. They are always too busy to learn - the lazy are trying hard to avoid work; the careless are trying to catch-up with the last deadline. No amount of training will stop them screwing-up; they are always calling for IT help.
Then there is the mistakes, almost pleasant compared to the rest as this can show a positive outcome if successful and usually a lesson is learned.
I'm not undecided both need work!
0 Votes
Dumb users
Martmarty 31st Oct I'm Undecided
Dumb user.
A knowledgeable techie user can always cover the holes of some dumbly designed software. He can download and run the latest patches of his software or run some tools and utilities to make his software safe from attacks. But uber geeks can patch and cover the holes on their own even without the source.
How do I change my vote?!
I came to realize that it's a really good point: users are always dumb, design should adjust to that constant. It's much like the use of electricity: all machines make use of it, how silly would it be if some of them suddenly tried to use something else?

Comments from the floor

  • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design
    to LiquidLearner
    I am sorry but that's not "trading freedom" as in a sense of political rights. You still have the option, but the default is dumb proof. Modern unixes have a built in safeguard against rm -rf /. That's not fascistic, but is a good safeguard that can be bypassed by the user, if necessary. I'm for dumb proof design, that's safeguards but does not block a feature
    garegin 29th Nov
    I'm Undecided
  • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design
    the debaters are forgetting an important factor- cost or risk. you wouldn't handle your new bride the way you handle a potato chip. the reason users are "dumb" is because the consequences are little or not painful enough. if computers cost 10000, valley girls wouldn't be spilling their mocalates on them. this is empirically verifiable. netbook users treat their computers like crap, whereas macbook pro 17" users cradle them like babies.
    garegin 29th Nov
    I'm for Dumb design
  • Microsoft is the biggest threat to computer security
    When are you all going to wake up? Windows has security flaws by design. For nearly three decades Microsoft has been deliberately creating their operating systems so it is possible for software run on those OS to compromise the user's security and privacy. The only thing open to question is whether or not Microsoft does this for their own reasons or because they have been coerced into doing so by the US government.
    YeaiBetYouDo 12th Nov
    I'm Undecided
  • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design
    @NonnyMcKN
    Thank you. I just wish this sentiment was more ubiquitous and influential when someone decides to light-up the world's largest 3G network with Android, that by network design is less security aware than let's say, England's Wireless. ...and now, let's provide Android phones to DOD!>?! Have we fixed the stealth corruption on the Predator systems yet?
    Pappaous 5th Nov
    I'm Undecided
  • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design
    if your computer has been hacked it's your fault, our design it's perfect, flawless... give me a break. Someone else (a dumb user) uses a smart user's computer and its computer is hacked, then what? you say the smart user is dumb for allowing a dumb user to use its PC?
    d.marcu 4th Nov
    I'm for Dumb design
