Should MS take responsibility for a user's decisions?

Discussion in 'polls' started by wat0114, Nov 29, 2011.

Should MS take Full responsibility for a user's decisions?

Poll closed Jan 28, 2012.
  1. Yes, full responsibility: explain what MS should do.

    2 vote(s)
    7.7%
  2. No, only partial responsibility: explain what MS could do better.

    8 vote(s)
    30.8%
  3. No, not at all: explain why.

    16 vote(s)
    61.5%
  1. guest

    guest Guest

    "As a core corporate value, we are committed to continually improving in four key areas: Security, Privacy, Reliability, and Business Practices." Microsoft
     
  2. wat0114

    wat0114 Guest

    HM, so it seems to me, only wants to see an O/S developed that's 100% "idiot proof" against user decisions, an incredible achievement it could be if possible, but I can't see it ever happening. The closest this could happen, without sacrificing usability, is probably in an enterprise environment, with IT-administered policies in place to restrict and govern what users can and can't do, but then this is not MS' area of concern, really, except that they provide some tools such as Group Policy, SRP, AppLocker and Standard user accounts, amongst others, that administrators can utilize to "lock down" the computer environment.

    The car analogy is one example, but there are many others that can be used. A table saw manufacturer provides safety instructions, warning labels and a blade guard on the machine to help prevent injuries to the operator, but by no means is the manufacturer responsible for someone who operates the machine carelessly and runs their hand into the blade when cutting material with it. As long as the machine is built according to government safety requirements, it's up to the operator to follow the maintenance routines and all the safety precautions when using it.
     
  3. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Let's not make Microsoft responsible. It would have serious downsides I think, as guest noted.
    It will boil down to having safe practices advised in a totalitarian UAC style/total behaviour whitelist, where every malware infestation automagically is thus the result of a user's neglect.
    Don't download this...or else, don't visit this site....or else, don't watch this....or else.
    Or worse; You can't download this..., you can't visit this..., you can't watch/listen to this...
    Brrr, not a future OS I'd like to use.
    Making Microsoft responsible automatically will ensure that the company will do everything in order to absolve responsibility/accountability when something does go wrong.
    Such a business model would mean that MS would be accountable for all banking trojans that do succeed.
    Not even a viable option from a business perspective I'd say.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Responsible is the wrong word. It is not their obligation to provide you with anything - you bought it and it's yours. But in terms of security it will always be the OS that should deal with the security model. Whether the user is held responsible for what happens to their computer or not is a separate issue but the OS should handle security.

    And no you don't need whitelists/ to restrict what the user can do.
     
  5. guest

    guest Guest

    And the OS is supposed to handle a lot of other things as well. Security is just one aspect, flexibility is another, and so on.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think I personally see a line between accountability and responsibility. Maybe I'm just using the wrong words. I don't think Microsoft should be held accountable for a user's actions but I do think they should handle security in its entirety. I think that no half decent security model can rely on user decisions.

    So, if we're calling responsibility "You break it, MS pays for it" no I don't think they are responsible - it's your purchase. But security does have to start from the OS.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes. And?
     
  8. guest

    guest Guest

    Such "No user decision" models have trade-offs that Microsoft might not want to infect their business with.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not really.
     
  10. guest

    guest Guest

    Prove it.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    A manufacturer of cars is responsible for making the car reliable (of proper value) and safe (according to standards).

    A manufacturer develops a positive reputation by going beyond the required, and developing appealing characteristics like air bags and better bumpers and restraint systems.

    A good manufacturer does the best job possible within the confines of still making a profit.

    Once the car leaves the plant, the manufacturer hopes he has put in place all the features that millions of customers want (like a stereo) and also hopes the "above and beyond" features (like side air bags) will both entice sales and also provide a VERY useful feature.

    The inclusion of anti-lock brakes is a feature that is designed to help drivers avoid accidents.

    The manufacturer does all of these things based on the assumption that most people will drive in a "normal" fashion. Screeching stops and break-neck speeds are not the norm. Therefore, the cars are designed, to a degree, even for those who drive abnormally. They attempt to provide for the worst-case scenario.

    With many millions of consumers buying a product, and each consumer being unique, complete with different driving habits, there is no possible way the manufacturer can meet each and every unique need.

    At some point, they must say "we have included all we can that is reasonable and affordable, now it is up to the drivers to use what we have made in a way that is within the confines of what we have made - if they drive off a cliff, we did not meet that need - nor did we anticipate they would drive 80mph on icy roads - we just cannot foresee such use - the drivers will just have to drive responsibly"

    They have made their product the best they can, hopefully going beyond what is needed and supplying the extra "safety features". If they make a model that is flawed, they issue a recall to repair/replace. That is their responsibility.

