Slashdot Mirror


User: amn108

amn108's activity in the archive.

Stories: 0 · Comments: 621

Comments · 621

  1. Re:OpenID on Moving Beyond Passwords For Security · · Score: 1

    The assertion that "For most application X is perfectly fine" is wrong, when applicable to security. Because security as a whole is part of a person's life, it can be considered a system (do not confuse with the usual meaning of the term "security system") that is usually:

    1. Physically distributed for a single person
    2. Made of components made by different vendors for different purposes
    3. And thus, is comprised of multiple domains of authority and significance.

    Just like a usual security system is only as strong as its weakest link, so a security "system" of a person that spans his life both in space and time, is only as strong as the weakest link it has.

    Using your own example, a PIN-protection. Mobile phones. People that enable PIN-access to their phones, usually feel they have to protect their contact list, messages, talk history etc. If going by your comforting proposal, indeed it may seem that a "simple" PIN protection is enough, because after all, it does not protect any money, nor a databank of personal data. However, breaking into a mobile phone (which by no means is hard for criminals, rest assured) is just a step in the hard way to gain access to money and personal data, it just requires some wit and social skills on the part of a criminal. It is debatable whether a compromised phone leads to a bigger hack in any case, but in good hands it is a useful tool. And so, one by one, security systems that may seem water-tight from and within themselves, fall. Cars get stolen for a multitude of purposes, laptops that are protected with a Windows Vista (or god forbid Windows XP) password, carrying copies of personal records (that were themselves considered secure, BUT ON ANOTHER SYSTEM) get stolen.

    So, please, do try and convince me how "for most applications X is perfectly fine". Now, I do not live in the world of absolutes, but I think I know a failure when I see one.

    If I run a search on your username on Google, perhaps I find a reference to it on another site, a site that you cherish more than Slashdot, and perhaps only on that site, you either forgot or neglected to not type in your first name, or perhaps your forum signature has one. To cut to the chase, small steps that eventually lead me to your home address. And from there a whole option of possibilities again unfolds, that does not even need one to be a computer expert, only a mind of a good old-fashioned thief.

  2. Re:PEBKAC on Moving Beyond Passwords For Security · · Score: 1

    Nobody forces designers to change people's habits. Still, in the strict sense, people are a "problem" which needs to be solved or dissolved.

    It does not mean people are idiots and are fundamentally problematic. However, in the sense that I have described, the situation needs to be approached as a problem that needs a solution.

    We need not make fools of users, quite the contrary, build and design interfaces that assume people are not fools, and in fact implement solutions that assume a non-problem.

    House keys, car keys and credit cards are not working. They work to the degree of competence and effectiveness they were advocating, not more nor less. People still forget their keys, get their credit cards stolen along with their wallets and paper money, and the more complex the solutions become, the more back-holes are found. And security as a thing will not work because it already is. That's like saying a circle is round because its end is connected to its beginning. The security "works" at great expense of its users. The very reason for the article, is a present effort to further minimize that expense. You, however, propose to freeze that effort.

  3. Re:Kerberos did that years ago. on Moving Beyond Passwords For Security · · Score: 1

    So, the password never leaves my machine, but the machine I am trying to log on to sends me a random string that is encrypted with my password. Neat. Now, how does it all happen?

  4. Re:something you have? on Moving Beyond Passwords For Security · · Score: 2, Interesting

    Still, punishment for murder is much greater than punishment for breaking into a computer system. Which means, the degree of effectiveness of a retina-scan biometrics is still formidable.

    Now that I come to think of it, I also see that a password can be known by torturing the person who knows it, while the point of torturing a person for retina-scan or retina-sample is rather moot, I suppose. I am not sure what is more "pleasant" - to be dead or to be tortured.

  5. Re:something you have? on Moving Beyond Passwords For Security · · Score: 1

    Yeah, have you thought about that? *points at the post above* He ripped his eye out, and the system said "Hello".

  6. Re:Yes, we know. on Moving Beyond Passwords For Security · · Score: 1

    Actually, the people who complain most about the idiotic "modern" technology (which really is a mutant that escaped from whatever place invented Unix and stuff like that) and how it forces us to memorize and type 10 passwords every time we use a computer, are the elderly and the disabled. Nice try though. Take pride in your ignorance! ;-)

  7. Re:Skeptical on "Clear" Air-Travel Pass Data Stolen From SFO · · Score: 1

    That's the sort of things I am talking about. Good some people have gotten to the point of actually implementing the security, most other wannabe-security company experts have no clue about, or only read through while taking their coffee in the morning.

    I am not a big fan of thin-clients though. I am for separating the code and the data, in a way that still makes possible for clients to off-load server workload. Thin-clients only run the display and input devices, but when you have overloaded servers and lots of employees that fetch data and make server CPU usage go up because of remote desktop connection specifics, it may get ugly. Instead, I think, the client should share the server workload and actually do some work itself, but keep sensitive data in memory only, possibly manually wiping the memory too before shutdown.

