[KLUG Members] Link on OS security problems

[Robert G. Brown]

On Sat, 10 Jan 2004 14:37:35 -0500, Peter Buxton wrote:

>On Tue, Jan 06, 2004 at 01:18:26PM -0500, Robert G. Brown was only escaped
>   alone to tell thee:
>
>> Even the premise bothered me: "we would not expect car manufacturers
>> to have made little progress on the safety of their cars, would we?"

>If you read Lee Iacocca's autobiography, you can read about him
>participating in Ford's '50's campaign to sell safety. It bombed. It
>turned out that car purchasers did not like to think about having their
>car destroyed under them -- or with them. It took years of gory NHTSA
>safety films showing that even large cars were vulnerable before people
>accepted that seat belts were necessary.

Even then, it didn't really work. Carmakers had to be forced to put them 
into cars, and eventually automobile occupants were required to use them.
Everyone fought this, every step of the way, and there were many reasons
for this, at many levels. IMHO, it was/is a cultral phenomena; the notion
of using this kind of safety equipment somehow runs deeply at odds with the 
American notion of what it means to use a car.

>Aircrew attitudes towards bomber construction in WWII were similar.
>Engineers found that the airframes were generally overdesigned. The
>frames could be lightened, leaving more capacity for heavier armor and
>guns. The aircrews refused to hear of it. The possibility of death at
>the hands of the enemy was easier to accept than that the pile of
>riveted sticks they rode on through the air might come apart around
>them.

Interesting point, and I wonder of there is a parellel to be drawn here.
Of course, combat air training highlighted the risk of flying against the
enemy, and the crew was also trained to trust themselves, each oterh, and
their airplanes. It is interesting that many aircrews customized their own 
planes in various ways, but were very resistant to others doing so.

>I expect that is the cause of many security breaches. People do not like
>to think their network is insecure, so they don't.

Absolutely correct. In the past week, I was told the following, in some 
cases by the very people who had signed contracts that would implement
changes:

1. Oh, we've never had a problem from that before, don't be silly!

2. I think the way things are being run right now is fine. Why risk any
   changes?

3. You're not going to last long around here is you insist on these kinds
   of procedures.

There's more; these are examples. Was I being told the above regarding
automobiles, network security, or something else? I claim that it almost
doesn't matter; we're faced with mental inertia, fear, and a lack of 
insight in each case.

>> Um, it was over 60 years, and extensive government regulation (in the
>> USA) that finally got car makers to make really good safety features
>> standard, even though they knew these features were needed.

>Also consider that adding safety features is a mixed bag. If you want
>car manufacturers to add air bags, you have to consider how many
>lawsuits adding them would create. For one thing, designs need to be
>tested in the real world, not in labs. They still detonate without
>reason and cause minor burns whenever they go off, but at a much lower
>rate than they did when they were still relatively untested.

Some of them break arms and noses, too, and crack ribs. One key point so 
many have missed s that they are ALIVE to SUE... they don't have estates
carrying on these actions.

The above reasoning was often used byautomotive manufacturers in their 
persistant opposition to saftey equipment in cars. Yes, it is a mixed bag,
but the mixture is very much in favor of survival now. Before, it was more
mixed, and rather more of the mixture was tense-modified people. Even some
of my European friends, who live in places where belts and bags are cultur-
ally accepted, and who feel that the USA is an excessively litigious place,
agree that a few more lawsuits are a small price to pay.

							Regards,
							---> RGB <---