There's been much talk about how Wikipedia is or isn't "elitist" or "anti-elitist".
Do you feel it needs to stay strongly anti-elitist? Or can a balance be struck which, while still upholding the virtues of a free encyclopedia that can be edited by anyone, has some acknowledged notion of the differential quality of different editors (and different articles)? Could a well-integrated feedback mechanism somehow be implemented (automatically and objectively applied) which would reward editors for the quality of their edits and their interactions with other editors, while simultaneously reducing the amount of damage which can be done by vandals, trolls, and incorrigible, argumentative POV pushers?
You can monitor these refrigerator-ovens from any Internet connection. For example, you can adjust and control the oven settings...
And of course the vendors, wisely learning from all the woefully insecure initial implementations of similar products in the past,
have made totally sure that you and only you will be able to do this monitoring and controlling. Totally.
do you realize how easy it is to get a Mac user to type in the root password when installing software, and giving a trojan full access to the system?
Sure, I realize how easy it is. Are you suggesting, therefore, that it's not worth asking for the password?
That it's fine (or even preferable) for Windows not to ask?
That its failure to ask has nothing to do with the staggeringly high numbers of malware programs which can typically be found installed on the average home PC?
...see that OSX is no more perfect than any other OS. PERIOD.
As a wise man once said, "There is no step function between 'safe' and 'unsafe'."
We've got tens of thousands of known Windows exploits in the wild, and you've just found maybe one for the Mac, and you're claiming there's therefore no difference in the relative perfection of their two security systems?
So I guess we could have a bunch of crackheaded drug addicts engaging in unprotected sex while rolling around naked in a garbage-strewn back alley littered with rusty used needles and leaking bags of infectuous medical waste, but you'd say (in response to our suggestion that the back-alley sex might not be such a good idea from a health safety perspective) that: since chaste, reclusive people can get sick too, there's NO SUCH THING as a perfectly healthy lifestyle. "Period."
It's a feeble argument, no question, but we can't quite dismiss it out of hand. There's no reason to assume that the relationship between a platform's market share and its attractivemness to malware writers is linear. There could be a "magnifying" effect where because the platform is so popular, every malware writer (not just 90% of them, or whatever) goes for the more-attractive target.
Here's what I want to know. Now, analyzing a multivariable problem is always harder. When we compare Windows and Mac, for instance, the two platforms have (a) vastly different market shares and (b) significantly if not vastly different security models. Which factor accounts for the vastly different level of malware threat? We don't know for sure.
BUT, to all the Windows apologists who are always saying it's not Windows's fault that there is so much malware for it, who are suggesting that it's all the malware writer's fault, who are implying it's unfair to criticize Windows for its popularity, I want to say: are you sure that the difference in security models doesn't account for any of the difference? Why are you (or, rather, why is Microsoft) so reluctant to try any of those "different" security techniques that Macs (and Unix and linux machines) use?
(But I guess I know what they'd say. "No system is 100% secure. There are vulnerabilities in the Mac, Unix, and Linux models, too...")
Outlook's built-in ability to read an email and automatically run its attachment is the sole reaon why virii are a problem.
Well, e-mail viruses, anyway. And I think some of the other Windows email clients (Eudora? Pegasus?) have had the occasional problem. But you're right, Outlook is responsible for well over 99% of that problem.
...while you're at it, please tell me why the Outlook problem exists. Are there really that many users who need their attachments to execute when they read the body of an email?
I would dearly love to know. You've hit the nail on the head; this is the $64,000 question.
(Actually, it's worth far, far more than $64,000!)
It astonishes me that this question doesn't get asked more often; it astonishes me that this glaringly obvious solution to the problem never gets considered.
If Windows simply didn't perform this automatic execution of untrustworthy code -- and note that I do not say "if Windows did not allow the execution of untrustworthy code" or "if Windows had better mechanisms for authenticating the sources of untrustworthy code"; those are harder to implement and not as reliable; what I'm saying is if Windows just fundamentally didn't have the designed-in ability to run code out of email or off the net at all -- the personal computer security landscape would be a very, very different place.
