[conspire] About conditioned helplessness

Edward Cherlin echerlin at gmail.com
Wed Aug 31 23:13:52 PDT 2011


On Wed, Aug 31, 2011 at 23:06, Rick Moen <rick at linuxmafia.com> wrote:
> I wrote:
>
>> You know what really offends me as an open-source person?  Conditioned
>> helplessness.

Unfortunately, conditioned helplessness is the most offensive part of
human cultures generally, whether in the technical realm, politics,
religion, finance, economics (two different subjects that are
constantly conflated), law, consumer culture, or anything else.
Fortunately, there is a cure, and people once cured apparently cannot
be infected with the disease again, according to Seligman's research.
Unfortunately, the cure is difficult. You have to push people to help
themselves over and over again until the light comes on. Fortunately,
we have ways of getting a computer to do that. Unfortunately, those
methods are not widely deployed. Fortunately, now that computers cost
less than printed textbooks, the revolution is unstoppable, and we
will within a few decades be able to teach a billion children at a
time to take over the world. (Bwahahahaha!)

As things stand today, I am constantly fighting conditioned
helplessness in getting Open Source to millions of children. Cambodia
and Haiti are two of the worst, due to extensively documented
histories which are, no matter how much you have read or heard, worse
than you or I know. (These are, in the Rumsfeld epistemology, to be
classified as Known Unknowns.) I have direct experience in recruiting
localizers and developers for Free/Open Source Software and
translators and authors for content. It is extremely difficult from
this distance to get Cambodians and Haitians to believe, in a
practical and effective way, that they are entitled to their own
opinions and permitted to volunteer for the public good, no matter
what anybody else may say. The worst of all will be North Korea after
reunification.

The pervasiveness of conditioned helplessness is seen to a greater or
not quite as great (but not actually lesser) extent in any former
imperial colony and any former tyranny, and to an actually lesser but
still significant extent in what passes for republics in the US and
Europe. In colonial regimes and tyrannies both, education systems and
as much as possible of the rest of government were constructed with
the explicit aim of teaching the subject population to be helpless as
much as possible, for as long as possible. Plato was the worst
offender in early times, in The Republic and The Laws. One of the most
egregious early modern examples was Prussia.

Johann Gottlieb Fichte (1762–1814), writing of the newly-minted
Prussian education system, designed on factory automation principles:

    You must fashion [the person], and fashion him in such a way that
    he simply cannot will otherwise than what you wish him to will.

    Addresses to the German Nation

In many cases successor governments in nominally liberated colonies,
and ruling elites everywhere, have found it quite convenient to
maintain such systems.

Shorter tyrant, mob boss, religious zealot, Microsoft: "When I want to
hear _your_ opinion, I'll *tell* it to you."

One of the simplest and most devastating forms of such helplessness is
continued large-scale software "piracy" in developing nations, where
it is hardly known that our alternatives exist, and where Microsoft
FUD has been moderately effective in preventing their widespread
adoption. Microsoft apparently _wants_ its malware to be pirated, on
the theory that everybody can then be extorted into buying legal
copies as soon as there is enough money in the countries concerned,
not being siphoned off by the other kleptocrats, to do so.

To come back to our starting point, then, Free/Open Source Software is
currently one of the best educational resources for teaching people
not to be helpless, even if only by using it. Of far more value than
that, of course, is the process by which anybody can contribute to
both software freedom and Creative Commons content freedom, and
thereby to their own personal freedom.

I have in mind a curriculum on freedom of various kinds, integrated
into Sugar software, including in the limit how whole populations can
fix broken and corrupt governments. In a segment of this plan for an
earlier level of child development, students would do homework by, for
example, collaboratively improving Wikipedia articles on their
countries and so on, or writing new ones, or translating articles to
or from their local languages. (Feel free to suggest better targets
than Wikipedia.) When we get our curriculum together on teaching
programming in third grade or possibly even earlier, we can invite our
many millions of students at all levels to hunt and then fix bugs,
suggest and then implement features, and so on.

I should go turn this into a blog post with links to further information.

Thanks for prodding me to write this, Rick.

> I've been trying to help a friend of mine in Nashville who's now
> become basically afraid of computers, period, on account of malware.

We in CAUCE encountered similar fears of spam on a rather large scale
about 15 years ago. People who would not use e-mail for fear of porn
and other deeply offensive materials that they could not block. Do you
have any indication how widespread this level of malware-phobia is?

> She is (of course) a Windows user, and I normally cannot be bothered
> to help Windows people deal with their security problems, but she's a
> longtime friend, and thus an exception.
>
> I had just gotten through sending her this summary of
> http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/ :
>
>  A major security company (RSA Data Security) had some of its crown-jewel
>  corporate secrets stolen recently.  How?  One of its engineers was
>  reading e-mail, and had Adobe Flash _including_ the ActiveX Flash
>  plugin for MSIE installed.  He encountered a mail with an Excel
>  spreadsheet attached.  He clicked the spreadsheet, which opened Excel,
>  which decided to open the ActiveX-enabled Flash interpreter to run a
>  Flash animation inside the spreadsheet.  Because ActiveX is horribly
>  overpowered and dangerous, _and_ because he was logged in with local
>  Administrator privilege, malware and a backdoor got installed and run by
>  Flash, which then stole corporate information and sent it to criminals.

It is almost impossible to protect a system from authorized users.

