License to Surf, Take Two

NaugaHunter writes "A story on Yahoo asks Should [a] License Be Required to Go Online? It appears to be suggested by Bruce Schneier, chief technology officer for Counterpane Internet Security Inc. 'It could be a four-year college degree, a one-month course. It might be a good idea.' The story also details efforts of some schools from simple orientation to threats of fines for spreading viruses, and questions exactly who would be responsible for keeping track of who is and isn't licensed." Not a new idea, but one that's going to keep coming up. Update: 09/13 18:11 GMT by M : Bruce Schneier notes that he isn't in favor of computer licenses.

All I can say is WOW.

[LinuxMan]

That is a bit too much control on our rights, in my opinion. I would think that if that can happen for the Internet, then it could also happen for TV, telephone, and any other type of communication device.

Though education is important, it is the software vendors who are really to blame for a lot of the problems... (i.e. RPC holes, etc) A lot of the propagation of viruses and worms is a result of software accessing flaws in the software, without user intervention.

Apple 10 GB iPod [amazon.com]

this article should be labeled

[Frymaster]

flamebait.

Blah. Blah and double blah I say.

[pavon]

First off this whole virus issue is just starting to get really bad. A few years ago it wasn't necisarry for the average user to be so vigiant. As it become necisarry, whose to say that they won't learn by collective experiance. And if you are going require licenses from anyone, lets start with the people writting poor software that is allowing the net to degrade the way it is? (and again whose to say that they won't improve on their own now that it is becoming more necisarry to do so).

But here's my real question. Why post such flaimbait? This article is just some nobody giving his foolish opinion in a non-influential news site. If this was on CNN, then i could kind of see posting it. It this written by a big name in IT, I could see posting it. If there was ANY chance that this guy would be taken seriously, i might understand posting it. But there is none. This article is pure flaimbait, and Bruce Schneier is a Nazi.

The problem isn't the users.

[Malor]

In essence, we are blaming users for things that aren't their fault.

The article talks about the need to install anti-virus software, and keep up on patches, and to read the fine print in click-through licenses to prevent spyware from being installed. All of these things need to be done to operate a computer safely, true.

But why the hell are they required? We are giving users HORRIBLE software that is prone to constant infection. Some companies are taking advantage of click-through licensing to hijack people's computers. And we're blaming USERS for not doing the right things?

That would be like making cars that exploded if you ran them at exactly 62mph for more than 12 continuous minutes, with brake systems on the outside of the car where anyone could walk by, flip a switch, and disable them, as well as aftermarket accessories that forced cars to drive on particular roads at particular times.... and blaming the drivers when cars blow up, can't brake, or cause traffic jams on certain roads.

People mostly just want to do email and read the web. We should be providing them software that does this with absolute security.

We are blaming users for faulty software.

Say nay to barriers to entry...

[Empiric]

Should License Be Required to Go Online?

No, but perhaps grammar skills should be required to work for the Associated Press...

Seriously, this is a terrible idea. This would open up chicken-and-egg problems across the whole range of learning endeavor computers and the internet offers.

The analogy of needing a license to drive a car is used repeatedly in the article, but I think that's not quite the right analogy; maybe requiring you to know how to rebuild an engine before you ever drive would be more accurate. One of the expectations mentioned is that you must know how to set up a firewall; is this really realistic to require before any unsupervised on-line time?

The internet is growing because it's accessible, reasonably. If I needed a license to buy a book, I might never have started reading--and a book is a more accurate analogy than a car.

Put the responsibility for viruses where it belongs, on the network admins and software vendors, not the newbies. Everybody's got to start somewhere.

Re:All I can say is WOW.

[Sneftel]

The TV and telephone are different, tho; nobody ever caught a virus from a telephone (Douglas Adams references aside), and you do in fact need a license to run a TV station. The point is that, as a computer user, you have the ability to unwittingly affect lots and lots of other people.

It's tempting to blame the vendors, and blame for stuff like the RPC holes should of course fall squarely on Microsoft's head, but keep in mind how successful trojan horses have been; some of the worst epidemics have required the uninformed cooperation of their victims.

this sounds impossible

[kaan]

In fact, this is not only impossible, but unrealistic and rather terrible. Why? Because there will be absolutely no practical way to enforce, encourage, or even suggest uniform "rules" (whatever they might be) in every country around the world.

The article plainly says that we are continually exposed to junk mail, viruses, etc., and this would help to eliminate such things, but one of the reasons that such nuisances exist is because there is no single governing body over the internet. As much as I'd like to see this idea take off and clean things up, I think it will never, ever fly.