...now that everyone's figured out that the article is from 6 years ago...
It was? Gad. I didn't notice that. Sheesh. Thanks for pointing that out.
(So I guess you mean, "now that everyone except ummit has figured out...":-) )
The Windows world is one in which no one has an immune system. They're all a bunch of paranoid hypochondriacs, popping pills like mad in a desperate attempt to stave off all the horrific infections they're afraid they'll get. The sad thing is, they're right to be so paranoid, because in their case, if they didn't pop all those pills, they would die. In that world, the only ones who are truly safe are the ones who, like David Vetter, live in sterile plastic bubbles for their whole lives.
Meanwhile, there's this other breed of people (who are, strangely, in the minority) who actually do have functioning immune systems. It's true, they still get sick from time to time, and there is even the occasional epidemic, but for the most part, these people can lead normal, productive lives... except for nuisances like the brickbats hurled at them by the hypochondriacs for being "too smug".
what actual products exist for OS X that would protect against infections?
I don't think this is the right question. No OS has perfect security, but if you need add-on products to "protect against infection" it's likely that there's something fundamentally flawed with the architecture of the underlying system.
Anything that the add-on product can do is somethng that could and should be done by the the underlying system.
The current "state of the art" (or at least, the art that gets all the attention) in virus protection for the "majority" OS involves scanning for patterns of known viruses. But of course, that's a reactive, close-the-barn-door-after-the-cows-have-gone approach. Even if your antivirus software is 100% up to date, there's still a window of vulnerability between the time a new virus is introduced and the time a new detection pattern for your antivirus software becomes available. You could get infected during that window, and the damage and expense that would result (lost data, necessity for complete wipe and reinstall) is just as great as if you had no protection at all. In fact, if you do a system-wide "virus scan" using a conventional antivirus program, and if it detects one that's somehow managed to install itself on your disk, you ought to do a complete wipe and reinstall anyway. No fun.
Yes, as a Mac (and Linux) user, I am smug about security. I'm not necessarily 100% invulnerable, but the immunity I have is based on solid, fundamentally good OS design, not a patchwork of kludges and an unwinnable arms race. And I reject the FA's implication that I'm somehow being lazy or irresponsible by not doing more than this. The notion that security is and must be the ongoing responsibility of the end user is one of several dangerously false ideas which has been foisted on the world by That Other Operating System. Once I've selected a properly-designed product, and as long as I keep it up-to-date with security patches, my job is mostly done. If I and millions of other mere users are supposed to do much more than this, if our security depends on (say) our being vigilant in never clicking on unsafe attachments or on installing and maintaining add-on security products which try to reactively do what the underlying OS can't, then we've got an untenable situation which will never be secure.
The vast majority of these "arguments" are in fact not used at all by supporters of Intelligent Design, but are created by their opponents to make everyone think they look stupid. Sure, they may stem from some comment made by some un-educated supporter, buy why in the world is anyone taking the word of some anonymous idiot as the viewpoint of the entire group?
Fair enough. So what are some of the group's better arguments, as used by the educated supporters?
There's no mystery about how bees fly, and there hasn't been for quite a while.
The notion that "science can't explain bee flight" is an urban legend, a meme.
I didn't realize the ID folks had picked up on it, but I guess it's no surprise; seemingly all of their arguments are witheringly obsolete.
I read about this in The Straight Dope ten or fifteen years ago.
The Cal Tech folks seem to have added some new nuances to the discussion, but it was adequately understood long before this.
The full story evidently goes back to the 1930s.
One way I'll know when Microsoft is no longer a monopoly is when I no longer have to keep myself equipped with tools for reading the Word.doc files people always send me assuming that it's some kind of standard for document interchange that everyone can read.
If it was designed well, the maintenance should be negligible.
I'm guessing the maintenance on these things would be hellacious.
