TELECOM Digest OnLine - Sorted: Software and a Perfect Society


Software and a Perfect Society


DLR (news23@raleighthings.com)
Thu, 14 Sep 2006 16:03:41 -0400

hancock4@bbs.cpcn.com wrote:

> DLR wrote:

>> If you surf you may be exposed. The only way to stop this is to
>> disable java, activex, javascript, etc ... Which in today's web, makes
>> for a very restricted experience.
>
> This is very frustrating. When I got my new machine at work I disabled
> all that stuff. Then I found I couldn't browse anywhere since everyone
> required it. Why, I don't know, it seemed sites were plenty able to
> present information in an attractive way before those fancy features.
> Further, my employer has me use sites that require fancy stuff. At
> least my browser warned me clearly when I turned that on of the risks.

>>> Lastly, why do such vulnerabilities exist in the first place? I keep
>>> reading how the present Windows operating system is old; shouldn't all
>>> the necessary fixes be developed by now?

>> Modern OS's have 10s of millions of lines of code. People buy
>> features. They don't buy future security problems. All those systems
>> designed with security as the first goal fell on the junk heap of
>> computing past and continue to do so. Well except for some very
>> special cases where market share and cost don't matter. But even the
>> NSA finds it cheaper to build totally isolated rooms, and I mean
>> totally, to run software on insecure systems than try and develop
>> custom things that are secure from the ground up. And they will likely
>> have holes also, just not as many. Maybe.

> I'm still confused, but I think it's as you said -- people want features.

> Computers do not _have_ to allow external entities to have control at
> all. The developers have chosen to include this for "service and
> features" and failed to put in proper controls at the start, IMHO. A
> PC on a network, for instance, should not accept any networked
> instructions or upgrades without a security key. What's to stop some
> well-intentioned but incompetent user from issuing his own upgrades
> over the network and screwing everyone up?

>> I'll note in contrast that in IBM's System/360, critical functions by
>> the operating system had to be done in 'supervisor state' which was
>> strictly controlled by hardware. You could submit and execute an
>> application program that does damage but you can't touch the operating
>> system. Application programs are subject to various checks and
>> restrictions, including hardware blocks that were included in
>> System/360 from day one.

> But the result is that the systems maintenance effort of a S/360 is
> far more considerable than that required for a PC. Presumably few
> owners would want to bother doing all the work necessary.

>> What people do not realize is that an off the shelf Windows or Mac
>> system with MS Office, Email, web surfing, iTunes, etc... is a more
>> complicated system than their car or even the Apollo moon shots. It's
>> very hard to touch one piece in isolation. And folks will argue that
>> if designed "right" this could all be avoided. To some degree they are
>> correct. But it will never be perfect, even when folks try
>> hard. Things are just too complicated for our minds or even our
>> management structures to control it all.

>> I agree that it's complex. But I disagree it's insurmountable.

>> I am far from an expert. But IMHO too much sophistication was rushed
>> into the marketplace too fast without adequate protection built in.
>> IMHO the "young turks" didn't know their history and should've.

> IBM's first real operating system for S/360, known as "OS" turned out
> to be a disaster. It was extremely slow and a resource hog and
> totally unsuited for low end machines as intended. They couldn't
> release it as is. They developed some alternatives (DOS, BOS, BSP,
> TOS), so people could at least use the new hardware and delayed
> everything for about a year, almost secretly putting IBM into
> bankruptcy (lots of costs, no revenues). The point is that they chose
> to wait. They probably should've waited even longer than they did, I
> think it took a while for the early production OS to be decent.
> Modern developers should've learned from that experience: "The birth
> of a baby takes nine months no matter how many women are involved" and
> "adding people to a late project only makes it later", said the mgr of
> OS.

If you read the history you'll find out that the biggest issue was
that OS/360 was designed around systems with lots of memory. When
marketing & R&D decided they could not sell systems with that much
memory due to costs a huge effort had to go into ways of running a
system initially designed for XX amount of memory with only XX/4 or less
memory. That issue, in a myriad of ways, haunted S/360 for the next 20
to 30 years.

> In the very early days of computers the users were all programmers
> presumably with good intentions and skills. But by the 1960s it was
> clear the user community would be large with a variety of skill
> levels. Computer designers put in safety checks so program bugs
> (intentional or accidental) would only hurt the responsible user, not
> everyone else. Things like file restrictions, time limits, resource
> limits, kept control on things. Some controls were done by the human
> operators who simply wouldn't allow certain jobs to run. By the 1980s
> these controls were sophisticated and automated. A corporate
> programmer couldn't go into the payroll system and give himself a
> raise.

> What I don't understand is why the PC world, especially when used in
> networking and Internet service, failed to adopt the same controls the
> mainframe world did.

> Thanks again for your explanations!

People aren't perfect. The systems they design will never be perfect. Oh
there are a few wizards who can do really good things, but a wizard
can't program Windows Vista, Mac OS X, Linux, or whatever. It would just
never get done. Then add on the programs like Quickbooks, Office, CAD
software, etc ... and not even 10 or 50 people can do it. And as MS
proved to the entire world, features and perceived benefits will outsell
safe and dull every day of the week, Sundays included.

People want safety and security but they buy price and features.

Going back to my wife, she works for a major airline. Folks complain
non-stop about security but look what everyone says when it
fails. Then everyone, especially the ones who complained about the
searches, wants to know how "they" got through.

Look at what Y2K cost in terms of programming. All because programmers
and managers saved money by ignoring the approaching century until it
hit them over the head. And then they tried to ignore it.

Yes you can engineer things so that most bad things will not happen,
but first you have to get people to buy your product. And you'll
usually lose to someone with a slipshod implementation that demos and
runs good out of the box. This kind of engineering needs rules and
laws. But when the industry changes faster than the election cycle,
these are hard to come by. Don't even get me started about CAN-SPAM
and how it increased SPAM.

And yes I have some history here. My first program was entered via front
panel switches on an IBM mini-computer in 1972. I wasn't there in the
beginning but I've been there for 80% of the relevant history. As a
programmer of systems, business applications, and now in systems
admin.