    Maybe the TPM (Trusted Security Module) may come in handy soon, instead of pushing the worthless DRM crap everybody shouts here and there.

  8. Re:How does this system improve security, anyway? on "Clear" Air-Travel Pass Data Stolen From SFO · · Score: 1

    Ha-ha, very funny.

  9. Re:Security theatre on "Clear" Air-Travel Pass Data Stolen From SFO · · Score: 1

    Japanese were/are ahead of the world with the CDP, as far as I am concerned.

    In Japan, you pull off something like that, and it's Harakiri Time!

  10. Re:Does nobody use disk encryption? on "Clear" Air-Travel Pass Data Stolen From SFO · · Score: 1

    Elaborate please?

  11. Re:How does this system improve security, anyway? on "Clear" Air-Travel Pass Data Stolen From SFO · · Score: 0, Troll

    Why, you must be new to moral and some logical thought?

    You fucking absolutely do NOT get treated better with money. In fact, you get treated RELATIVELY better when you have more money, because depending on situation it may be favourable or disastrous. That makes all the difference. You cannot fucking buy a "terrorist pass" onto a plane, because that is monumentally idiotic. If that was allowed, seeing as terrorists possess formidable funds, they should be welcomed aboard the plane with explosives and offered whiskey, cigars and three-course meal? I doubt this is the policy in the U.S. of A.

    It's not just a line, it's a Security line. Which means every person may have the intention of blowing another 200 passengers up and the means to accomplish it. You can't jump THAT line. Then you can as well put up a big poster saying "Terrorist? Pay up in cash, and skip the security line!"

  12. Re:Skeptical on "Clear" Air-Travel Pass Data Stolen From SFO · · Score: 2, Informative

    Wrong. Running around and being sloppy means nothing because no matter how "corporate" laptop is, it does not store any copies of any sensitive information. The person carrying the laptop is no more allowed access to such records, than any other.

    Please give me ANY reason why and how a corporate employee with a laptop, however sloppy he or she is, should be carrying a copy of 33k of personal records with him, regardless of what company he works for, his position in the company and the type of computer.

    There is a chance such access is required on a humans part, but not in security area. A person I know close was working as a translator for the refugees in a European country. The information refugees gave that made them eligible for asylum was to remain strictly confidential, but since she had to translate this information to the government authorities on behalf of the refugees, and since she did translate it, it all went through her head and thus was potentially leaked, as it was entirely up to her to occasionally recall and reveal all kinds of intimate details on these refugees to her friends and what not. Which she did, occasionally. That's sloppiness.

    I find it funny that when it comes to money, most respectful banks realized it long ago that true security should exclude human interaction altogether, and try to replace parts of the system where human hands are due with electronics.

    Time to value privacy and offer it the same kind of recognition.

  13. Re:It shouldn't matter, but it does on "Clear" Air-Travel Pass Data Stolen From SFO · · Score: 2, Funny

    The technique may be simple, but I did not understand what you wrote at all.

  14. Re:Oh NOW Encryption is a Good Idea? on "Clear" Air-Travel Pass Data Stolen From SFO · · Score: 1

    yepp.

  15. I see dollar signs on "Clear" Air-Travel Pass Data Stolen From SFO · · Score: 2, Funny

    Blame capitalism!

    That shit never worked, man.

  16. Re:Functionality first, usability thereafter on How To Fix the Poor Usability of Free Software · · Score: 1

    True. In parts...

    It is not the corporate backing that contributes to usability, IMO. FOSS does not only attract programmers, it also attracts designers. And nobody asks programmers to develop user interfaces, in fact the whole point is they did not touch UI design in the first place. I don't want hackers and geeks of all shoddy and nerdy kinds, as successful at coding as they may be, touch my user interface. Let UI designers do their job.

    On the other hand, if a project has one member, it most likely is a programmer (who would also call himself project lead and UI and graphic designer). That is the regrettable part of it.

    It is therefore irrelevant what is more interesting to your average programmer - the coding or the UI design. He or she should indeed stick to coding - that which they are best at. What is relevant is that maybe it is smart idea to use less programmers and more UI designers. The coding power does not scale linearly with amount of programmers, but lack of a UI designer is what this discussion is all about, IMO.

  17. Re:Usability is not even CLOSE to the problem. :( on How To Fix the Poor Usability of Free Software · · Score: 1

    You are essentially advocating for smarter UIs. The ones that adapt and cater needs not for the (much beaten) term "target audience" but a specific end-user, the one that happens to be using an instance of said software at the time. Good idea! (NOT sarcasm)

    Just remember that UIs not necessarily need to start as dumbed-down and grow complicated from there. If the majority of users of said software are power users, it would be an annoyance for them to wait until the UI grows complicated enough for them to use it, as opposed to it developing the other way around - dumbing down gradually until the user finds it easy enough :-)

    The bottomline is, a smarter UI implementation is called for.