It's really quite a punishing application: high-impact from (obviously) all the cars driving over it, and also heavy trucks, and then there's the fact that it'll get all wet whenever it rains (or, worse, wet and icy and salty, in some parts of the country during the winter months).
The initial, fantasy-world design of these things wouldn't last a week.
If someone worked really, really hard (spending a ton of money on design, and then again on manufacturing) it might be possible to build these things ruggedly enough that they merely required acceptable amounts of maintenance. But I'm guessing that achieving "negligable maintenance" would be next to impossible.
Actually, OS X is a great example of how asking for the admin password every time a modification of the central system is requested quickly trains the user to type in their password whenever "the system" asks for it in a popup window.
How often does this happen, really?
I realize I'm anything but a "typical user", but OS X (which I use every day) virtually never pops up these password wondows of which you speak. The only time I see them is when *I* initiate the installation of some software, and then of course I expect to receive them. They're not randomly popping up at other times. If they did, I'd be surprised -- but I think a novice user would be surprised, too. (Indeed, I suspect many novice users wouldn't know what to do, because it's not immediately obvious that the "administrator password" requested is typically your own user password.)
Firefox is tolerant of the spec violation and Safari and Opera are apparently not. I spent many years writing HTTP proxies and after working around many broken clients and server, I have little sympathy for those who violate the spec and then whine that others should work around the problem.
No, but on the other hand, this seems to be a problem that comes up a lot --
I've encountered it myself a couple of times, too.
This is arguably a place where the old principle of "be conservative in what you send, liberal in what you accept" ought to apply -- if it's no trouble for a browser to accept a relative redirect, perhaps it should.
(But yes, I see from later posts that the relative redirect probably isn't the real problem.)
[This is like a car salesman saying, "If I was extremely lucky, I could persuade them to go out and buy some seatbelts from AutoZone down the street, bring them back to us, and we'd install it them in their new car before they even drove it off the lot."]
But we expect that the cars would come to us from assembly plant with the seatbelts installed as per law. A better arguement would be "Why isn't Microsoft installing protection along with Windows?"
And that was exactly my point.
Or, even more to the point, why is so much protection needed?
To continue the car analogy, it's as if the factory-built cars not only didn't have seat belts and air bags, they didn't have brakes, either, but no one seemed to think this was a problem; the "smart" drivers bought aftermarket seat belts and air bags to protect themselves when they crashed, and made fun of the "stupid" drivers who didn't even bother to do that.
(Meanwhile, those few drivers who'd taken care to find the rare, properly-designed cars with working brake pedals laughed at the situation at first, until they noticed how much collateral shrapnel they were getting hit with from all the millions of brake-free drivers on the roads crashing into each other...)
And you're living in a defeatist world.
So the question is, which of these worlds is closer to reality?
Complexity is always a problem.
I said as much.
Witness the durability of bacteria compared to a human being.
Not sure what your point is here. I might point out that we have antibiotics while they don't have antihominids, but that's sort of a cheap shot, and anyway is beside my main point.
If you're trying to suggest that it's as inevitable for complex computer systems to catch viruses as it is for complex lifeforms, that would be true only if we discovered the computer systems under the same rocks we climbed out from under.
But we didn't discover our computer systems under rocks, we designed them, and we have more or less complete control over them.
The tragic thing about the personal computer virus epidemic is that the most virulent of those viruses use vectors which were designed and built in, deliberately, up front, at some cost, specifically to allow any untrusted programs (including viral ones) to propagate and run unchecked.
We didn't have to do that. We could have done otherwise. This problem didn't "just happen"; we caused it.
The viruses didn't accidentally discover some coincidental vulnerability we didn't know we had; they deliberately took advantage of obvious features which in many cases couldn't have been better designed to suit their needs if that had been our explicit goal.
