Thursday, March 25, 2004

Users make bad Security Decisions

Disappearing .Net Brand Invites Assimilation: "Importantly, she then noted, "If you remember 'Hailstorm,' Microsoft's personal Web services technologies, a number of them are set to manifest in Indigo." Why position something as a pervasive set of user services that might frighten off privacy-sensitive consumers, when you can position it instead as a developer productivity tool that will be comfortably buried inside end-user applications and tasks?"

"Personally, I'm in a pretty grouchy mood at the moment about end users' apparent willingness to live with bad choices that developers make: specifically, choices that favor developer convenience over security and reliability and other boring issues. For example, I'll soon be sharing with eWEEK readers my comments on Greg Hoglund's and Gary McGraw's new book, "Exploiting Software: How to Break Code"; one comment from that book seems apropos. The specific subject is PHP, which the book calls "a study in bad security. … The mantra 'don't make the developer go to any extra work to get stuff done' applies in all cases." And yet, PHP is widely used, creating widespread vulnerabilities.

Likewise the developer and user convenience features of Internet Explorer and the Windows platform, which still pave the way for costly attacks."
