[KLUG Members] Link on OS security problems

[Adam Williams]

> >> Even the premise bothered me: "we would not expect car manufacturers
> >> to have made little progress on the safety of their cars, would we?"
> >If you read Lee Iacocca's autobiography, you can read about him
> >participating in Ford's '50's campaign to sell safety. It bombed. It
> >turned out that car purchasers did not like to think about having their
> >car destroyed under them -- or with them. It took years of gory NHTSA
> >safety films showing that even large cars were vulnerable before people
> >accepted that seat belts were necessary.
> Even then, it didn't really work. Carmakers had to be forced to put them 
> into cars, and eventually automobile occupants were required to use them.
> Everyone fought this, every step of the way, and there were many reasons
> for this, at many levels. IMHO, it was/is a cultral phenomena; the notion
> of using this kind of safety equipment somehow runs deeply at odds with the 
> American notion of what it means to use a car.

I suspect that this fought "every step of the way" is actually the
amplified vocalizations of a small percentage of the population.  I was
late teens / early twenties when seat-belt laws came into bieng and
heard about this ALOT.  But most people I knew were in the "Well, Duh?"
camp.  The anti-seat belt contingent also tended to coincide with the
contingent that felt there was no "real" evidence cirgerette smoking was
bad for you.  I think this was (to some extent still is) a manifestation
of a very deeply rooted anti-authority sentiment, pushing up from way
below any rational or cognitive position.  The "love" of the automobile
may be connected to that, but I don't think it is nearly that specific. 
It also manifest in the opposition to mass transit: No!  The
bus/train/tram comes at 7:45am, and I don't want to leave till 7:50, so
I'll own something that costs me hundreds of dollars a month, emits
pollutants, and isn't safe (certainly compared to a bus or train); but I
won't be a "slave" to some system.

If you want to go back to IT this is also visiable in more subtle ways. 
My best example (being painfully familiar with it) is LDAP schema.  To
create LDAP schema you have to acquire an OID number from IANA (a
central authority for such things).  It is free, as in costs nothing, 
all you do is fill out a form on a web page.  You would not believe the
volume of messages whining and complaining about this - "Do I really
really have to register?  Can't I just make on up? Why can't we have
something like 192.168.x for OIDS.......".  When the resounding answer
from the LDAP powers-that-be is "Yes, No, Very Bad Idea" the counter
response can border on 'snarling'.  Why?  I can only guess that it is
the same kind of anti-anything-vaguely-resembling-central-authority
sentiment.  Because it isn't reasonable.  And OID is free, no one wants
you to answer 100 questions to get one,  no one asks for a blood
sample;  and there are REALLY good rational arguments why manifesting
schema needs to be a controlled process with minimal overlap.

> >Aircrew attitudes towards bomber construction in WWII were similar.
> >Engineers found that the airframes were generally overdesigned. The
> >frames could be lightened, leaving more capacity for heavier armor and
> >guns. The aircrews refused to hear of it. The possibility of death at
> >the hands of the enemy was easier to accept than that the pile of
> >riveted sticks they rode on through the air might come apart around
> >them.

Well, I can understand this one.  You're depending on that air-frame the
entire time your flying;  you're depending on the armour only during the
brief time you're being shot at.  This makes sense to me.  If you come
back alive but your plane breaks apart on the landing strip it sorta
defeats the purpose of armour.

> Interesting point, and I wonder of there is a parellel to be drawn here.
> Of course, combat air training highlighted the risk of flying against the
> enemy, and the crew was also trained to trust themselves, each oterh, and
> their airplanes. It is interesting that many aircrews customized their own 
> planes in various ways, but were very resistant to others doing so.

And if my life depended over-and-over on some machine I'd feel the exact
same way.  

There is also the odd emotional attachment people develope to things
they carry or use or even see during high-stress experiences, 
particularly "repetitive" high-stress experiences.  I'd suspect this
certainly applies to war-time pilots.

> >I expect that is the cause of many security breaches. People do not like
> >to think their network is insecure, so they don't.
> Absolutely correct. In the past week, I was told the following, in some 
> cases by the very people who had signed contracts that would implement
> changes:
> 1. Oh, we've never had a problem from that before, don't be silly!
> 2. I think the way things are being run right now is fine. Why risk any
>    changes?
> 3. You're not going to last long around here is you insist on these kinds
>    of procedures.

Oh yea, heard all those.  Personally the last one is the scariest;  it
means the users of a system have more power over it than the [hopefully]
more educated poor sod whose bieng held responsible for it.

> There's more; these are examples. Was I being told the above regarding
> automobiles, network security, or something else? I claim that it almost
> doesn't matter; we're faced with mental inertia, fear, and a lack of 
> insight in each case.

Do the meme people have a fancy term for "mental inertia"?  Seems up
their alley.

> The above reasoning was often used byautomotive manufacturers in their 
> persistant opposition to saftey equipment in cars. Yes, it is a mixed bag,
> but the mixture is very much in favor of survival now. Before, it was more
> mixed, and rather more of the mixture was tense-modified people. 

Yep.