It's almost as if all cars had secret remote-control ejection seats that nobody knew about, and then some punk kids discovered the feature and devised their own radio transmitter so that they could sit by the side of the road and eject drivers right and left for lotsa laffs. And instead of asking the manufacturers why their cars had these dangerous exploitable features that they didn't ask for and don't need, people instead accepted the situation as a natural, unavoidable consequence of driving, or went and paid extra money for jamming devices to block the malicious radio signals, until such time as the punks discovered a workaround...
The fact is, the HUGE majority don't even think about it at all. They just want to do their email, instant messaging, and download their sports scores and pr0n... simple as that.
Very true.
Most consumers, unfortunately, consider a computer an appliance, just like a toaster or a microwave.
Why is that unfortunate?
I'd say there's nothing wrong with that at all.
If you're talking about Vaxen et al....those computers sucked.
Actually, I was thinking about Multics. (Which I only used once, so don't worry, I'm not some die-hard Multics-worshiping zealot.)
They didn't have IM, they didn't have IE, they didn't play games over UDP...
Oh, the horror.
It simply isn't fair to expect modern machines to hold up to the standards of security that their simpler predecessors did.
Why in the world not?
Modern machines are thousands of times more powerful.
Modern programming environments are hundreds of times more productive.
Why should none of this power be devoted to the goal of security?
The old-school knowledge about how to design computer systems securely was not ignored by the new because it was inadequate. It was not ignored because it was thought to be inapplicable to new applications such as IM or IE or networked games. It was ignored because people didn't care or couldn't be bothered to even think about the issues.
But it drives me up a wall when people expect more complex systems to be as easy to write and debug as simpler ones. Security gets harder as complexity increases, it's about as fundamental a law to computers as thermodynamics is to physics.
Complexity is a problem, no question -- in fact it's a downright bug.
It's a problem that needs to be solved, not a fact of life that has to be put up with.
This notion that complexity is somehow conserved -- analogously to the way energy is conserved in physics -- is what drives me up a wall. It's simply not true.
It is possible to write simple, secure programs that solve complex problems.
If you don't understand this, you're certainly not alone, but you are part of the problem.
This defensive attitude towards IE and Outlook -- this continual whining that it's not their fault, that viruses and malware are theoretically possible under other applications as well -- is one of the biggest problems in computer security today.
The plain fact is that those two applications have been responsible for a huge part of the personal computer
security problem. If those two applications had ever paid any proactive attention to security (as opposed to all this knee-jerk, reactive, catch-up, band-aid stuff), the computer security problem would be a tenth the size it is today. Anyone who tries to deny this plain fact really isn't thinking clearly.
Yes, there would still be some problems even if those two applications had taken security seriously, or if they didn't exist.
But the problems would be on a vastly different scale.
Nor is it fair to blame the users. Many of the vulnerabilities in those applications have been automatic -- the users never even had a chance to say "no", or to decline to click on "okay".
And even for the remainder, where there might have been some choice, it's still not fair to blame the users.
Users shouldn't be asked to decide what's "safe" and what's not.
Most users will click on "okay" most of the time.
Even intelligent, responsible users will occasionally click on "okay" by accident, when they didn't mean to.
The punishment for a single accidental mouse click should not be that you have to reformat your hard drive to get rid of a bunch of ineradicable malware.
The problem isn't Internet Explorer. It's the people.
So why do cars have seat belts and airbags?
Why do twisty mountain roads have guard rails at the edges?
If drivers were more careful, we wouldn't need any of these things.
Slashdot Mirror
There's been much talk about how Wikipedia is or isn't "elitist" or "anti-elitist". Do you feel it needs to stay strongly anti-elitist? Or can a balance be struck which, while still upholding the virtues of a free encyclopedia that can be edited by anyone, has some acknowledged notion of the differential quality of different editors (and different articles)? Could a well-integrated feedback mechanism somehow be implemented (automatically and objectively applied) which would reward editors for the quality of their edits and their interactions with other editors, while simultaneously reducing the amount of damage which can be done by vandals, trolls, and incorrigible, argumentative POV pushers?
Anybody else remember the electric couch in Mr. M's house in William Pene du Bois's book The 21 Balloons?