Re:Great...

[Verteiron]

We license people to drive, but traffic cops and state troopers don't seem to have much trouble holding on to their jobs...

Re:this article should be labeled

[BrookHarty]

Yup. Paid by MS I bet.

Its not our fault our software has bugs, it the users for clicking on attachments, or surfing on the Internet with our software. Pass the buck, blame the user.

Lucky it will never happen, nice puff piece. But with all information moving online, you cant require a license to access the information, or read a newspaper.

Better idea

[rossz]

I think someone should have to take a course in the Constitution before making stupid fucking statements that would limit people's rights.

Re:this article should be labeled

[Serapth]

Actually... it is more a linux-esque type article. MS makes its billions off catering to the slobering masses... Linux is the soceity that tends to bash users for being too stupid to do anything... The whole "lets license users" type argument for surfing is a complete tech-elitest typical bs approach. Then again, you idiot proof something, the world builds a better idiot. The real answer is most likely to make a more modern, effective and adaptive education system... both in traditional school years, and there after.

That said, I agree... the article is total flame bait. Oh well.

Perhaps...

[Walker2323]

Perhaps we should require a license for AP writers. Or Windows programmers.

Re:Can we

[enomar]

Driver's test!? What about having children?

If I need a four year degree to surf the web, what will I need to procreate? A Nobel prize?

Re:Just Hold Responsible

[TwistedGreen]

So if everyone gets infected, does everyone get fined? I think it's ridiculous to get fined at all, let alone getting fined for deficiencies in software /you/ didn't write.

Just a quickie response

[Anonymous Coward]

The main reason the average person today needs to be more vigilant compared to a few years ago is that today many people have high speed 24/7 connections compared to a few years ago when only colleges and people who got isdn lines had the same connection types. The result is that with more cable modem subscribers and dsl connections, you get a large class of people who have no clue about their computers and don't know how to handle a 24/7 high speed connection and this is where most of the problems are at. At a typical company, you will have a few people who know lots about handling such connections and they will be given control including firewalling such connections and configuring the systems to handle this. But with a number of people who connect with high speed connections with the generally insecure default options, you get a nice group of systems that are very easy to compromise, always available, and have lots of bandwidth. Generally, these people won't know until someone wipes their hard drive they were even hacked to begin with.

Just had to get that off my chest. :)

Flamebaity, but not really flamebait

[Anonymous Coward]

The point I think our OP is trying to get at here is that people have been talking about forcing licensing for all manner of things, from Internet licensing to licensing for having a baby.

The solution isn't licensing, it's education. Education isn't something that is achieved through licensing, it's learned through a concerted effort to make people aware of the problems. Licensing only achieves getting people aware of knowing the answers to a test.

gentility

[sstory]

Be gentile in your responses, I read what he said, and he's just sort of hypothesizing, he's not really advocating.

Re:The problem isn't the users.

[tsg]

It's not a "black-and-white" issue. No software is 100% secure. No hardware is 100% secure. Users are going to have to patch their systems at one time or another. Users also have to know not to open attachments in email unless they're reasonably[1] sure it's not dangerous.

At the same time, software and hardware manufacturers (closed and open source alike) have to be diligent about shipping reasonably[1] secure products.

And let's not forget the people who supply the pipe through which the lusers with their horrible software are infecting every other computer on the planet. ISP's have to be more responsible for their users. Both in educating them and preventing them from being too dangerous when they do screw up.

All sides need to do their jobs better.

[1]For very large values of "reasonably"

Re:While we're at it...

[Serapth]

I agree... the current mail protocol would have to be replaced...

But, I dont think thats such a bad idea... lots of things need fixing anyways...

Not good

[Anonymous Coward]

This is a Very Bad Idea. They want to license Internet Access, like they license buying a gun, or getting a license to drive. As if the internet has as much effect as a gunshot or a car crash! Besides, the real problems are the fundamental flaws in the design of protocols and software on the internet (i.e. open SMTP relays, email viruses - Yes, Office XP/NAV helps a lot, but I'll bet you there are still tons of people using Office 2000 who will never upgrade to Office XP, and who never renew their virus update subscriptions, so those problems MS created are around for a while longer). Users can be blamed, but so must the software creators.

This is so ridiculus I can't imagine anyone ever thought of it. Not only would it be a content management nightmare, but you've got to realize... The internet isn't just in the U.S. of A! It's also part of the whole rest of the world! What about the people who live in south africa, who want to access the internet? Will they be forbidden to because they don't have a "Four-year college degree"?

