Anne Wilson posted on Mon, 10 Dec 2012 15:15:03 +0000 as excerpted:

> As an example of FUD, this message takes some beating. Just to deal
> with a few points -

FWIW, I'd definitely agree it's a bit over-the-top one-sided, but OTOH, that's what it can TAKE sometimes, to get people who "just want it to work" and don't really /care/ about security, to get the message, and START caring, at least enough to stay on something with a bit less chance of being a danger to both themselves and others on the net with them.

> KDE is, for the most part, entirely stable - just stay away from
> KDE-PIM.

Definitely agree on kdepim, but I'd throw in pretty much the entire semantic-desktop in there as well. Tho YMMV, as they say.

But dE has a point. One big personal example here, the one that finally triggered my switch from konqueror to firefox as my default browser, was the so-called stable series 4.6.2 konqueror infamous form double-submission bug.

KDE has supposedly been ready for ordinary users since 4.2 (tho I'm on record as saying late 4.5, the 4.2 claim was pure unadulterated bunk, kde4 was still ALPHA back then, as clearly indicated by the bugs where devs were saying kde3-stable features weren't yet available in kde4, it wasn't even feature-complete yet, the /classic/ definition of alpha!), yet here we had the primary browser being broken for TWO so-called stable-series "safe to upgrade to" releases. People in the REAL world use their browser for such things as online purchases, banking, etc, where form double-submission could result in being billed TWICE for a purchase or online transaction!

Yes, bugs DO happen, even in "stable series". But with a properly supported browser, the fix would have been out in DAYS once the problem was public, not MONTHS. Especially so given that the bad commit was said to be quite obviously a commit to stable that only should have gone to master, and was easy to pin down and revert.
Yet not only was a 4.6.2.1 (or whatever) bump never forthcoming, the fix didn't even make 4.6.3. It was 4.6.4 before a fix finally appeared.

Clearly, if kde4 itself is claimed to be stable, then either the kde and specifically konqueror (or kdelibs, IDR/K which) devs are playing ENTIRELY irresponsible games with a browser they *KNOW* is being used for online banking, etc, OR, they consider konqueror little more than a piece of demoware, unfit to be used "in the real world" for online banking, etc, in any case.

In a perfect world they'd actually make a public statement one way or the other, but I've not seen any such thing here. However, other evidence (such as the entire lack of GUI security cert management for several feature releases AFTER kde4 was declared stable, and the fact that many kde devs are known from blog comments, etc, to run firefox or chrome/chromium as their primary browser) suggests that they simply don't consider konqueror anything more than a toy.

Once I realized that, I switched within days, as I *DO* use my browser for "real life" tasks like online banking, etc. But the lack of that definitive public statement about konqueror just being a "toy" browser, on a platform kde continues to claim is stable, fits the developed pattern all too well.

I'm personally actually fine with running pre-release software and in fact am running kde-4.10-beta2 (aka 4.9.90) right now. But it'd be nice to have it called such, when such it is.

Meanwhile, to the extent that I actually rely on things to work, the trend here has been clear for some time. I'm gradually switching off of kde for anything I actually depend on to work. Firefox instead of konqueror, anything kdepim at all, the entire semantic-desktop is, to the extent possible, opted-out of at build configure time, etc.
Now, I'm still using the core kde desktop, plasma, kwin, etc, plus games, but if games break I can still get into my bank to pay the bills, kwin has been remarkably stable for me since I upgraded graphics to support it, and plasma and krunner (as well as kwin) as components can be restarted if necessary, and have actually been quite stable of late (since I quit building kde with semantic-desktop and kdepim support at least) as well.

> Your recommendation to mislead her on the spam subject is objectionable.
>
> Antivirus software definitely does work - as long as it is set up to
> receive signature updates regularly. The reason there are so many
> infected computers is that many people don't use an AV product at all,
> others install one, preferably a free-as-in-beer one, and don't properly
> set up updates. I know one user who has used Windows daily for 20+
> years and never had a single infection. Education on key risks is the
> key.

For a decade, until MS pushed me off with eXPrivacy, I was one of those people. However, there's a big word there, EDUCATION. But behind it there's an even bigger concept, ACTUALLY CARING.

Of course, malware spreading users aren't the ONLY ones who don't seem to actually CARE, see the above about konqueror devs leaving their users with known financial-transaction-sensitive bugs for months, with no security-bump-update, plus the claim that kde (including konqueror) is ordinary user ready, when it's lacking security-cert management for YEARS after that claim was made, in an age where entire certificate authorities along with everything they issued get revoked! So I guess users get a bit of slack if even the devs can't be bothered to CARE about security enough to either code-up or make a public statement disavowing the platform's primary browser as fit for anything other than a toy.

But, one point is often lost in the AV context.
Signature-based AV (where the updates primarily update the sigs) is primarily if not exclusively retroactive reaction-based. AV vendors have to have malware reported and take it apart in the lab in order to develop those signatures. That takes time, and while proper updates can keep detected malware from spreading TOO widely, the system is predicated on there being SOME victims first, to trigger the initial reports.

