[KLUG Members] Link on OS security problems

Robert G. Brown members@kalamazoolinux.org
Sun, 11 Jan 2004 10:01:52 -0500


On Sat, 10 Jan 2004 16:36:09 -0500, Adam Williams wrote:
>>>>Even the premise bothered me: "we would not expect car manufacturers
>>>>to have made little progress on the safety of their cars, would we?"

>>>If you read Lee Iacocca's autobiography, you can read about him
>>>participating in Ford's '50's campaign to sell safety. It bombed. It
>>>turned out that car purchasers did not like to think about having their
>>>car destroyed under them -- or with them. It took years of gory NHTSA
>>>safety films showing that even large cars were vulnerable before people
>>>accepted that seat belts were necessary.

>>Even then, it didn't really work. Carmakers had to be forced to put them 
>>into cars, and eventually automobile occupants were required to use them.
>>Everyone fought this, every step of the way, and there were many reasons
>>for this, at many levels. IMHO, it was/is a cultural phenomenon; the notion
>>of using this kind of safety equipment somehow runs deeply at odds with the 
>>American notion of what it means to use a car.

>I suspect that this fought "every step of the way" is actually the
>amplified vocalizations of a small percentage of the population. I was
>late teens / early twenties when seat-belt laws came into being and
>heard about this A LOT.

You missed a lot of the action. I recall when the regulations were passed
that not only required seat belts in cars, but also required that they be 
retrofitted into every car on the road at the time. Before THAT, there were 
years... decades (some of which even *I* missed! :) of stalling by lobbyists
and other manufacturer representatives, often with the flimsiest reasoning,
while people died on the roads.

>But most people I knew were in the "Well, Duh?" camp.  
Yes, by the time the seat-belt-wearing laws started to get passed, the numbers
were in, and they were indisputable.

>The anti-seat belt contingent also tended to coincide with the
>contingent that felt there was no "real" evidence cigarette smoking was
>bad for you.  I think this was (to some extent still is) a manifestation
>of a very deeply rooted anti-authority sentiment, pushing up from way
>below any rational or cognitive position.
Limbic? Reptilian? These folk do not seem to remember that there is no right
to drive, and the physics of automotive movement are ruthless.

>The "love" of the automobile may be connected to that, but I don't think 
>it is nearly that specific. 
Right, carlove is not anti-authoritarian per se. If it was it would have 
died out by now, or have morphed into a lot of other areas of life.

>It also manifests in the opposition to mass transit: No!  The
>bus/train/tram comes at 7:45am, and I don't want to leave till 7:50, so
>I'll own something that costs me hundreds of dollars a month, emits
>pollutants, and isn't safe (certainly compared to a bus or train); but I
>won't be a "slave" to some system.

Yes, this may be closer to it. It's not so much anti-authoritarianism, but 
rather a sense of independence and self-reliance, even at odds with 
rationality. There's also a sort of network effect. I can't rely on
mass-transit here, because it's too infrequent and unreliable to support the
activities I need to do.

Contrast this with Manhattan, where other than taxis or limos, a lot of the
natives don't ride in cars for years. They don't miss it because mass-transit
is pervasive; you can go anywhere in NYC at rock-bottom prices, and riding
the subway is not disparaged by anyone (the Billionaire mayor of the city 
rides the subway).

>If you want to go back to IT this is also visible in more subtle ways.
>My best example (being painfully familiar with it) is LDAP schema.  To
>create LDAP schema you have to acquire an OID number from IANA (a
>central authority for such things).  It is free, as in costs nothing, 
>all you do is fill out a form on a web page.  You would not believe the
>volume of messages whining and complaining about this - "Do I really
>really have to register?  Can't I just make one up? Why can't we have
>something like 192.168.x for OIDS.......".  When the resounding answer
>from the LDAP powers-that-be is "Yes, No, Very Bad Idea" the counter
>response can border on 'snarling'.  Why?  I can only guess that it is
>the same kind of anti-anything-vaguely-resembling-central-authority
>sentiment.  Because it isn't reasonable.  And OID is free, no one wants
>you to answer 100 questions to get one,  no one asks for a blood
>sample;  and there are REALLY good rational arguments why manifesting
>schema needs to be a controlled process with minimal overlap.