International implications aside, what would happen if someone were able to hack into the database being managed? Millions of internet user's information would be compromised.

Even if you consider mandatory computer education, how much time would have to be spent? The computer users who are the people who would need the education, for the most part have real lives. They do not have the time to think and learn about something which is incredibly new and would probably take quite a long time for many people to learn. The fact is, the operating system that is most common, Microsoft Windows, does not assume that the user is an idiot. By default, it gives them complete, unfettered access to the entire system. This makes it MUCH easier for viruses to take over control of system processes (Read: trojans), and allowing viruses to have such a widespread affect with VBS. Now, other operating systems would probably have similar issues if they were the most used. There's no denying that. However, Microsoft in general has the attitutde that they should not be responsible for their users. What they have already done is in the past. There isn't much we can do about it, since the effects will be with us for some time. However, the one real step they could take is to make a "Dummy User" mode. This means, that any script being executed, any system level process that is instantiated, would have an attention-grabbing window that the user COULD NOT simply click away from, that would detail what is going on, and if the user really wants to do this. If measures like this had been taken, we would have avoided much of the problems we have today, especially with email viruses. I'm not a professional engineer, so I don't know many details, but I feel that this fact should be obvious: There are people who do not want to learn about computers. These people need a user mode that assumes this, and will walk them through their experience of computer usage.

Blaming the user

[metamatic]

Of course we're blaming the users. The users choose to purchase PCs running Windows.

When people choose to buy Pop-Tarts, microwave them, and then eat them, we feel they have nobody to blame but themselves for the burns. Yet somehow when they buy Windows, ignore the safety directions that tell them to keep up to date with software updates, and hose the Internet, everyone seems reluctant to blame the idiots.

Windows is not necessary. I've never purchased any Microsoft software, and I'm doing just fine. In my view, anyone who decides to spend money on a PC running Windows deserves what they get. It's not like it's some big secret that Windows is full of bugs, hard to use and unreliable--just read any PC magazine, or look at the shelves full of books like "1001 Windows Annoyances" and "How To Get Out Of DLL Hell".

why bother reporting this? To fight it!

[twitter]

This needs to be reported because it needs to be combated. It need to be reported as long as "you need to keep up with the current patches and virus checkers and all that shit" is passed off as popular wisdom. M$ is trying to blame the user for it's own software failures and therby force restrictions on email, www, and all computer usage that would be benificial to themselves and harmful to free software.

The user is never at fault for poor software, especially closed source crap the user can't fix if they could or wanted to fix.

Virus checkers, email restrictions, firewalls and all that are in vain when faced with the reality of closed source distribution. I work for a small computer shop. The only software we can put on all the broken computers that come in for repair is the user's original software and any updates M$ lets you. The vast majority of computers out there run EOL'd systems like 95 and 95. Customers lack the skills needed to diagnose the problems or do the best fix, a wipe and reload. It cost them about $75 if they have all of their software, and they are loath to pay for the time it takes to load up all the patches and updates that won't protect them from next week's worm. I can't blame them for feeling that way. Nor can I blame them for wanting to email their friends. Those that have lost their software generally end up throwing their machine away or go find some nasty cracked copy of M$ shit because they don't want to spen the $109 and equpment purchase needed for an OEM copy of Windoze. The net result is the same in every case, boxes that are just as easy to bust as the day they were made. But, so what? Even the dilligent are getting burnt.

I have recomended Mozilla for people who absolutly must have M$. My little brother told me that an XP update broke Mozilla and made it terribly slow, but Netscape still works. Woot.

I'd recomend Debian or Red Hat and sell CDs for the same price as a driver disk, but my boss is worried about support. I'm not sure what kind of "support" could be worse than the mess most Windoze users now find themselves in. Still, he's the boss. The day, however, I can make money doing it, he's going to like it. I'm starting to think that the store's usual $4 per CD burnt and the 30 minutes it takes to install a dual boot of any linux system might be cheaper fixing Windoze. Blinding the windoze side to the network makes it last longer so that it can do the things it does well for the user.

I'm starting to see the path of least resistance here. Demo the system with Knoppix to prove hardware use. Blind Windoze, dual boot and set them loose. Actually doing something beats the hell out of bitching and moaning. It can work.

Re:Say nay to barriers to entry...