And of course the vendors, wisely learning from all the woefully insecure initial implementations of similar products in the past, have made totally sure that you and only you will be able to do this monitoring and controlling. Totally.
Sure, I realize how easy it is. Are you suggesting, therefore, that it's not worth asking for the password?
That it's fine (or even preferable) for Windows not to ask?
That its failure to ask has nothing to do with the staggeringly high numbers of malware programs which can typically be found installed on the average home PC?
As a wise man once said, "There is no step function between 'safe' and 'unsafe'."
We've got tens of thousands of known Windows exploits in the wild, and you've just found maybe one for the Mac, and you're claiming there's therefore no difference in the relative perfection of their two security systems?
So I guess we could have a bunch of crackheaded drug addicts engaging in unprotected sex while rolling around naked in a garbage-strewn back alley littered with rusty used needles and leaking bags of infectuous medical waste, but you'd say (in response to our suggestion that the back-alley sex might not be such a good idea from a health safety perspective) that: since chaste, reclusive people can get sick too, there's NO SUCH THING as a perfectly healthy lifestyle. "Period."
Here's what I want to know. Now, analyzing a multivariable problem is always harder. When we compare Windows and Mac, for instance, the two platforms have (a) vastly different market shares and (b) significantly if not vastly different security models. Which factor accounts for the vastly different level of malware threat? We don't know for sure.
BUT, to all the Windows apologists who are always saying it's not Windows's fault that there is so much malware for it, who are suggesting that it's all the malware writer's fault, who are implying it's unfair to criticize Windows for its popularity, I want to say: are you sure that the difference in security models doesn't account for any of the difference? Why are you (or, rather, why is Microsoft) so reluctant to try any of those "different" security techniques that Macs (and Unix and linux machines) use?
(But I guess I know what they'd say. "No system is 100% secure. There are vulnerabilities in the Mac, Unix, and Linux models, too...")
Well, e-mail viruses, anyway. And I think some of the other Windows email clients (Eudora? Pegasus?) have had the occasional problem. But you're right, Outlook is responsible for well over 99% of that problem.
I would dearly love to know. You've hit the nail on the head; this is the $64,000 question. (Actually, it's worth far, far more than $64,000!) It astonishes me that this question doesn't get asked more often; it astonishes me that this glaringly obvious solution to the problem never gets considered.
If Windows simply didn't perform this automatic execution of untrustworthy code -- and note that I do not say "if Windows did not allow the execution of untrustworthy code" or "if Windows had better mechanisms for authenticating the sources of untrustworthy code"; those are harder to implement and not as reliable; what I'm saying is if Windows just fundamentally didn't have the designed-in ability to run code out of email or off the net at all -- the personal computer security landscape would be a very, very different place.
It was? Gad. I didn't notice that. Sheesh. Thanks for pointing that out. :-) )
(So I guess you mean, "now that everyone except ummit has figured out..."
Meanwhile, there's this other breed of people (who are, strangely, in the minority) who actually do have functioning immune systems. It's true, they still get sick from time to time, and there is even the occasional epidemic, but for the most part, these people can lead normal, productive lives... except for nuisances like the brickbats hurled at them by the hypochondriacs for being "too smug".
A bit more? What are you smoking?
I don't think this is the right question. No OS has perfect security, but if you need add-on products to "protect against infection" it's likely that there's something fundamentally flawed with the architecture of the underlying system. Anything that the add-on product can do is somethng that could and should be done by the the underlying system.
The current "state of the art" (or at least, the art that gets all the attention) in virus protection for the "majority" OS involves scanning for patterns of known viruses. But of course, that's a reactive, close-the-barn-door-after-the-cows-have-gone approach. Even if your antivirus software is 100% up to date, there's still a window of vulnerability between the time a new virus is introduced and the time a new detection pattern for your antivirus software becomes available. You could get infected during that window, and the damage and expense that would result (lost data, necessity for complete wipe and reinstall) is just as great as if you had no protection at all. In fact, if you do a system-wide "virus scan" using a conventional antivirus program, and if it detects one that's somehow managed to install itself on your disk, you ought to do a complete wipe and reinstall anyway. No fun.