Crazy. There are some people who are just completely against filling out
forms, or "applying" for ANYTHING. I wonder what the percentage of the 
populace this really is....

>>>Aircrew attitudes towards bomber construction in WWII were similar.
>>>Engineers found that the airframes were generally overdesigned. The
>>>frames could be lightened, leaving more capacity for heavier armor and
>>>guns. The aircrews refused to hear of it. The possibility of death at
>>>the hands of the enemy was easier to accept than that the pile of
>>>riveted sticks they rode on through the air might come apart around
>>>them.

>Well, I can understand this one.  You're depending on that air-frame the
>entire time you're flying;  you're depending on the armour only during the
>brief time you're being shot at.  This makes sense to me.  If you come
>back alive but your plane breaks apart on the landing strip it sorta
>defeats the purpose of armour.

That's right, but again we're talking about something not entirely rational...

>>Interesting point, and I wonder if there is a parallel to be drawn here.
>>Of course, combat air training highlighted the risk of flying against the
>>enemy, and the crew was also trained to trust themselves, each other, and
>>their airplanes. It is interesting that many aircrews customized their own 
>>planes in various ways, but were very resistant to others doing so.
>
>And if my life depended over-and-over on some machine I'd feel the exact
>same way.  

Perhaps you would FEEL the same way, but it's not really reasonable. It
makes sense that any modifications recommended by the military or the plane
maker are well-intentioned (if not completely correct), since it's not in 
their interests to see planes fall outta the sky for no reason, either.

Of course, merely because something is not entirely rational doesn't mean
that it's going to be followed, or even considered right. After all, the memo
written by some aircraft engineer in California is all well and good, but 
when it has to be relied upon by some flyer over enemy territory (whatever
that means this week), it may become another thing. It's the old bacon and
egg thing... The Chicken is involved, but the pig is COMMITTED.

>There is also the odd emotional attachment people develop to things
>they carry or use or even see during high-stress experiences, 
>particularly "repetitive" high-stress experiences.  I'd suspect this
>certainly applies to war-time pilots.

Absolutely!

>>>I expect that is the cause of many security breaches. People do not like
>>>to think their network is insecure, so they don't.
>>Absolutely correct. In the past week, I was told the following, in some 
>>cases by the very people who had signed contracts that would implement
>>changes:
>>1. Oh, we've never had a problem from that before, don't be silly!
>>2. I think the way things are being run right now is fine. Why risk any
>>   changes?
>>3. You're not going to last long around here if you insist on these kinds
>>   of procedures.
>
>Oh yea, heard all those.  Personally the last one is the scariest;  it
>means the users of a system have more power over it than the [hopefully]
>more educated poor sod who's being held responsible for it.

That's right. When it's said to me, I simply note it, perhaps for further
action later. I'm certainly not interested in working for anyone who really
believes it.

As a consultant/contractor, I almost ALWAYS have less of a stake in the 
organization than the people who say these things. Ultimately they (and the 
organizations they're in) will suffer more than I. It bothers me, but I don't 
feel threatened or intimidated.

I recall someone losing patience with me during some project (I was insisting 
that we do something "right", he was under pressure to get it done Thursday),
and he threatened to fire me if I didn't co-operate. My response:
"OK, fire me if you please. I'll go find better opportunities, and you'll 
still be here, facing this deadline, and you'll have no one who knows how to 
deal with it."

I walked out of that place in my own good time, thanks.

>Do the meme people have a fancy term for "mental inertia"?  Seems up
>their alley.
Maybe... um, stupidity? insanity?
I like the definition of "insanity" that goes something like "A mental condition
that causes one to try something over and over, even though it doesn't work".

							Regards,
							---> RGB <---