[Xoid629]

The other major problem with the car analogy is that driving a very heavy piece of equipment at high speeds is dangerous not only to the driver but also to any anyone else around. What you do online may be annoying or troublesome, but it is extremely unlikely to kill anyone. (And requiring licences to simply use a computer seems utterly insane -- the article seems to imply that this might be part of the idea, although it may just be that the author personally can't distinguish between using a computer and being online.)

Anyway, I think the idea of trying to control access to the general internet is ridiculous, but I do wonder about the possibility of having alternate network(s) (probably running of top of the normal internet). A system that limited use a bit (without being too restrictive) and also discouraged commercial interests would be great in many ways -- something like the early internet, I guess (although I wasn't there so I don't really know). I'm not sure if a system like that would really be practical or necessary even a good idea, but I sortof like the general concept.

Re:Just Hold Responsible

[Anonymous Coward]

Yeah, and if someone steals your car and kills somebody with it, you're going in the slammer!

Re:All I can say is WOW.

[SampsonSimpson]

Viruses and the holes they exploit are the responsibility of the programmers, and they are in a better position to fix these problems rather than trying to distribute the responsibility to users. While preventative maintenance on behalf of the users should be encouraged as much as possible, it should never become a pre-requisite to internet use.

It's plainly impractical, (Given the global nature of the internet, how do we go about giving one entity the responsibility to handle all of those registrations?) and it would implicate much privacy concerns.

Also, (and possibly more importantly) I think there are very important First Amendment concerns raised with a mandatory licensing scheme - The internet is a communication medium, and I'm not sure a licensing requirement will strike the correct balance between security/safe computing and free speech; In ACLU v. Reno the Supreme Court viewed the internet as a "unique and wholly new medium of worldwide human communication" and that "the interest in encouraging freedom of expression in a democratic society outweighs any theoretical but unproven benefit of censorship." The Court was concerned with the CDA and its censorship of pornography, but I think the logic applies to all forms of government restrictions on internet communications. I think the court recognizes the importance of the internet and its impact on speech, and but for compelling reasons, free speech will be given more deference over restrictions that provide dubious benefits.

I don't think virus/exploit free computing is compelling quite yet, because I think I am capable enough to prevent most exploits on my computer. Whether someone else prevents it from spreading or not is irrelevant to me - only I have the ability to prevent it from attacking me. I shouldn't blame you for sending me a virus, I should blame myself for not being able to prevent it from infecting my machine

I suppose it's different when an intrusion is per se harmful to a third party (for example, when I start harming the RIAA after a virus infects my computer and starts sharing music files) but those situations should be handled on a case-by-case basis anyway.

Basically, my point is that licensing internet use is a bad idea, and possibly unconstitutional. Let's not even consider it.

and no, IANAL.

Re:Just Hold Responsible

[Anonymous Coward]

Sorry i just don't buy that. Most network admins have stupid rules like not letting anyone run a packet sniffer. This is not the way to secure a network or protect your users, people! Making lockpicks illegal doesn't make locks safe. Admins should be pushing people to use encrypted protocols, and should make encrypted protocols available for services they administer. You should just have bandwidth caps, and if somebody's virus infected Winblows machine maxes it out for them, well then they're screwed till next month. That will teach them better than anything. Network admins should walk softly and carry really big sticks.

Why exactly is a "license" the answer?

[QuasiEvil]

Why is the automatic knee-jerk reaction of some people to start placing restrictions and bureaucracy on things? Let's look at licensing for a sec:

- The internet is based on the free exchange of ideas between everyone - even those that I proclaim idiots. Many of these people have differing views on how things should be set up, what hardward/software to use, etc. Someone has to administer this license, and this just begs for abuse of power.

- Many of the affected in the latest virus round were technical corporations. These are big places filled with lots of really smart (or at least well-educated, which is not synonymous) people. One of my fellow engineers got nailed by Slammer, because he forgot to patch one of our systems that sits in a corner (and somehow the damn thing got through/around the firewall). These people would easily get internet licenses, but they still forget about machines or otherwise screw up.

- This is a bureaucratic solution (more paperwork, etc.) to a problem that either a) is purely technical in nature (buggy software) or b) isn't a problem but rather just the way things are. The last thing we need is more paper-pushers pushing paper rather than actual people solving the actual issues.

Blame the victim, eh?

[Safety Cap]

So, by your logic, if a woman gets gang raped and beaten to death, its her fault because she should've worn her burka [www.nca.no] and not gone out of the house unaccompanied by a male relative. Red-blooded, honest men cannot control themselves from the intoxicating effects of nearby females, and she should've known that!