Yes, as a Mac (and Linux) user, I am smug about security. I'm not necessarily 100% invulnerable, but the immunity I have is based on solid, fundamentally good OS design, not a patchwork of kludges and an unwinnable arms race. And I reject the FA's implication that I'm somehow being lazy or irresponsible by not doing more than this. The notion that security is and must be the ongoing responsibility of the end user is one of several dangerously false ideas which has been foisted on the world by That Other Operating System. Once I've selected a properly-designed product, and as long as I keep it up-to-date with security patches, my job is mostly done. If I and millions of other mere users are supposed to do much more than this, if our security depends on (say) our being vigilant in never clicking on unsafe attachments or on installing and maintaining add-on security products which try to reactively do what the underlying OS can't, then we've got an untenable situation which will never be secure.
Fair enough. So what are some of the group's better arguments, as used by the educated supporters?
What's so unusual about that? (Seriously, it seems to happen every few months.)
I read about this in The Straight Dope ten or fifteen years ago. The Cal Tech folks seem to have added some new nuances to the discussion, but it was adequately understood long before this. The full story evidently goes back to the 1930s.
Nothin to see here, folks, move along.
One way I'll know when Microsoft is no longer a monopoly is when I no longer have to keep myself equipped with tools for reading the Word .doc files people always send me assuming that it's some kind of standard for document interchange that everyone can read.
I'm guessing the maintenance on these things would be hellacious. It's really quite a punishing application: high-impact from (obviously) all the cars driving over it, and also heavy trucks, and then there's the fact that it'll get all wet whenever it rains (or, worse, wet and icy and salty, in some parts of the country during the winter months).
The initial, fantasy-world design of these things wouldn't last a week. If someone worked really, really hard (spending a ton of money on design, and then again on manufacturing) it might be possible to build these things ruggedly enough that they merely required acceptable amounts of maintenance. But I'm guessing that achieving "negligable maintenance" would be next to impossible.
How often does this happen, really?
I realize I'm anything but a "typical user", but OS X (which I use every day) virtually never pops up these password wondows of which you speak. The only time I see them is when *I* initiate the installation of some software, and then of course I expect to receive them. They're not randomly popping up at other times. If they did, I'd be surprised -- but I think a novice user would be surprised, too. (Indeed, I suspect many novice users wouldn't know what to do, because it's not immediately obvious that the "administrator password" requested is typically your own user password.)
No, but on the other hand, this seems to be a problem that comes up a lot -- I've encountered it myself a couple of times, too. This is arguably a place where the old principle of "be conservative in what you send, liberal in what you accept" ought to apply -- if it's no trouble for a browser to accept a relative redirect, perhaps it should.
(But yes, I see from later posts that the relative redirect probably isn't the real problem.)
But we expect that the cars would come to us from assembly plant with the seatbelts installed as per law. A better arguement would be "Why isn't Microsoft installing protection along with Windows?"
And that was exactly my point.
Or, even more to the point, why is so much protection needed? To continue the car analogy, it's as if the factory-built cars not only didn't have seat belts and air bags, they didn't have brakes, either, but no one seemed to think this was a problem; the "smart" drivers bought aftermarket seat belts and air bags to protect themselves when they crashed, and made fun of the "stupid" drivers who didn't even bother to do that.
(Meanwhile, those few drivers who'd taken care to find the rare, properly-designed cars with working brake pedals laughed at the situation at first, until they noticed how much collateral shrapnel they were getting hit with from all the millions of brake-free drivers on the roads crashing into each other...)
And you're living in a defeatist world. So the question is, which of these worlds is closer to reality?
Complexity is always a problem.
I said as much.
Witness the durability of bacteria compared to a human being.