  18. Re:I'm afraid I must disagree... on How To Fix the Poor Usability of Free Software · · Score: 1

    Surely, you do not mean that developers should be UI designers as well? It is two completely different areas of expertise and knowledge.

    Also, evolution is great, Nature seems to benefit from it too, but if a project has not been evolving in UI department since its original inception, there is hardly any difference between up-front-designing it and evolving (or, rather, not evolving) it subsequently. Nobody gets it right the first time, but let me correct you "evolution AND intelligent design". First being fundamental. Second is not.

  19. Re:Why "Usability" doesn't matter on How To Fix the Poor Usability of Free Software · · Score: 1

    I did not understand at all what you were trying to say here. I don't apologize for that, but would appreciate it if you tried again. Please :-) Thank you. At least it was something interesting (I suspect).

    (I am not being sarcastic)

  20. Re:Let's decouple GUI and application more... on How To Fix the Poor Usability of Free Software · · Score: 1

    Right on point.

  21. Functionality first, usability thereafter on How To Fix the Poor Usability of Free Software · · Score: 1

    I for one think that free software often lacks in usability, because obviously as development resources are limited, in the world of ever evolving technologies, keeping functionality at par is a higher priority in any project than making the functionality easily accessible to the end user.

  22. Re:What kernel bugs? on Linux Needs More Haters · · Score: 1

    Does Linux not have a symlink for the primary harddrive (the one that boots and/or hosts the distribution for instance) which would abstract away the interface specifics? /dev/cdrom is a fine way to find the cd-rom, whether it is a PATA, SATA, SCSI or USB drive. If such thing exists already, then it is your burning software that should be patched instead, because devices use different buses, and /dev/hd* stands for PATA devices, while /dev/sd* for SCSI and SATA among others. There is no rule that all cd-rom devices are PATA devices. My two cents.

  23. Re:What kernel bugs? on Linux Needs More Haters · · Score: 1

    Oh, it's my lack of education. All I know about Linux is obviously what I have been experimenting with, but I noticed some packages distribute in two versions - Gnome and KDE. That is strange, I thought, since there are more than these two - Xfce, Blackbox, Openbox, fluxbox etc, both managers and desktop environments.

    I do assembly and C++ though, and have dug into the ACPI issue two days straight. Got a major headache from all the quirks, and reading about the state of ACPI implementation on newsgroups.

    But, yes, you are right, I know squat about those libraries that bridge GTK and QT.

    Choice is great, but there has to be common interfaces that bridge the choices into a chain or something. I mean an API that hides the Desktop Environment details, abstracting it, so that the multiple choices may flourish. Drivers is one good example. Every implementation differs, because it targets the specifics of a device, however the driver exposes a known API to the environment, thus merging with it.

  24. Re:What kernel bugs? on Linux Needs More Haters · · Score: 4, Interesting

    Agreed.

    ACPI support is not finished yet, in terms of completeness.

    The Intel X3100 Open Source driver DRI module exhibits issues, which send interrupts to the CPU every time screen refreshes - i.e. 60 times per second, preventing the CPU from idling, and thus eating battery and power.

    USB driver interrupts the CPU without any device plugged in to the bus.

    yenta_sockets module - same story.

    The above may only hold true to the Thinkpad machines, but the laptop (mobile) Linux is just not there yet, given that my Thinkpad has a standard Intel graphics, and standard Intel USB controller. I am sure other notebook machines have similar issues.

    In addition to that Linux starts to exhibit side-effects of "too much choice". There are at least two desktop interfaces (GTK, and QT) so, half of the people only get half of the applications, because their desktop user interface is not supported. Things like that.

    It may well be that Ubuntu != all linux distros, but the majority of packages are shared between distributions, and so most of the quirks, bugs and status-quos make it everywhere.

    I admire the programmers, who implement newest hardware support in software for Linux though. Like ACPI. But there is more that needs to be done, and I don't have time to learn ACPI right now, so all I can do is complain :-)

  25. Go "buy" someone else on Should the Linux Desktop Be "Pure?" · · Score: 3, Interesting

    This is what happens when a venture is noticed by those who just want it all for themselves. They buy their "share" into it, then start altering it from inside.

    Linux started as something slightly, if not very, different, but now as every second smart-ass asks themselves a question "Should we not make Linux a commercial alternative to X?", these sort of questions start to appear.

    With that kind of thinking Linux ends up being the same kind of lousy crap just about any closed source code product potentially is - a black box of secrets with a tag that says "We guarantee you it works!"

    Well, bullshit. Yes, it should remain pure. But most of your wise-ass friends, who pretend to know the way world works would want you to think otherwise. After all, how can something that is developed for nothing in return succeed. Is not all time money, they think. The truth is give anything time and it stands up. Linux is not an example modern economists like to give, because frankly their school of thought cannot fit the concept.