Re:Just Hold Responsible

[aardvarkjoe]

If an incident occurs

and we find the person wasn't taking adequate precautions, they get fined.

They're not getting fined for deficiencies in software. They're getting fined for irresponsible behavior. What's wrong with that?

RTFA, for heaven's sake, before you trash the man

[melquiades]

For pete's sake, this has to be the most elitist article I have seen recently. Because Mr. Schneier knows what to do to keep his computer uninfected, let's blame the users and force them to be certified to be online.

Idiot.

Indeed.

How to read the article:

(1) Click the link.
(2) Read.
(3) Scroll down when necessary.

Following this simple procedure, you will find the entirety of Schneier's wry little quote, which I will copy and paste here (instructions on that omitted) for your benefit:

It could be a four-year college degree, a one-month course. It might be a good idea. The downside is everybody you know won't be able to have a computer anymore, and I like being able to send e-mail to friends.

For those of you following along at home, I'd say that with "everybody you know won't be able to have a computer anymore", he is suggesting he doesn't actually think it's such a good idea.

You're right though -- software does suck, and we shouldn't blame the users for what is mostly the fault of the software industry itself.

Re:The problem isn't the users.

[MotherSuperior]

How are we going to provide absolute security to users, when we can't even get it on our high-end systems?

Absolute security is an inherent impossibility in any situation.

That said, I think the idea is sound, and the comparison drawn to a driver's liscence is fair. However, as is also pointed out, who is going to implement this? I think we've basically got 2 hypothetical choices.

- The Government

- The ISP

In the first case, we clearly do not want the government making the decisions about who gets online, and who does not. In the second case, we'd have ISPs whose revenue streams depended on people actually passing the test - which rather defeats the purpose.

I think what we have here is a beautiful pipe dream. I'd love to live in a world where some magical, benevolent overseeing body decided who could get online, who could drive, and who could procreate.. possibly even who should be allowed to exchange oxygen for carbon dioxide. But the fact is, no authority exists on this planet that could be trusted to implement this in any fashion other than a complete travesty.

Re:Just Hold Responsible

[Lawrence_Bird]

If I go outside with a cold and you happen to get sick a week later, are you going to come to my house and fine me?

Re:While we're at it...

[Desert Raven]

and truly I dont think its a stupid idea

I do, it's an incredibly stupid idea.

I pay several thousand dollars a year to have a small handful of computers colocated so I can run email/web, etc efficiently. *I* paid for the computers, *I* pay for the bandwidth, and *I* pay for the storage. My users in turn, pay me for access to those systems.

Essentially, I own and operate the equivalent of a local post office. Who the hell has the right to tell me I've got to pay the government (or anyone else) to send email?

The Internet is not a public service to be taxed. It is almost entirely privately owned, with a standing "gentlemans agreement" between the owners that each will allow traffic to and from each others' property.

So unless you've got some bright idea for distributing that tax money to the folks like me who actually own and operate the equipment, you can take your email tax idea and put it someplace moist and dark.

Re:Well, you have to have a license...

[antiMStroll]

The manufacture of cars, airplanes and radio transmitters are also regulated by massive standards bodies and testing, far more strenuous than any training imposed on users. Doesn't it make more sense to start there if we're really concerned about enhancing "the safety of everyone using the medium"?

Re:All I can say is WOW.

[KrispyKringle]

TV and telephone aren't very different. In fact, you have a far greater claim to ownership--and legitimate, uncontrolled right to use of--the airwaves than you do the Internet or phone lines. If ATT wanted to shut off their phone lines, fine (although of course various telecom laws would actually complicate this matter tremendously; these are "artificial" anti-trust measures, not general issues of ownership). Comparitively, the TV airwaves are technically owned by the public and subletted to the license holders in exchange for them performing a number of favors for the civic good, such as showing air-raid warnings and such. You may not agree with this distribution, but the idea really was supposed to be that the airwaves aren't much good without regulation, so we'll make things best for everyone (especially the rich corporations).

The Internet is really the opposite, though. As more people use it, it becomes more valuable, not less. The airwaves are a means of communicating one-to-many. The Internet is many-to-many. If less people were allowed to use it, less would find value in it as well. Yes, irresponsible use like viruses, spam, and so forth do make it difficult sometimes. But if this is the only way to prevent them, it sounds like the cure is worse than the disease. A regulated Internet with only certain people being allowed to access it is an Internet neutered of any of its valuable assets.

And you can say that trojans are solely the fault of the user, but ultimately, they could still be prevented, theoretically, at least, by good programming.