Not sure what your point is here. I might point out that we have antibiotics while they don't have antihominids, but that's sort of a cheap shot, and anyway is beside my main point.
If you're trying to suggest that it's as inevitable for complex computer systems to catch viruses as it is for complex lifeforms, that would be true only if we discovered the computer systems under the same rocks we climbed out from under. But we didn't discover our computer systems under rocks, we designed them, and we have more or less complete control over them.
The tragic thing about the personal computer virus epidemic is that the most virulent of those viruses use vectors which were designed and built in, deliberately, up front, at some cost, specifically to allow any untrusted programs (including viral ones) to propagate and run unchecked. We didn't have to do that. We could have done otherwise. This problem didn't "just happen"; we caused it. The viruses didn't accidentally discover some coincidental vulnerability we didn't know we had; they deliberately took advantage of obvious features which in many cases couldn't have been better designed to suit their needs if that had been our explicit goal.
It's almost as if all cars had secret remote-control ejection seats that nobody knew about, and then some punk kids discovered the feature and devised their own radio transmitter so that they could sit by the side of the road and eject drivers right and left for lotsa laffs. And instead of asking the manufacturers why their cars had these dangerous exploitable features that they didn't ask for and don't need, people instead accepted the situation as a natural, unavoidable consequence of driving, or went and paid extra money for jamming devices to block the malicious radio signals, until such time as the punks discovered a workaround...
You think?
Very true.
Most consumers, unfortunately, consider a computer an appliance, just like a toaster or a microwave.
Why is that unfortunate? I'd say there's nothing wrong with that at all.
Actually, I was thinking about Multics. (Which I only used once, so don't worry, I'm not some die-hard Multics-worshiping zealot.)
They didn't have IM, they didn't have IE, they didn't play games over UDP...
Oh, the horror.
It simply isn't fair to expect modern machines to hold up to the standards of security that their simpler predecessors did.
Why in the world not?
Modern machines are thousands of times more powerful. Modern programming environments are hundreds of times more productive. Why should none of this power be devoted to the goal of security?
The old-school knowledge about how to design computer systems securely was not ignored by the new because it was inadequate. It was not ignored because it was thought to be inapplicable to new applications such as IM or IE or networked games. It was ignored because people didn't care or couldn't be bothered to even think about the issues.
But it drives me up a wall when people expect more complex systems to be as easy to write and debug as simpler ones. Security gets harder as complexity increases, it's about as fundamental a law to computers as thermodynamics is to physics.
Complexity is a problem, no question -- in fact it's a downright bug. It's a problem that needs to be solved, not a fact of life that has to be put up with.
This notion that complexity is somehow conserved -- analogously to the way energy is conserved in physics -- is what drives me up a wall. It's simply not true. It is possible to write simple, secure programs that solve complex problems. If you don't understand this, you're certainly not alone, but you are part of the problem.
The plain fact is that those two applications have been responsible for a huge part of the personal computer security problem. If those two applications had ever paid any proactive attention to security (as opposed to all this knee-jerk, reactive, catch-up, band-aid stuff), the computer security problem would be a tenth the size it is today. Anyone who tries to deny this plain fact really isn't thinking clearly.
Yes, there would still be some problems even if those two applications had taken security seriously, or if they didn't exist. But the problems would be on a vastly different scale.
Nor is it fair to blame the users. Many of the vulnerabilities in those applications have been automatic -- the users never even had a chance to say "no", or to decline to click on "okay". And even for the remainder, where there might have been some choice, it's still not fair to blame the users. Users shouldn't be asked to decide what's "safe" and what's not. Most users will click on "okay" most of the time. Even intelligent, responsible users will occasionally click on "okay" by accident, when they didn't mean to. The punishment for a single accidental mouse click should not be that you have to reformat your hard drive to get rid of a bunch of ineradicable malware.
So why do cars have seat belts and airbags? Why do twisty mountain roads have guard rails at the edges?
If drivers were more careful, we wouldn't need any of these things.