[conspire] Defaults and inert users

Rick Moen rick at linuxmafia.com
Tue Jul 9 12:48:08 PDT 2013


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Tue, 9 Jul 2013 12:41:47 -0700
From: Rick Moen <rick at linuxmafia.com>
To: luv-talk at lists.luv.asn.au
Subject: Re: [luv-talk] Facebook.. Privacy? What privacy?
Organization: If you lived here, you'd be $HOME already.

I just had a reminder of how huge a percentage of people simply fail to
engage, at a fundamental level, with the basics of Internet security.
My acquaintance James Redekop, who works as a veteran coder at an
Internet firm in Ontario, said on a mailing list that he was unable to 
follow a link to an article on cincinnati.com because the site told him
he'd reached his quota for gratis articles for the month.

I thought, wait, what?  That means....

  Quoting James H.G. Redekop (james.hg.redekop at gmail.com):

  > On Tue, Jul 9, 2013 at 8:40 AM, Garrison Hilliard
  > <garrison.hilliard at gmail.com> wrote:
  > > Not too rainy in Cin. city, but...
  > >
  > > http://nky.cincinnati.com/proart/ab/20130708/news0103/307080034/a-month-s-worth-rain-fell-one-week?odyssey=mod|newswell|img|frontpage|p&pagerestricted=1
  > 
  >  Apparently, my free trial to this website I've never visited before
  > has expired, so I can't read the article.

  d00d, as always, it's a Javascript function.  You're not using
  NoScript yet?

I was stunned because James of all people should have long ago figured
out _why_ something like NoScript is necessary.  But then I was stunned
a second time by his explanation of why he was doing without it:

  Quoting James H.G. Redekop (james.hg.redekop at gmail.com):

  > I'm at work, where I work on a cloud-based application which uses
  > JavaScript, so I haven't bothered to install it here.

  You've possibly made the error of assuming the name 'NoScript' means
  that it disables Javascript?  I continue to be amazed how many people
  make that erroneous assumption.[1]

  I use it at work, and $FIRM has dozens of sites on which I need to be
  able to automatically run the served Javascript.  So, that's what I have
  NoScript do for all such sites.

  [1] Put simply, NoScript _inverts_ Web browsers' default behaviour of
  being willing to run any JavaScript snippet on any page from any FQDN,
  by making that become default-no.  On a per-site basis, you choose which
  FQDNs' snippets to enable either temporarily or permanently from then
  on.  You also can (and should) tweak permitted Javascript behaviour in
  NoScript's preferences, which is a key advantage because the Javascript
  language is dangerously and horrifically overfeatured.

  You are warned that there is a learning curve in getting used to
  NoScript, and it's important to know how to use its overrides for
  difficult cases.  The payoff is much better security and browser
  performance, there are far fewer instances of bombing out of memory,
  there is far lower RAM usage, there is much less junk on pages, video
  clips become optionally playable objects rather than autorunning
  irritations, and many paywalls like NY Times's and cincinnati.com's
  simply go away completely.  (AdBlock Plus is a highly recommended
  companion measure.)

In other words, James had failed to even investigate NoScript, never 
looking beyond its _name_, and assuming (in error) based solely on that
name that it simply disables Javascript in some blanket fashion --
without taking even a few seconds to check.  (Aside:  Why would anyone
write a Firefox extension merely to disable Javascript, anyway?  That
doesn't even make a tiny bit of sense.)

The larger picture:  Installing and tweaking add-on modifications to
basic software requires taking initiative, and I notice that hardly
anyone ever does.

In Feb. 2011, I gave a talk at Silicon Valley Linux User group called
'The Wild, Wild Web: Web Browser Security, Performance, and Privacy'
(for which notes and slides are online), and made the point that
Javascript is _the_ keystone technology one must wrestle back under user
control if one hopes to enjoy reasonable security, performance,
stability, and privacy.  Thus the extreme need for NoScript or something
like it.  Even though, yes, using it does require you to get off your
ass and do something on your own initiative rather than being a passive
consumer.

Near the end of my talk, I asked for an honest show of hands:
'Seriously now, and I would appreciate an honest answer and will take no
offence at same, how many of you will seriously consider any significant
portion of the recommendations I'm making here today?'

Out of a room of about 50-60 members of the audience, I think one hand
went up.  I thanked them for their refreshing honesty -- but was a bit
appalled at the near-total disconnect between people understanding the
problem and being willing to lift a finger to take corrective (but
non-default) measures to deal with it.


The even larger picture:  I've noticed that the rot has set in pretty
deeply of people 'trying Linux' but never even considering doing
anything non-default.  We've now had about a decade's worth of
participants for whom 'installing Linux' is just booting a distro
installer and hitting the spacebar repeatedly with their foreheads until
completion, who are utterly helpless to deal intelligently with driver
and configuration issues, and who don't even really understand anything
about their chosen distros, either.

I started to realise the magnitude of the problem when I encountered
people installing DamnSmallLinux on P4 boxes with 512 MB or 1GB RAM
because they seriously thought nothing more complex _could_ work.  And
why did they think this?  They attempted to boot the live-CD image of
(say) Ubuntu to run the graphical installer on top of that, it choked on
the extreme RAM shortage, and they concluded that installation was
impossible.  Or the installer completed but then was 'slow' and they
couldn't even start to figure out how to decide what to run and not run,
because the very concept of doing so was alien.

I saw this problem when I asked such people about the process list.
Blank expression.  'Process list.  You know, the process list.  ps and
all that.'  Complete and total non-comprehension.

'Wait, this is an open-source OS.  The very basic idea, the raison
d'etre, is to enable _you_ to decide for _yourself_ what to run and not
to run.  Are you telling me you have never even considered figuring out
what is running and deciding for yourself what you want?'  Yes, that's 
overwhelmingly the case.

And these people actually _argue_ with me.  DamnSmallLinux is The Right
Thing because they can boot into the installer and hit the spacebar with
their foreheads repeatedly and arrive at a (feeble, limited) Linux
installation.  Therefore, it's the right choice, say they.  

Wow.  Just wow.


_______________________________________________
luv-talk mailing list
luv-talk at lists.luv.asn.au
http://lists.luv.asn.au/listinfo/luv-talk

----- End forwarded message -----