Re:Blaming the user

[LordLucless]

"anyone who decides to spend money on a PC running Windows deserves what they get"

And there are, like, so many options too. It's fine for me, I build all my computers from parts. But the truth is, most people buy ready-made, plug-em-in-and-they-work type boxes. And most of those come with Windows. Not to mention that anyone who wants to play most games these days has to run Windows. Or just the fact that they know windows, and are comfortable with it.

And lets face it, if clueless newbies adminned Linux boxes, they'd be almost as insecure Windows machines. Unpatched, permanently logged in as root, all files chmodded to 777 so they don't get any errors, no firewall, cause ipchains is just too tricky. I'd agree that Linux is a technically superior OS, but as we all know, technical superiority don't mean jack when it comes to the desktop market.

Re:Better idea

[rossz]

That's why the internet is so important. It gives EVERYONE the opportunity to participate in that freedom of press thing.

Don't take the word "press" to literal. It's intent was that everyone had the right to publish their opinion and make it available to the public. At the time the Constitution was written, this meant a printing press. With new technology, the means may differ, but the concept remains the same. When you post a rant in your blog, you are publishing your opinion and making it available to the public. You are exercising your freedom of press.

Should we be required to have an internet license, we would be yanked back to the situation we had prior to the internet -- newspapers and such controlled by just a few large corporations all with pretty much the same message and no viable alternatives. I don't want that. I hope you don't want that.

Re:Just Hold Responsible

[Gogl]

What makes more sense to me (and what they do at the university I attend) is to not fine those who get viruses, but rather to require that they have all service packs installed and a virus scanner (they can download one for free from ITS if necessary) before they can access the internet, and then if they still manage to get a virus just cut off their internet access until they're clean again. Makes sense to me, at least.

Re:While we're at it... small tangent

[BrynM]

Actually, thats not so bad of an idea... well... anyways the taxing email part.

The problem with that is people like me with a private e-mail server. Do I have to become a business? Do I have to stop running the server? Do I have to clear every new account with some external authority and provide a paper trail for every user? Do I have to have someone come into my home and audit my server? Am I responsible for the tax if one of my users doesn't pay? Do I have to pay a tax for administrative e-mail I send?

So far, no proponant of taxed e-mail has been able to give me an answer to those questions short of "you shouldn't be allowed to have a server - no civilian should", which I can't agree with for numerous reasons. Don't get me wrong, the tax idea has merits. I just think it's a pipe dream without some government authority getting draconian and ruining a lot of what makes the internet such an open ended learning experience.

Re:Our Own Network

[Tom]

Your problem is that you will still suffer from the next Melissa/CodeRed/Blaster/whatever outbreak, because when the pipes are saturated, they are saturated and your encrypted tunnels go down.

If all the windows viruses would only affect windows systems, I couldn't care less. It's that they affect us all that bothers me.

screw surfing; they need a license to BREED

[iamhassi]

If they're going to start requiring licenses for stupid things then how about a license to breed?? Less stupid people would mean we wouldn't need licenses to surf.

Why make an unenforcable licence?

[Kjella]

Come on, noone is going to verify such a licence. If anything, one person in the household will pass and the rest ignore it. Teaching basic computer safety should be part of the general education, as almost everybody that grows up today will be or come in contact with computers.

Anti-virus - the importance of running one, but also some common sense. Like, if someone sends you an .exe on irc, and asks you to "test" it, would you run it? Trust me, many would.

Automatic patching - seriously, I run an up2date cron job on my Linux box. What's the big fuzz over Microsoft's automatic updates? Your average desktop doesn't have a testbed anyway, so might as well patch when it's available.

Firewall - With anything and everything connecting to the net these days, it's growing less and less useful for Joe Average because there's so many programs, they don't know which are good and which are bad anyway. Not to mention some of the biggest virus sources are web and email (read: Outlook and IE), which are allowed through anyway.

Kjella

Re:The Quote is Wildly out of Context

[Bruce Schneier]

As I read through the SlashDot comments, it becomes clear to me that some people don't understand how newspaper interviews work.

Generally they're conducted by telephone. The reporter calls with a story idea. He's looking for information, background, quotes, etc. He asks a bunch of questions and has a conversation with the interviewee. In this case, the AP reporter was writing a story on licensing computer users, and he wanted to know what I thought about it. I spoke with the reporter for about ten minutes about this idea.

The reporter eventually hangs up. He talks to other people. Then, he writes the story. His job is to string together the facts and quotes into an interesting and entertaining news article.