    If a mechanic modifies their product, making it unsafe, they have no obligation. If the consumer has a boulder fall on their roof by some crazed madman rolling boulders off mountain tops, it is not the consumer's fault, but neither is it the manufacturer's fault.

    Every party bears a certain amount of responsibility. The manufacturer for making sure their product meets standards. The consumer for making sure they drive in accordance with the standards upon which the car was made. As for the rock-rolling deviants, well, they are a completely different story altogether ;)

    The only way to make sure the manufacturer is always liable is to have them drive you, in their car, where you want to go. Now that is a loss of freedom in my book. I would rather take the responsibility on myself and go where I like, when I like.

    Sul.
     
  12. guest

    guest Guest

    Sully... I think Hungry Man wants the cars to come with perfect pilots too. Or else, they should not be sold. :D
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would really like to. Unfortunately I'm not going to.

    http://www.ee.sunysb.edu/~xwang/public/paper/asiaccs17-shan.pdf

    There's something vaguely similar in principle to what I'm working on. It's MAC, light on resources, requires very little from the user, and works very well.

    What I'm working on is actually very different in a lot of major ways but the principles are the same. I don't want to go further into that.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I want the dumbest drivers possible, actually.

    I still think securing a car is absolutely nothing like securing a computer nor are the dangers that face drivers anything like those that face a computer user.

    But again I've already said that there should be no manufacturer liability for something a user does. But the OS is where security belongs and if you want any decent security model you have to assume that your uneducated massive userbase will make bad decisions.
     
  15. wat0114

    wat0114 Guest

    The O/S, depending on the version, already can handle so much of the security if the user wants to utilize it, simply starting with operating as a Standard user. Of course with Pro, Ultimate or Enterprise, there's extras such as SRP, AppLocker and GPEDIT. Unfortunately, I don't see how it can guard against poorly implemented Administrative-level decisions by the end user. It's up to the user to obtain the application from as trustworthy a source as possible and check it for malicious code via antivirus or similar.

    My idea, which I hadn't realized is kind of in place already, sorry about that, was to make it easy for 3rd party developers to have it approved and digitally signed at no cost to them, with something implemented in Windows to make it clear to the user that this centralized and validated repository should be used primarily for software downloads. I find it incredible that more developers aren't taking this approach if it's available to them at no charge o_O
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Which they don't. And they'd have to learn how to utilize it, which they won't want to do.

    Me either.

    That's definitely one solid method.

    So do I.
     
  17. guest

    guest Guest

    Some make sure to be more reputable than Microsoft in some small minds, with lies and FUD, so they don't have to follow the lines.

    "UAC appeared? MICROSOFT FAULT!"
     
  18. guest

    guest Guest

    Want trade-offs? Where is the flexibility? What happens if I want to run an app that is incompatible with this "thing"? lol
     
  19. wat0114

    wat0114 Guest

    Yeah, MS had originally touted UAC as a security feature, but then MS Technical Fellow Mark Russinovich had to come along and write a sort of "backpedaling" about it, asserting that it's actually to encourage developers to write Standard user-friendly programs.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    What flexibility do you want?

    They had very few incompatibilities, otherwise known as FPs. The FP rate of their program compared to others was

    them: 5.6%
    everyone else: at least 30% or higher

    But like I said theirs is limited in a lot of ways but the principle is the same.
     
  21. guest

    guest Guest

    Wow, incredible.

    If my AV (I don't use, but let's pretend I used) flags a FP, I can always put it on an ignore list or just disable the AV - there is the flexibility I want and most people too.

    On that model, I'll have to wait for a fix "coming from the sky" - and be blocked until the moment comes.

    Very poor flexibility.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not my model... at all. This is some research team in China that hasn't even released the program.

    Anyways, it's clear that there are solutions out there that require virtually no user interaction and provide fewer conflicts than traditional methods while also providing far greater protection.
     
  23. guest

    guest Guest

    How can you state that, without empirical confirmation? You would need dozens of millions of users to get a small initial idea of what traditional methods handle.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Nearly 2000 malicious files tested in this research paper and those are the results.

    Tracer is no end-all be-all program by any means. It's just what I have on hand to show you that user interaction isn't important to security.
     
  25. guest

    guest Guest

    I know that, but as I said earlier, security is just one aspect of an OS. People expect a lot more from MS Windows.
     