And heuristic-based action analysis and prevention anti-malware is fraught with false-positives, to the point that it can never be anything close to even 90% effective, because either it's turned up to the point that it warns about EVERYTHING, and people either turn it off or start ignoring it and automatically clicking right thru the warnings (a problem MS has clearly had with its own efforts), or it misses enough potentially hazardous actions that it's quite possible to work around.

There simply is NO alternative to the REAL solution, getting people to ACTUALLY CARE enough so EDUCATION (the word you used) can work. But human nature, which is what we're up against, is a hard nut to crack. Some people just /don't/ care. Others, like me with my decade on MS before switching, uninfected, and that guy you mentioned with 20 years on MS, clearly DO care, and spend significant time and energy on keeping up with developments enough to defend themselves. But we're clearly a minority, and prove nothing about the "just don't care" susceptibility of an ordinary user on MS.

dE's method of /scaring/ them into caring, at least enough to keep them from running MS most of the time, is arguably what it takes in some cases, as arguably surface-deceptive as it may be.
I have serious doubts as to whether it's particularly effective long-term, but with older people who honestly in all likelihood don't /have/ "long term" to worry about, or for those (older or not) who are sufficiently uncomfortable with the whole computer thing to limit their monthly exposure to the point where the scare tactic may last long /enough/, it /may/ work. That's not saying I'd use the tactic myself, but I understand it.

Meanwhile, if over-stating the issue GETS them to care, even (somewhat) short term, perhaps it's simply like deliberately shouting and otherwise pretending to be angry simply to get a point across, sometimes it's what it takes. And if the target and others they'd affect are safer for it, even relatively short-term, who's to say it's wrong? But like you, Anne, I'm still uncomfortable enough with the tactic that I'm unlikely to use it myself.

> And no, Linux isn't safe from malware. Safer than Windows, yes, if you
> leave holes in Windows, but an unprotected computer, whichever OS it is
> using, is likely to be compromised sooner or later.

Ultimately, it all comes down to the end user, and how much they actually CARE about it. There's simply no getting around that fact.

In some ways, it's like drunk driving. At least here in the US, MADD/SADD and other efforts have finally seemed to have some effect, according to recent studies. Even among the drinking/partying set, there's now relatively strong PEER pressure, in addition to LEGAL pressure, to have a designated driver who does NOT drink, and at parties, a keymaster, whose responsibility it is to take drivers' keys and keep them safe during the party, and give them back only to a taxi driver if he judges the key owner unfit to drive.
(Well OT but with the recent state pot legalization, with Washington's law specifically set up to handle driving while intoxicated with pot similar to the way they deal with drunk driving, likely kicks off an era when we see the laws evolve to handle other drugs similar to the way alcohol is handled, driving-wise. Of course some states already do that to some extent, and that in fact has been one of the arguments behind drug legalization as well, there's better control over drunk driving, BECAUSE alcohol is legal and the laws have been allowed to evolve to deal with it, than illegal drugs, where such developments really haven't had a chance to properly evolve due to the illegality of the drugs in the first place.)

Ultimately, just as with drunk driving, as long as people simply get a slap on the wrist and simply told to be good boys/girls now and not do it again, a lot of people SIMPLY WILL NOT CARE. It's only when the consequences become drastic enough, both from a legal and peer perspective, that these people care, and society's actions as a whole begin to change.

Arguably, overstating the risks of NOT CARING is a way of motivating the desired changes. As with alcohol and drugs, the chances of it working long term over the general population are nil. Behavior as a system won't change until the acceptance of that system to said behavior changes. But if there's someone you care about, scaring them into compliance /might/ work... long enough.

OTOH, there's significant risk of it backfiring, too, if they ever figure out that you simply scared them into compliance, and thus discount the truth of even the valid statements, due to the demonstrated overstatements. Oh, well...

But what worries me is people who get the wrong idea that Linux IS invulnerable, and thus see it as a panacea for actual CARING about security, believing that if they run Linux, they don't HAVE to care. THAT is what SCARES me!
Because as you said, given someone who doesn't care (or a sufficiently high target profile from the attacker's perspective), no (real-world general-purpose) OS is invulnerable. All will fall, sooner or later. The only way to avoid that is to CARE enough to take the time to educate yourself and to act on what you learn.

And ultimately, part of what you learn is simply how to keep your attack profile and ease of successful attack low enough that there's always someone else that's easier to attack, for the given reward it'd bring. People who are juicier targets thus have to have correspondingly stronger defenses, while the ordinary user simply has to ensure that the doors are locked and the valuables out of sight, as they say.

And arguably, it /is/ true that locking those doors and keeping those valuables out of sight is easier on Linux, but that doesn't make it impossible to lock them and keep the valuables out of sight on MS. It just lowers an individual's attack profile a bit, good as part of a larger solution which by definition must include CARING about the problem in the first place, but not sufficient in and of itself.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

___________________________________________________
This message is from the kde mailing list.
Account management: https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.