I never get to see what quote he uses. I never get to approve the context. I never see the story before it appears in print.

People are misquoted all the time. Be careful about judging someone by a single quote they say in print, especially if it's something you wouldn't expect them to say. I'm always aware of the high error rate in news stories, but not everyone is.

Bruce

Re:why bother reporting this? To fight it!

[truffle pig]

You make some Interesting points but I do question one of your major ones.

You seem to indicate that the biggest problem your customers have is the time, knowledge and effort it takes to load patches for Windows and the solution to end this would be to provide them with Debian or Redhat on their computers. If you can't get people to install updates for Windows how are you going to get them to load updates for Linux, OS X, BSD, Amiga, BeOS or whatever the next hot OS is.

Neither Debian or Red Hat are going to be set and forget installs. At some point a home computer user is going to have to load updates for thier OS of choice, if the want to help insure the continued security of their computing enviroment. I think you are setting a bad example by implying to your customers and boss, that by loading Linux they will be forever free of having to load updates or be concerned about security of their computer. Things like that are going to get people burned by the next exploit script for Red Hat or Debian that they are not patched against.

I don't want to take away from the good points of your post. I think you point about Blinding Windows from the Network is an interesting one.

I can't say that I share you're level of rage against Microsoft I do agree that there is a problem with the closed source method of software distribution but I don't think that there is a OS today that is the single solution to all of these security problems. At some point there needs to be a balance between better products both open and closed source and better process and computing habits on the part of all computers users, not just the "stupid" ones. The latter is needs to invlove educating people with the best way to keep their computers up to date with patches, good password practices, good firewall setups, and smart email practices to help protect against spam and other email born threats.

Re:All I can say is WOW.

[zaphodbblx]

Well I feel I pay my licence fee EVERY FREAKING MONTH when my 37.00 cable bill is paid. We pay every time a piece of software is bought! If the onus is on any one to close the massive freaking holes the hackers exploit it should be the SOFTWARE companies like "Microsoft". Why? because they knowingly leave big security holes in their product just so they can rush a new version to market every six months

Re:this article should be labeled

[hankaholic]

Linux is the soceity that tends to bash users for being too stupid to do anything... The whole "lets license users" type argument for surfing is a complete tech-elitest typical bs approach.

To some extent, possibly, although I've often seen Slashdotters stand up with comments such as, "What about people in China (et. al) using the Internet for purposes which aren't condoned locally? The Internet can be a way to communicate with the world despite the wishes of the local governance."

Given this viewpoint, many Slashdotters would realize (and vocalize about) the idea that requiring licensing from the locally ruling bodies could restrict speech in those localities in terrible ways.

It seems to me that Slashdotters often seem to hold freedom over security.

Re:All I can say is WOW.

[Mr. Slippery]

The Internet is really the opposite, though. As more people use it, it becomes more valuable, not less.

You sure about that?

I started using the net in 1988. I thought it would be really neat if someday everyone had e-mail.

I reconsider that with every penis enlargement spam that hits my inbox.

The Internet becomes more valuable as more knowledge traverses it; but as Zappa observed, information is not knowledge. Most of what's being added now is static, not signal.

MS' proposed 'cure' worse than the disease

[The Monster]

Viruses and the holes they exploit are the responsibility of the programmers, and they are in a better position to fix these problems rather than trying to distribute the responsibility to users.

Well, here's what the article says about that [emphasis mine]:

To combat threats, software companies have been trying to make technology easier to use -- Microsoft Corp., for instance, is considering automating the download and installation of software fixes.

No user intervention required.

Think about this, folks.
Think very, very hard about it.
I'll wait.

. . .

Did you get it yet? Isn't installing programs without user intervention the PROBLEM? What happens when a cracker compromises a machine in a position to play Man In The Middle? and some of the 'software fixes' you get are actually worms?

I'm sure that part of the scheme will include installing the pubkey of MS' software update authority, and code that refuses to install a patch not signed by the corresponding privkey. But I am confident that someone will eventually find a loophole in the implementation and be able to impersonate MS to the computers.

And in the meantime, in the guise of fighting viruses, MS gets to absolutely control all software on your computer.
Did you know that Open Office, Mozilla, and the GIMP are viruses? (Remember that MS is already on record as describing certain license terms as 'viral'.)

Re:fsck those 4$$|-|013$

[The Spoonman]

Why do you think Linux doesn't have these security holes?