> Not quite getting my point about fatal and elementary security errors on
> the RSA-employee user end, my friend asked me if I'd download a PDF for
> her and make sure it doesn't have malware before she 'opened' it.
>
> So, I analysed that situation for her and helped her out, and _then_
> sent a wide-view post.  And I offer the principles for what they're
> worth, because they're applicable regardless of operating system.
> Post to my friend follows:
>
>
>
> Let's back up, and start at the beginning with the key principles.
> I've said these before, and I really did mean them.  (No offence
> intended or taken!)
>
>
> Files aren't dangerous.  Programs (by and large) don't run themselves.
> Malware you do not execute is harmless, so avoiding malware entails, in
> short, not running it.

You see how Rick did that? You have to get to the essential question
in order to have a hope of finding meaningful answers.

> Not running malware _mostly_ (exception noted below, separately)
> involves being careful about what applications and utilities you use to
> handle public data.  By 'public data', I mean stuff arriving at you off
> the Internet or other exposed networks, i.e., the ongoing datastream of
> data and files arriving at your Web browser and at your e-mail program.
> This includes external programs invoked by either your Web browser or
> e-mail program to handle particular types of files or data.  Such
> external programs include handling programs (viewers, readers) for PDF
> files, Flash animations, various types of image or video or sound files,
> doc/docx, xls/xlsx, and anything else your Web browser or e-mail program
> is configured to hand off to an external program.
>
> Some applications for MS-Windows relevant to public data have a
> miserable, dismal security history, usually because they are
> overfeatured and badly written.  Those include
>
> Microsoft Internet Explorer (partly on account of ActiveX)
> Microsoft Outlook
> Microsoft Outlook Express
> Adobe Acrobat Reader, though its worst feature, internal Javascript
>   support, can be disabled via a Preferences checkbox

This leads to a conundrum for Sugar education software. We need
educational documents that include software of various kinds. I don't
like making students copy and paste code in order to run an
educational model of some topic, be it tech (programming, math,
science) or artistic (art, music, other), geographic, or any other.
But I haven't seen anybody take up this issue of safety seriously
enough.

> Adobe Flash interpreter, and _especially_ the MSIE variant of the
>   Adobe Flash interpreter (because of ActiveX)
> Apple QuickTime
> Yahoo Messenger
> Microsoft Windows Live (MSN) Messenger

JavaScript on any Web site where you don't know whether the authors
are trustworthy or competent. Java (no relation) too, but incompetent
and malicious JavaScript are much more common.

> Don't run those.  Just don't.  They're bad code.  As to everything else
> that your Web browser uses to run as external programs to handle public
> data:  Go through them.  If you aren't sure they should handle a
> particular type of public data, disable or remove the handler.
>
> That's real work.  I'm sorry.  You're trying to have real security on
> Microsoft Windows, and that is simply made difficult by the oblivious
> user culture and widespread acceptance of bad code and bad
> configurations.

Even on Linux and BSD, security remains real work. Just nowhere near
as much, with better resources to help.

> Here's an old essay by an acquaintance of mine, but it's still true:
> http://www.dwheeler.com/essays/securing-windows.html
>
>
>
> So... there's an attack against Adobe Flash's ActiveX plugin for MSIE
> involving Excel spreadsheets with embedded Flash animations that do
> nothing but install malware and a backdoor?  Simple:  Don't have the
> Adobe Flash MSIE plugin on your system.  Done.
>
> The 'attack file' isn't dangerous.  It's the really incredibly bad Adobe
> software that creates that danger.
>
> Most people never grapple with the fundamental issue, the 'Don't run bad
> code' one.  So, they fall back on ridiculous, expensive, and _ineffective_
> fallbacks like antimalware scanners and being members of the Cult of the
> Holy Firewall.

It is known that trying to determine whether a program contains
malware by inspecting it is an inherently undecidable problem. See "I
can be played on record player X" (You can't stop me) and "I cannot be
played on record player X" (I can destroy your system) in Hofstadter's
Gödel, Escher, Bach. All antimalware software can be defeated by
measures known to everyone who has had a competent undergraduate
Computer Science education (which Bill Gates did not).

> Exception to the 'avoid malware by just not running it' general rule:
> A small percentage of threats attack the core of your system directly if
> _it_ is vulnerable.  That's why you _download and store onto a CDR_ the
> latest critical fixes (Service Pack 3 for XP and whatever) recommended
> by Microsoft Corporation.  You do _not_ install the OS and let it fetch
> security updates across the Internet.  Why?  Because that means
> connecting a vulnerable machine to the Internet, which is an Obviously
> Very Bad Idea the likes of which only Microsoft could love.

It has been extensively documented that installing any form of Windows
and then going online to look for security updates means that your
computer will almost certainly be infected before you get a chance to
download the patches, much less install them. For clarity, then,
download the critical security updates and burn them to CDR on a
computer that has previously been secured, preferably one not running
Windows at all. Or take it to a shop that has done so.

> Also, never run any program with more security privilege than it
> absolutely needs.  This is why you do _not_ put Local Administrator
> rights onto your regular login.  If you ever need to run a particular
> application with Administrator privilege, use the right-click context
> menu to do Run As.

As usual, What He Said.

-- 
Edward Mokurai (默雷/धर्ममेघशब्दगर्ज/دھرممیگھشبدگر ج) Cherlin
Silent Thunder is my name, and Children are my nation.
The Cosmos is my dwelling place, the Truth my destination.
http://wiki.sugarlabs.org/go/Replacing_Textbooks



