That's a solution requiring technically informed users.
I propose something different: Icon markings. Executable files should have some kind of visual cue that cannot be faked and is added by the OS and only to executable files. A designer will have to work out the best option there. For this example, assume that it is a glow - executables glow, nothing else can ever glow, there is no way to make other symbols glow.
Users could be trained to look for that cue, that something that glows is a program, no matter what it otherwise seems to be, and that if an alleged image glows then it isn't an image.
Of course, that's a workaround. The real fix would be to realize that the metaphor that opening a program and opening a document are the same thing is wrong, because they aren't.
Imagine that nobody had ever thought of making a click do two different things. Imagine that from day one, we would have agreed that left-click opens a document file, while right-click runs a program. All of those stupid e-mail attached trojans would fail, because the users would left-click them, expecting a picture or Word document, and they would get their picture viewer or Word open, showing them that the file is corrupted. They'd be none the wiser that it is a trojan, but a) they would not have been infected and b) it is highly unlikely that they would try to right-click it.
Over here in Europe, the Polish are famous for stealing cars. There's a bit of truth to it - quite a few stolen cars end up in Poland. In fact, I once had a Polish girlfriend, and she told me that she and her parents didn't leave anything of value inside the car when they were going back home to visit relatives, and were quite concerned with having their car stolen there.
A lot of people would comment on that because where do you think most of the money for those programs, or the free food would come from? That's right, the US. We already have enough problems ourselves that we have to fix first.
I can relate to that argument better than you think, because I'm German and we Germans are the ones largely paying for the whole EU thing.
However, we are also profiting from the EU a lot more than the mainstream media or the politicians care to admit.
I wouldn't be surprised if the same would be true for the US. Of course, the facts won't be easily available, because politically, the UN is the perfect scapegoat.
You know, we here in the US do kind of have cause to be uncomfortable with being controlled by a higher body. I mean, the country itself exists only because Americans got tired of being ruled over by a government that they saw as foreign and insensitive to their needs and only wanted to exploit them to fund its wasteful wars and other expensive programs.
That's pretty ironic because the end result of it all has been that you've created your own government that is insensitive to your needs and only wants to exploit you to fund its wasteful wars and other expensive programs. And give you an illusion of control. When's the last time elections in the US really changed anything?
That is because people don't like to give up sovereignty.
Strawman. They already have. The question is not giving it up or not, the question is solely to whom.
What exactly are you saying, that I am pro-patent wars or something like that?
No, I'm saying that you (plural you, as in your country) apparently can't get this shit sorted out on its own, so everyone else (as in the UN) needs to give you a push.
Just like invading Taliban Afghanistan or Nazi Germany was justified because those people couldn't get their shit together without outside help and were hurting others. No, that's not on the same level, which is why the proper answer isn't a war, but a UN directive.
Now when you've wiped the foam from your mouth, you will realize that it already works that way in many other areas. We don't let people who haven't studied medicine perform liver transplants. We don't let people drive a car if they haven't demonstrated that they know at least the basics of it. And we have further rules saying that if you are so intoxicated that you can't drive safely anymore, then you are not allowed to drive.
Same thing here. If your computer has become a danger to others, it does not belong online. Clean it up (aka, sober up) and then you can go online again.
Doesn't sound all that conspiracy-theory-evil-overlordy anymore if you write it out in simple, reasonable terms, does it?
You make it sound like someone could decide to deny online access to someone permanently. But that is not what I ever said. "sober up and then you'll get your car keys back" is a perfectly acceptable approach to the issue of drunk driving. And "clean up your machine and then you'll get your online connection back" is a perfectly good approach to the issue of malware and bot nets.
For some people, the UN could announce a cure for cancer, free unlimited food for everyone, a low-cost solution to global warming and a Mars colony project on the same date, and they would comment with NWO paranoia, evil overlord nonsense and "don't mess with my rights" bullshit.
A huge majority of those comments come from Americans. Are you so unconfident that you can't accept someone else besides the "land of the free and the home of the brave" (which has long since turned into a joke to everyone outside the US) as someone setting international agendas?
We have a similar phenomenon over here in Europe, btw. - it is directed against the European Union, which is always blamed for everything that goes wrong, even though at least lately they have made a ton of excellent decisions (rejecting ACTA being the most prominent one). That is in part caused by our cowardly, corrupt, evil politicians, who abuse the EU to push through laws they want but know they would never get popular support for. It goes roughly like that: Come up with a law, test it with a few controlled "leaks", notice popular outrage. Publicly call the scapegoat you prepared for it a crazy idea and assure the public that the party line is different. Quietly move the law to the EU level and get it passed as an EU directive. A year or two later, dig up the old law again and complain how you really don't want to do it, but the EU forces you to...
So I wonder where the anti-UN sentiment in the US comes from?
No, I don't. And I've given speeches about this very subject.
The problem is a user interface design problem. The computer lies to the user, a user untrained in computers and thus unable to spot the lie. I'm not talking about the "hot lesbians inside" lie, I am talking about the lie where the user intends to do one thing, instructs the computer to do it, and the machine does something entirely different without telling the user.
The computer displays an icon indicating that something is a video. User clicks on it, intending to watch a video. Instead, a program is executed and installs malware on the machine. There are so many design failures here, it is painful:
* false information about the nature of the object
* bad interface design not allowing the user to express his action clearly (clicking on an action has context-specific meanings)
* bad ACL allowing an unintended action to have even more unintended consequences
* bad feedback to the user as to what is actually happening
To abuse a car analogy - malware is like a CD that you put into your CD player in your car and it makes a copy of your car keys and when you're driving past the next post office, mails it to someone in Poland. And you are blaming the driver. Seriously?
The real solutions are a little less convenient than simply blaming the user. They require thought, intelligence, lots of testing inside and outside the lab, to find better user interface paradigms. One that, for example, allows the user to make a distinction between "show me this document" and "run this program". And a change in mindset that moves away from "users are stupid, let's not bother them with the difference between documents and programs" to "actually, it turns out that with a bit of training, people do understand the difference between the switch that controls the lights and the one that controls the windshield wipers". It also requires smarter technology that can really undo actions. When software installs follow the change set concept, then we are getting somewhere. There's a lot more, and I don't claim to have even the majority of the answers, much less all of them. But I do know that we've been asking the wrong questions for way too long. I have about a dozen pieces of the puzzle that I've researched in depth, and in all cases it turns out that "stupid users" are not the root cause.
In fact, IT security would be a lot better off if it were to simply accept stupid users as a fact, just like limited memory and damaged network packets, and find ways to work with them without falling over. You know, the Ping of Death was really, really embarrassing. Most of IT Security is much like it.
And yes, I know what I'm talking about, I do this for a living, I give speeches about it, I've been doing research on this for over a decade. If you're in Europe, you can hire me on this.
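The two proposals in this thread (the OS-added marker that icon content cannot fake, from the "icon markings" post above, and the "show me this document" versus "run this program" split from the post just above) can be sketched as a small file-manager model. The following is an added example written for this page, not code from any commenter or from any real OS; `PROGRAM_EXTENSIONS`, `VIEWABLE_EXTENSIONS`, `Entry` and the `[PROGRAM]` marker are constructed assumptions standing in for what a real system would take from its registered file types and mode bits.

```python
import os
import stat
from dataclasses import dataclass

# Constructed allowlists for this example. A real file manager would take these
# from the OS's registered viewers and from its list of program types.
VIEWABLE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".odt", ".docx"}
PROGRAM_EXTENSIONS = {".exe", ".bat", ".cmd", ".scr", ".com", ".msi", ".sh"}


@dataclass
class Entry:
    """One directory entry as the file manager sees it (name plus st_mode)."""
    name: str
    mode: int


def is_program(entry: Entry) -> bool:
    """Decide executability from metadata only.

    Nothing stored inside the file (an embedded icon, a thumbnail, a claimed
    type) is consulted, so a picture of a glow cannot influence the result.
    The last extension wins, which is what catches 'holiday.jpg.exe'.
    """
    _, ext = os.path.splitext(entry.name.lower())
    if ext in PROGRAM_EXTENSIONS:
        return True
    # Unix-style execute bit in any of user/group/other.
    return bool(entry.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def render(entry: Entry) -> str:
    """Draw the marker beside the name, outside the icon's own pixel area.

    Because the marker is emitted by the file manager and not read from the
    file, an icon that merely looks marked still renders without it.
    """
    marker = "[PROGRAM]" if is_program(entry) else "         "
    return f"{marker} {entry.name}"


def open_action(entry: Entry) -> str:
    """The 'open' gesture from the thread: documents go to a viewer, never to
    an interpreter. Running a program is a separate, explicit gesture that this
    function deliberately does not provide."""
    if is_program(entry):
        return "refuse: programs need an explicit 'run' gesture"
    _, ext = os.path.splitext(entry.name.lower())
    if ext in VIEWABLE_EXTENSIONS:
        return f"view with the {ext} viewer"
    return "unknown document type: show 'no viewer available'"


def listing(entries: list[Entry]) -> list[str]:
    """Render a directory listing line by line, with the action 'open' would take."""
    return [f"{render(e)}  ->  {open_action(e)}" for e in entries]


if __name__ == "__main__":
    # Constructed sample directory: a real photo, a trojan hiding behind a
    # double extension, a script with the execute bit set, and a PDF.
    sample = [
        Entry("holiday.jpg", 0o644),
        Entry("holiday.jpg.exe", 0o644),
        Entry("backup.sh", 0o755),
        Entry("report.pdf", 0o644),
    ]
    for line in listing(sample):
        print(line)
```

Run as a script it prints the constructed listing with `[PROGRAM]` only on the two executable entries. The defensive point is the one the thread makes: the classification and the marker both derive from data the file's author does not control (extension registration and mode bits), and the single "open" gesture has exactly one meaning, so a mislabelled attachment ends up in a viewer that reports a corrupt file rather than in an interpreter.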
So what do you do when I add a picture to my files that makes it seem like they glow?
If something is possible on an icon it's possible on every icon.
Nonsense. I can easily add some kind of effect to icons OS-side that is disallowed or technically impossible within the icon itself. For example, something that extends beyond the visual space of the icon itself, or a marker that is displayed next to it.
Technically any file is executable in the sense that when you double-click it, the OS may launch an associated app.
You may have noticed in my posting that this is what I consider the root cause issue - the one action (a double-click) can cause different things based on opaque dependencies.
I'm not trying to solve all security issues with one stroke, that's impossible. I am showing an idea for one specific problem to demonstrate that solutions exist, we don't have to take some stupid idea some idiot once had up the arse for all eternity.
The dancing bunnies post was an interesting blog idea with a good punchline and made a really good summary of a well-known problem. It is always worth stopping to think about it.
It is not, however, absolute truth from on high. It's a simplified aphorism on a real problem. Don't judge actual research against aphorisms. The funny thing about researching humans is that more often than you think, the truth is counter-intuitive, more complicated than everyone thought, or just outright strange.
For example, Miller and Wu ("Fighting Phishing at the User Interface", 2005) conducted a study in which changing a dialog element from buttons to a short drop-down list dropped the error rate of users from 30% to zero.
They certainly shouldn't be owning computers.
Welcome to the 21st century, I hope you had a restful cryo sleep. They should have told you in debriefing that this sentiment went out of business 10 years ago.
in Vista and Win 7 there are UAC WARNINGS
UAC has one and only one actual effect that has been verified by independent researchers: It trains people to ignore warning dialogs. I'm not joking, that is literally the result of studies done on the subject.
So, you were saying?
Now you tell ME friend, [...] can you stop that in ANY way by changing any part of a UI?
Yes, you can. Chameleon was a university prototype designed specifically to deal with the malware download issue not by technological, but by UI means. That's just one example I can cite right away. If you research the topic a bit, you will find many ideas that have, at least in the lab, been shown to at least improve the situation, sometimes considerably.
If you're looking for a magic bullet, then I'm sorry, all I can offer you is the harsh truth of IT security: There are no magic bullets.
because its NOT a UI problem,
Says who, based on what studies?
HAISA (Human Aspects in Information Security Assurance) is a relatively new field, and as far as sciences go, quite immature (Stanton, "Empirical vs. Non-Empirical Work in Information Systems Security", 2007 - if I ask for studies, I should provide some for my points). As such, there is still a lot we don't know, are partially or totally guessing at, or have incomplete data on. One thing we do know, however, is that in a THS triangle, only a small subset of security issues rest strongly in the "technology" corner. Many security issues are partially or strongly influenced by human and/or social factors. It stands to reason - and many studies, experiments and prototypes support the theory, e.g. the one outlined above or a couple of those listed in my keynote "Security & Usability" (DFN-CERT Workshopband, ISBN 9-783844-806885) - that user interface improvements do have a measurable impact on those.
I'm sorry, but you can't fix a user problem with a tech solution
It's not a tech solution. It's a user (interface) solution. Just above you complained that it's not a UI problem, now it suddenly is a user problem. I'm sure you know what the "U" in "UI" stands for, so please make up your mind.
Comparing Win8 to ME or Vista is unfair to Win8.
Not necessarily. Every other Windows release sucks so badly, it could be sold as a vacuum cleaner. Since Win7 was fairly ok, Win8 is destined to be the one that sucks. Like Vista was after XP and ME was after 98.
The difference is that the last times, the total failures were a kick in the nuts for MS to shape up and produce something at least somewhat usable next time. This one might be the end of the OS division for MS. If Win8 fails really hard, the next Office could be running on Android and OS X.
China is famous for copying everything - to their advantage, often driving out the original competitors from whom they copied through lower prices.
Now they've started copying the US patent system. Kiss your ass goodbye.
Yes, it does.
What a stupid question. Of course grammar matters, but the comparison is stupid. Tweets or chat messages are today's equivalent of verbal speech and the rules are relaxed there. In spoken conversations, people of a certain standing still look out for proper grammar and more, but for most people, spoken and written language are slightly different. That some written language now uses spoken language form does not change that. Business letters won't contain Twitter language for a while to come, and I wouldn't suggest trying to apply for a good job with SMS language.
Doesn't work because you have quite a few programs that do not work with documents. Screensavers, utility programs (say, Quicksilver, Dropbox, etc.) and others.
Also, you have programs where documents are secondary at best. Most network tools (browser, e-mail, etc.)
How do you decide what is "executable" and what isn't?
Good point, yes. I don't have an answer for that. The reverse would be easier: The system knows what kinds of file types it can handle that are not executables.
Users simply ignore this
Of course they do. We've trained them for a decade that warning dialogs are a nuisance, nothing important is ever in them, they're filled with techno-babble, they interrupt their work at the worst possible moments, and the default option is almost always the one they want.
The reason is simplicity: We simply want the computer to "open" whatever it is we're interested in.
I believe we've been trained to think that way. I remember times when that wasn't true. Early computers didn't have these metaphors. You did not "open" a document from the command line. You ran a program and then opened the file from that program's open dialog. I still remember that opening a document directly was confusing to me at first.
Download a good program and left-click it by habit
But that's today's habit. My thought experiment was assuming that what we have today never happened, so this habit has never formed.
Fundamentally it comes down to understanding the separation of the two kinds of files and why it's important to treat them differently. This requires technically informed users -- the very same flaw as simply displaying file extensions.
I do believe that users aren't that stupid - you just have to speak their language. File extensions and binary code isn't their language.
What we need are better metaphors. The ones we have suck. Humans are fantastic at applying metaphors. I'm not a linguist except by interest, so I don't think I can come up with the solution. But I've done enough research to believe that the solution lies somewhere in that direction.
It'll be a jump, one we can hardly imagine. Like multitouch - it seems so natural and obvious now that we've had it for a while, but 20 years back it wasn't obvious in the least. Gestures? Please. Go back 30 years and try to explain gestures to the C64 home computer crowd. A mouse was revolutionary in those days.
I believe we will solve this on the user interface design front, and then we'll look back and wonder how we could ever be so stupid.
You can't survey and demarcate an idea like you can a piece of land.
You cannot copyright ideas. Only works. So that's not an argument against copyright.
Once upon a time, you couldn't patent an idea, either. You could only patent an implementation of an idea. You could patent the light bulb (the specific one), but not the general idea of creating light by heating something up.
Business and software patents are what is really insane. Most other patents have been dragged down with them. A simple and extremely effective reform would be back towards requiring a working model or prototype with a patent, and a much narrower reading on what exactly the patent covers.
So, basically, I find it quite ok that when you spend years of your life and maybe lots of money on making some invention work, your competitor can't simply go and copy it. But I don't like that your competitor can't come up with something similar, working in a different way, as an alternative solution. Basically, patenting the light bulb is good, but it shouldn't stop other people from coming up with alternatives.
Do you mean that the GPL needs copyright law?
Yes, it does. The FSF has probably an FAQ with the details.
Maybe, but free software doesn't.
Depends. BSD-style free software doesn't. But GPL-style free software does. The GPL guarantees that people can't make what is public property into private property. I like it. I am a big fan of the GPL and less so of the more permissive licenses.
Here's a clue
You think that I could study computer science without realizing that? What you don't realize is that there is an important difference in running a known application and having it open a file and running an unknown application. Secondly, that there is a difference between running an application when you want to and know that you are doing so and running an application without realizing that you are doing so.
The bad guys will use whatever they can
That, exactly, is the point. Why do we give them so many ways to use?
Your stupid suggestions do nothing to make this better.
Sorry to burst your babble, but some of "my" suggestions aren't my own inventions but are from peer-reviewed articles that show they do have the desired effect. Unfortunately, much of this has never gone beyond prototype stage, because the major OS vendors aren't accepting the responsibility, either don't give a fuck (MS), are too focused on not breaking the consistency of their design (Apple) or are run by geeks who don't understand user interface design (Linux).
Making the user aware that they run a program to view a document will change nothing.
I see you are one of the people who believe that user awareness is the problem. It isn't. The futility of user awareness trainings, which we in the IT security industry have been running for decades to little effect, should've made clear that this isn't true.
There will always be stupid users and they will always outnumber smart ones
There is no such thing as a stupid user. Every time an IT security person uses the word "stupid user", he is trying to draw attention away from his own failures. I have done root cause analysis on "stupid user" topics, and I can show you a deeper cause for every issue commonly attributed to "stupid users".
Your attitude towards users is one of the reasons that things are as ugly as they are. If car makers thought the same about drivers, our highways would be slaughterhouses and people would dread driving, not enjoy it.
Actually, I disagree strongly with you. A part of how I make my living relies on copyright, and even the GPL does what it does through copyright law.
I'll agree that the current versions are insanity incarnate. That doesn't mean the concept is flawed. There are many aspects in this that people overlook in their zeal. For example, the arguments against extending copyright past the author's death overlooks that in prior times and in many cultures today, giving your children something to inherit is a big motivator. For people building physical things, that's easy. For people building with their minds, copyright law is what makes it possible.
Does that mean I agree with "life + 70 years"? No, I don't. I think that's insane. I think it should be a fixed number of years from publication, and the number should vary by what it is - no computer game from 20 years ago is providing measurable amounts of income for anyone today, but books that age regularly do.
Which country is mine? I have a number of citizenships and residencies, none of them are US.
My mistake.
UN is a toothless nothing,
I disagree. It certainly isn't a military or economy or other power. That doesn't mean it is a nothing.
I agree, in parts.
But the EU does have a parliament, and it has been made more powerful with the latest reforms.
The UN doesn't have a parliament. Would that help your fears? Considering that more than half of the representatives (if selected by population sizes) would be from Asia? And only about 5% from the USA?
That's a solution requiring technically informed users.
I propose something different: Icon markings. Executable files should have some kind of visual cue that can not be faked and is added by the OS and only to executable files. A designer will have to work out the best option there. For this example, assume that it is a glow - executables glow, nothing else can ever glow, there is no way to make other symbols glow.
Users could be trained to look for that cue, that something that glows is a program, no matter what it otherwise seems to be, and that if an alleged image glows then it isn't an image.
Of course, that's a workaround. The real fix would be to realize that the metaphor is wrong that opening a program and opening a document are the same thing, because they aren't.
Imagine that nobody had ever thought of making a click do two different things. Imagine that from day one, we would have agreed that left-click opens a document file, while right-click runs a program. All of those stupid e-mail attached trojans would fail, because the users would left-click them, expecting a picture or Word document, and they would get their picture viewer or Word open, showing them that the file is corrupted. They'd be none the wiser that it is a trojan, but a) they would not have been infected and b) it is highly unlikely that they would try to right-click it.
You're not from Europe and it shows.
Over here in Europe, the Polish are famous for stealing cars. There's a bit of truth to it - quite a few stolen cars end up in Poland. In fact, I once had a Polish girlfriend, and she told me that she and her parents didn't leave anything of value inside the car when they were going back home to visit relatives, and were quite concerned with having their car stolen there.
UN along with the prior failed League of Nations was a Rothschild invention.
Sources and evidence or it's a lie.
A lot of people would comment on that because where do you think most of the money for those programs, or the free food would come from? That's right, the US. We already have enough problems ourselves that we have to fix first.
I can relate to that argument better than you think, because I'm German and we Germans are the ones largely paying for the whole EU thing.
However, we are also profiting from the EU a lot more than the mainstream media or the politicians care to admit.
I wouldn't be surprised if the same would be true for the US. Of course, the facts won't be easily available, because politically, the UN is the perfect scapegoat.
You know, we here in the US do kind of have cause to be uncomfortable with being controlled by a higher body. I mean, the country itself exists only because Americans got tired of being ruled over by a government that they saw as foreign and insensitive to their needs and only wanted to exploit them to fund its wasteful wars and other expensive programs.
That's pretty ironic because the end result of it all has been that you've created your own government that is insensitive to your needs and only wants to exploit you to fund its wasteful wars and other expensive programs.
And give you an illusion of control. When's the last time elections in the US really changed anything?
That is because people don't like to give up sovereignty.
Strawman. They already have. The question is not giving it up or not, the question is solely to whom.
What exactly are you saying, that I am pro-patent wars or something like that?
No, I'm saying that you (plural you, as in your country) apparently can't get this shit sorted out on its own, so everyone else (as in the UN) needs to give you a push.
Just like invading Taliban Afghanistan or Nazi Germany was justified because those people couldn't get their shit together without outside help and were hurting others. No, that's not on the same level, which is why the proper answer isn't a war, but a UN directive.
Yes, I am.
Now when you've wiped the foam from your mouth, you will realize that it already works that way in many other areas. We don't let people who haven't studied medicine perform liver transplants. We don't let people drive a car if they haven't demonstrated that they know at least the basics of it. And we have further rules saying that if you are so intoxicated that you can't drive safely anymore, then you are not allowed to drive.
Same thing here. If your computer has become a danger to others, it does not belong online. Clean it up (aka, sober up) and then you can go online again.
Doesn't sound all that conspiracy-theory-evil-overlordy anymore if you write it out in simple, reasonable terms, does it?
You make it sound like someone could decide to deny online access to someone permanently. But that is not what I ever said. "sober up and then you'll get your car keys back" is a perfectly acceptable approach to the issue of drunk driving. And "clean up your machine and then you'll get your online connection back" is a perfectly good approach to the issue of malware and bot nets.
So you'd rather have the patent madness for reasons of pride?
If we shot everyone who's an idiot in the USA, would there be enough population remaining for a single city?
It's not like anyone else has been moving at any speed towards more sanity in that area.
For some people, the UN could announce a cure for cancer, free unlimited food for everyone, a low-cost solution to global warming and a Mars colony project on the same date, and they would comment with NWO paranoia, evil overlord nonsense and "don't mess with my rights" bullshit.
A huge majority of those comments come from Americans. Are you so unconfident that you can't accept someone else besides the "land of the free and the home of the brave" (which has long since turned into a joke to everyone outside the US) as someone setting international agendas?
We have a similar phenomenon over here in Europe, btw. - it is directed against the European Union, which is always blamed for everything that goes wrong, even though at least lately they have made a ton of excellent decisions (rejecting ACTA being the most prominent one). That is in part caused by our cowardly, corrupt, evil politicians, who abuse the EU to push through laws they want but know would never get popular support for. It goes roughly like that: Come up with a law, test it with a few controlled "leaks", notice popular outrage. Publicly call the scapegoat you prepared for a crazy idea and assure the public that the party line is different. Quietly move the law to the EU level and get it passed as an EU directive. A year or two later, dig up the old law again and complain how you really don't want to do it, but the EU forces you to...
So I wonder where the anti-UN sentiment in the US comes from?
Notice how EVERY DAMNED ONE is a PEBKAC problem?
No, I don't. And I've given speeches about this very subject.
The problem is a user interface design problem. The computer lies to the user, a user untrained in computers and thus unable to spot the lie. I'm not talking about the "hot lesbians inside" lie, I am talking about the lie where the user intends to do one thing, instructs the computer to do it, and the machine does something entirely different without telling the user.
The computer displays an icon indicating that something is a video. User clicks on it, intending to watch a video. Instead, a program is executed and installs malware on the machine. There are so many design failures here, it is painful:
* false information about the nature of the object
* bad interface design not allowing the user to express his action clearly (the click action has context-specific meanings)
* bad ACL allowing an unintended action to have even more unintended consequences
* bad feedback to the user as to what is actually happening
To abuse a car analogy - malware is like a CD that you put into your CD player in your car and it makes a copy of your car keys and when you're driving past the next post office, mails it to someone in Poland.
And you are blaming the driver. Seriously?
The real solutions are a little less convenient than simply blaming the user. They require thought, intelligence, lots of testing inside and outside the lab, to find better user interface paradigms. One that, for example, allows the user to make a difference between "show me this document" and "run this program". And a change in mindset that moves away from the "users are stupid, let's not bother them with the difference between documents and programs" to "actually, it turns out that with a bit of training, people do understand the difference between the switch that controls the lights and the one that controls the windshield wipers".
It also requires smarter technology that can really undo actions. When software installs follow the change set concept, then we are getting somewhere.
There's a lot more, and I don't claim to have even the majority of the answers, much less all of them. But I do know that we've been asking the wrong questions for way too long. I have about a dozen pieces of the puzzle that I've researched in depth, and in all cases it turns out that stupid users is not the root cause.
In fact, IT security would be a lot better off if it were to simply accept stupid users as a fact, just like limited memory and damaged network packets, and find ways to work with them without falling over. You know, the Ping of Death was really, really embarrassing. Most of IT Security is much like it.
And yes, I know what I'm talking about, I do this for a living, I give speeches about it, I've been doing research on this for over a decade. If you're in Europe, you can hire me on this.
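The icon-marking proposal above (executables glow, and only the OS can make something glow) and the first item of the design-failure list in this post (false information about the nature of the object) come down to one decision the OS has to make on its own: is this thing a program, regardless of what its name and icon claim? The following is an added example written for this page, not code from anyone in the thread. It models that decision for a handful of constructed sample files: executability is derived from the file's leading bytes (real format signatures) and from the launch association of the final extension, then compared against what the visible name claims. The extension tables are assumptions standing in for a real OS association table, and the `SAMPLES` are made-up headers, not real programs.

```python
"""Added example, not from the thread: an OS-side "does it glow?" check.

Decides, from content and launch association rather than from the icon, whether
an object is a program, and whether its visible name claims otherwise.
"""
from pathlib import PurePath

# Real signatures at offset 0 of formats an OS would run as a program.
EXEC_MAGIC = [
    (b"MZ", "PE (Windows program)"),
    (b"\x7fELF", "ELF (Unix program)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit program"),
    (b"#!", "script with interpreter line"),
]

# Real signatures of document formats (handed to a viewer, never executed).
DOC_MAGIC = [
    (b"%PDF", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
]

# Assumed stand-in for the OS association table: final extensions that make a
# double-click run the file instead of opening it in a viewer.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".sh"}
# Assumed list of extensions whose icon tells the user "this is a document".
DOC_EXTENSIONS = {".avi", ".mp4", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".txt"}


def sniff(data):
    """Return (is_program, description) judged from the leading bytes only."""
    for magic, desc in EXEC_MAGIC:
        if data.startswith(magic):
            return True, desc
    # RIFF container: the form type at offset 8 says whether it is AVI, WAVE, ...
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return False, "AVI video"
    for magic, desc in DOC_MAGIC:
        if data.startswith(magic):
            return False, desc
    return False, "unknown content"


def classify(name, data):
    """Decide whether NAME (with content DATA) glows, and whether its name lies.

    launch_ext is what the OS dispatches on (the final suffix). shown_ext is
    what the user sees with known extensions hidden: for 'holiday.avi.exe'
    the icon and the visible name both say '.avi'.
    """
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    launch_ext = suffixes[-1] if suffixes else ""
    shown_ext = suffixes[-2] if len(suffixes) > 1 else launch_ext
    content_is_program, description = sniff(data)
    glows = content_is_program or launch_ext in EXEC_EXTENSIONS
    return {
        "name": name,
        "content": description,
        "launch_ext": launch_ext,
        "shown_ext": shown_ext,
        "glows": glows,                                  # the OS-added, unforgeable cue
        "lies": glows and shown_ext in DOC_EXTENSIONS,   # looks like a document, is a program
    }


# Constructed sample files (headers only; none of these is a working program).
SAMPLES = {
    "holiday.avi": b"RIFF" + (100).to_bytes(4, "little") + b"AVI LIST",
    "holiday.avi.exe": b"MZ\x90\x00" + b"\x00" * 60,        # PE stub behind a video name
    "funny_cat.jpg": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,   # ELF behind an image name
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,               # honest program
    "notes.txt": b"just some text\n",
    "build.sh": b"#!/bin/sh\necho hello\n",
}


def scan(samples=SAMPLES):
    """Classify every sample; returns {name: result dict}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for r in scan().values():
        cue = "GLOWS" if r["glows"] else "     "
        flag = "  <-- name says document, content is a program" if r["lies"] else ""
        print(f'{cue} {r["name"]:18} {r["content"]}{flag}')
```

Note that `funny_cat.jpg` glows even though a double-click on it would only open an image viewer (which fails on an ELF header): the cue says what the object is, not what the current click would do with it, which is exactly the separation the thread asks for. The check looks at leading bytes and a short association table only; a real OS has far more launchable types (installers, archives with auto-run, documents with macros), so this is a model of the decision, not a complete implementation of it.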