You're an idiot if you don't believe Linux has these security holes. It does, just try reading the changelogs of the kernel, of apache, of ssh, of most of the apps you use. They're there. The simple fact is that Linux isn't as wide-spread as Windows, so when there's a hole in Windows, it's exploited on millions of boxes. When one is found in Linux, it affects a very small number, so no one cares. Once Linux becomes widespread, you'll start to see the same kinds of issues, because there will always be hackers. It will also be a lot worse, because Windows is easy to patch, and it still isn't done...Linux, OTOH hand will always be beyond the capabilities of my grandmother. At least with Windows Update, she can keep her computer moderately safe.

As for buggy code, fuck, dude...the one that was responsible for blaster affected W2K, which is just under four years old. I, for one, am not about to wait for four years of testing to ensure EVERY fucking bug is found. Linux is also not immune to bugs, there are plenty to be found if you just open your eyes. And, don't give me the stale rhetoric of "well, if one is found, it's patched within 24 hours", that might be true, but the patch for blaster was released a full month before the problem.

Nope, I fear the day that Linux becomes the dominant OS. Things will only be much, much worse. Especially with dumb-ass pricks like you who a) don't help people fix their machines, you just whine about "well, it's your own fault, grandma, you use windows!" and b) are ignorant of the flaws in this system you love so much. It makes you immeasurably more ignorant and naive then they are!

Diversity the real fix

[k12linux]

I'd like to argue that lack of diversity on the Internet is a much bigger problem than users who don't patch weekly.

Having everyone running the same version of "secure Linux" with "the perfect web browser" and "the perfect e-mail client" isn't the answer to viruses and worms. A homogonous computing landscape like that might eliminate nearly all viruses and worms. BUT if a hole was found, the virus that exploits it would spread like wildfire. Users would be less careful because they think they can be, and with everyone running the same thing, everyone would have the same vulnerability.

That's why we need diversity on the Internet. We need a lot more diversity than we have now. As long as the unwashed masses are running Windows with Outlook, MS will have to have 100% security in their products. Anything less is asking for the problems we have now. And so far MS is nowhere near 100% in that regard.

That is why we need Linux.. and BSD and OS/X. That's why we need competition. That's why we need multiple Linux distributors who ship with different compiler settings that they think are "best." That's why we need to have choices of web browsers and e-mail clients.

That is why CHIOCE is a good thing when it comes to operating systems and software. Real choice breeds diversity. Believe me, if there were real choices, people would NOT all make the same one. (Real choice does NOT mean having only one OS ship on all PCs with only a single mail client pre-installed and a single web client pre-installed!)

Having choices that work together are why open formats and open standards should be in the headlines (not the crap like this article on user licenses.)

If file formats and network protocols were required to be open, it would eliminate many of the problems we face. Over the past 20 years, incompatibility between formats or protocols has been the #1 thing that I've seen cause people to change their OS. It has also been the #1 cause that I've seen for a change in the software they used.

How many companies are running MS-Office because they "need to be compatible" with customers or corporate? How many switched from WordPerfect for that very reason? How many articles have you seen that review OpenOffice and the #1 complaint (sometimes the only complaint) is incomplete or inconsistent ability to open/save MS-Office files? How many perfectly good software products have vanished because they weren't compatible with propietary products?

If file formats and network protocols were open, then Microsoft would have the chance to do what they are always claiming they want. They'd have the level playing field they always tell the press they want. The level playing field they claim open source advocates try to deny them by trying to pass laws requiring "considering" open source software in government.

In the real world, biodiversity keeps the first fatal disease from coming along and wiping out the entire population. On the Internet software-diversity would do the same thing with viruses and worms. Sure, a virus might still do damage to a section of the population, but it wouldn't have nearly the impact that one does now.

So, software-diversity is critical to the future of the Internet and open formats and standards are needed for it to exist. Maybe it's time for everybody to start demanding these things from their software. And maybe it's time for legislation to demand that software companies open formats and protocols enough to be interoperable... at least if their product has a significant market share.

Geek cred.

[Johnny Mnemonic]

There used to be a minimum amount of computer knowledge that was required to get online. It's once the bankers and marketers invaded online space, and tried to make it available to the unwashed consumer masses, that we started having all these issues. Returning the internet to the geeks, who were largely self-policing, would do away with the vast majority of problems.

Doing away with DNS would cure most of the issues, I think. How about having to remember the IP address for every site that you visit? If that's not enough, require three lines of CLI input before going anywhere. That'll stop the issues cold.

I'm only half-kidding, actually. These assholes that broke our internet want to certify us to get back onto it? Maybe they should just be dis-invited.