Software and a Perfect Society
- From: DLR <news23@xxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Sep 2006 16:03:41 -0400
hancock4@xxxxxxxxxxxx wrote:
DLR wrote:
If you surf you may be exposed. The only way to stop this is to
disable java, activex, javascript, etc ... Which in today's web, makes
for a very restricted experience.
This is very frustrating. When I got my new machine at work I disabled
all that stuff. Then I found I couldn't browse anywhere since everyone
required it. Why, I don't know, it seemed sites were plenty able to
present information in an attractive way before those fancy features.
Further, my employer has me use sites that require fancy stuff. At
least my browser warned me clearly when I turned that on of the risks.
Lastly, why do such vulnerabilities exist in the first place? I keep
reading how the present Windows operating system is old; shouldn't all
the necessary fixes be developed by now?
Modern OS's have 10s of millions of lines of code. People buy
features. They don't buy future security problems. All those systems
designed with security as the first goal fell on the junk heap of
computing past and continue to do so. Well except for some very
special cases where market share and cost doesn't matter. But even the
NSA finds it cheaper to build totally isolated rooms, and I mean
totally, to run software on insecure systems than try and develop
custom things that are secure from the ground up. And they will likely
have holes also, just not as many. Maybe.
I'm still confused, but I think it's as you said -- people want features.
Computers do not _have_ to allow external entities to have control at
all. The developers have chosen to include this for "service and
features" and failed to put in proper controls at the start, IMHO. A
PC on a network, for instance, should not accept any networked
instructions or upgrades without a security key. What's to stop some
well-intentioned but incompetent user from issuing his own upgrades
over the network and screwing everyone up?
I'll note in contrast that in IBM's System/360, critical functions by
the operating system had to be done in 'supervisor state' which was
strictly controlled by hardware. You could submit and execute an
application program that does damage but you can't touch the operating
system. Application programs are subject to various checks and
restrictions, including hardware blocks that were included in
System/360 from day one.
But the result is that the systems maintenance effort of a S/360 is
far more considerable than that required for a PC. Presumably few
owners would want to bother doing all the work necessary.
What people do not realize is that an off the shelf Windows or Mac
system with MS Office, Email, web surfing, iTunes, etc... is a more
complicated system than their car or even the Apollo moon shots. It's
very hard to touch one piece in isolation. And folks will argue that
if designed "right" this could all be avoided. To some degree they are
correct. But it will never be perfect, even when folks try
hard. Things are just too complicated for our minds or even our
management structures to control it all.
I agree that it's complex. But I disagree it's insurmountable.
I am far from an expert. But IMHO too much sophistication was rushed
into the marketplace too fast without adequate protection built in.
IMHO the "young turks" didn't know their history and should've.
IBM's first real operating system for S/360, known as "OS" turned out
to be a disaster. It was extremely slow and a resource hog and
totally unsuited for low end machines as intended. They couldn't
release it as is. They developed some alternatives (DOS, BOS, BSP,
TOS), so people could at least use the new hardware and delayed
everything for about a year, almost secretly putting IBM into
bankruptcy (lots of costs, no revenues). The point is that they chose
to wait. They probably should've waited even longer than they did, I
think it took a while for the early production OS to be decent.
Modern developers should've learned from that experience: "The birth
of a baby takes nine months no matter how many women are involved" and
"adding people to a late project only makes it later", said the mgr of
OS.
If you read the history you'll find out that the biggest issue was
that OS/360 was designed around systems with lots of memory. When
marketing & R&D decided they could not sell systems with that much
memory due to costs a huge effort had to go into ways of running a
system initially designed for XX amount of memory with only XX/4 or less
memory. That issue, in a myriad of ways haunted S/360 for the next 20
to 30 years.
In the very early days of computers the users were all programmers
presumably with good intentions and skills. But by the 1960s it was
clear the user community would be large with a variety of skill
levels. Computer designers put in safety checks so program bugs
(intentional or accidental) would only hurt the responsible user, not
everyone else. Things like file restrictions, time limits, resource
limits, kept control on things. Some controls were done by the human
operators who simply wouldn't allow certain jobs to run. By the 1980s
these controls were sophisticated and automated. A corporate
programmer couldn't go into the payroll system and give himself a
raise.
What I don't understand is why the PC world, especially when used in
networking and Internet service, failed to adopt the same controls the
mainframe world did.
Thanks again for your explanations!
People aren't perfect. The systems they design will never be perfect. Oh
there are a few wizards who can do really good things, but a wizard
can't program Windows Vista, Mac OS X, Linux, or whatever. It would just
never get done. Then add on the programs like Quickbooks, Office, CAD
software, etc ... and not even 10 or 50 people can do it. And as MS
proved to the entire world, features and perceived benefits will outsell
safe and dull every day of the week, Sundays included.
People want safety and security but they buy price and features.
Going back to my wife, she works for a major airline. Folks complain
non-stop about security but look what everyone says when it
fails. Then everyone, especially the ones who complained about the
searches, wants to know how "they" got through.
Look at what Y2K cost in terms of programming. All because programmers
and managers save money by ignoring the approaching century until it
hit them over the head. And then they tried to ignore it.
Yes you can engineer things so that most bad things will not happen,
but first you have to get people to buy your product. And you'll
usually lose to someone with a slipshod implementation that demos and
runs good out of the box. This kind of engineering needs rules and
laws. But when the industry changes faster than the election cycle,
these are hard to come by. Don't even get me started about CAN-SPAM
and how it increased SPAM.
And yes I have some history here. My first program was entered via front
panel switches on an IBM mini-computer in 1972. I wasn't there in the
beginning but I've been there for 80% of the relevant history. As a
programmer of systems, business applications, and now in systems
admin.