<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_03_16_1931214</id>
	<title>Users Rejecting Security Advice Considered Rational</title>
	<author>kdawson</author>
	<datestamp>1268731920000</datestamp>
	<htmltext>WeeBit writes <i>"Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working. [Microsoft Research's Cormac] Herley offers a different viewpoint. He contends that user rejection of security advice is <a href="http://blogs.techrepublic.com.com/security/?p=3275&amp;tag=nl.e036">based entirely on the economics of the process</a>."</i> Here is Dr. Herley's paper, <a href="http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf">So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users</a> (PDF).</htmltext>
<tokentext>WeeBit writes " Researchers have different ideas as to why people fail to use security measures .
Some feel that regardless of what happens , users will only do the minimum required .
Others believe security tasks are rejected because users consider them to be a pain .
A third group maintains user education is not working .
[ Microsoft Research 's Cormac ] Herley offers a different viewpoint .
He contends that user rejection of security advice is based entirely on the economics of the process .
" Here is Dr. Herley 's paper , So Long , And No Thanks for the Externalities : The Rational Rejection of Security Advice by Users ( PDF ) .</tokentext>
<sentencetext>WeeBit writes "Researchers have different ideas as to why people fail to use security measures.
Some feel that regardless of what happens, users will only do the minimum required.
Others believe security tasks are rejected because users consider them to be a pain.
A third group maintains user education is not working.
[Microsoft Research's Cormac] Herley offers a different viewpoint.
He contends that user rejection of security advice is based entirely on the economics of the process.
" Here is Dr. Herley's paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904</id>
	<title>Re:Some security measures don't seem practical.</title>
	<author>Anonymous</author>
	<datestamp>1268741940000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><blockquote><div><p>some of those hosts have passwords which expire every 30 days</p></div></blockquote><p>This is slightly off-topic, but I have to question how useful it is to require people to change their passwords often. Chances are, when someone breaks into your computer, they're going to leave a back door, so they can get in, regardless of the actual password. Anyone have any thoughts on that?</p>
	</htmltext>
<tokentext>some of those hosts have passwords which expire every 30 days This is slightly off-topic , but I have to question how useful it is to require people to change their passwords often .
Chances are , when someone breaks into your computer , they 're going to leave a back door , so they can get in , regardless of the actual password .
Anyone have any thoughts on that ?</tokentext>
<sentencetext>some of those hosts have passwords which expire every 30 days This is slightly off-topic, but I have to question how useful it is to require people to change their passwords often.
Chances are, when someone breaks into your computer, they're going to leave a back door, so they can get in, regardless of the actual password.
Anyone have any thoughts on that?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502806</id>
	<title>Re:the real reason</title>
	<author>Anonymous</author>
	<datestamp>1268741400000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>It is sad because it's true. After fixing my Dad's computer for the second time this year, I gave the same angry lecture I did last time on internet security. His reply was "Fuck you, I will do what I want and you will fix it next time as well!"</p><p>Incidentally, every time he screws up his computer, I always get the blame. Even though I don't even live in the same town, it always seems to be <i>my</i> fault. I say to stop downloading every random screensaver and crappy program that he comes across and to stop opening and clicking the links on every single email he gets (He seems to not comprehend what a Junk Mail folder is for). He just tells me that I should have "fixed it right to begin with". Such gratitude!</p></htmltext>
<tokentext>It is sad because it 's true .
After fixing my Dad 's computer for the second time this year , I gave the same angry lecture I did last time on internet security .
His reply was " Fuck you , I will do what I want and you will fix it next time as well !
" Incidentally , every time he screws up his computer , I always get the blame .
Even though I do n't even live in the same town , it always seems to be my fault .
I say to stop downloading every random screensaver and crappy program that he comes across and to stop opening and clicking the links on every single email he gets ( He seems to not comprehend what a Junk Mail folder is for ) .
He just tells me that I should have " fixed it right to begin with " .
Such gratitude !</tokentext>
<sentencetext>It is sad because it's true.
After fixing my Dad's computer for the second time this year, I gave the same angry lecture I did last time on internet security.
His reply was "Fuck you, I will do what I want and you will fix it next time as well!
"Incidentally, every time he screws up his computer, I always get the blame.
Even though I don't even live in the same town, it always seems to be my fault.
I say to stop downloading every random screensaver and crappy program that he comes across and to stop opening and clicking the links on every single email he gets (He seems to not comprehend what a Junk Mail folder is for).
He just tells me that I should have "fixed it right to begin with".
Such gratitude!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501906</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502828</id>
	<title>Re:It's a fundamental human value calculation:</title>
	<author>RobinEggs</author>
	<datestamp>1268741520000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><div class="quote"><p>people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures.</p></div><p>
I'm pretty sure TFA's entire <i>point</i> is that sometimes the guaranteed cost of preventative measures <i>does</i> exceed the statistical risk times the economic risk of actual damage. Skating by on luck totally works if luck, even including the cost of failures at or somewhat above statistical norms, costs less over the long run than the preventative measure.<br/> <br/>
I actually have a car analogy here: I don't insure my vehicle for theft or comprehensive damage, because it would cost $400 a year with a $500 deductible on a vehicle only worth $2000. I'm refusing the preventative measure, but only because the likely cost of relying on the preventative measure far exceeds the cost of just buying another car, provided my car gets stolen or totaled less than every two years.<br/> <br/>
Information security, like insurance, becomes a transaction on many levels, and many products or preventions in both arenas aren't really worth the cost.</p>
	</htmltext>
<tokentext>people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures .
I 'm pretty sure TFA 's entire point is that sometimes the guaranteed cost of preventative measures does exceed the statistical risk times the economic risk of actual damage .
Skating by on luck totally works if luck , even including the cost of failures at or somewhat above statistical norms , costs less over the long run than the preventative measure .
I actually have a car analogy here : I do n't insure my vehicle for theft or comprehensive damage , because it would cost $ 400 a year with a $ 500 deductible on a vehicle only worth $ 2000 .
I 'm refusing the preventative measure , but only because the likely cost of relying on the preventative measure far exceeds the cost of just buying another car , provided my car gets stolen or totaled less than every two years .
Information security , like insurance , becomes a transaction on many levels , and many products or preventions in both arenas are n't really worth the cost .</tokentext>
<sentencetext>people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures.
I'm pretty sure TFA's entire point is that sometimes the guaranteed cost of preventative measures does exceed the statistical risk times the economic risk of actual damage.
Skating by on luck totally works if luck, even including the cost of failures at or somewhat above statistical norms, costs less over the long run than the preventative measure.
I actually have a car analogy here: I don't insure my vehicle for theft or comprehensive damage, because it would cost $400 a year with a $500 deductible on a vehicle only worth $2000.
I'm refusing the preventative measure, but only because the likely cost of relying on the preventative measure far exceeds the cost of just buying another car, provided my car gets stolen or totaled less than every two years.
Information security, like insurance, becomes a transaction on many levels, and many products or preventions in both arenas aren't really worth the cost.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503178</id>
	<title>Re:It's obvious</title>
	<author>Anonymous</author>
	<datestamp>1268743800000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><div class="quote"><p>And when management replies with the inevitable, "Password aging provides a fail-safe against compromised accounts," then what is your reply?</p></div><p>I would reply that requiring passwords to be changed frequently provides little or no fail-safe against compromised accounts.</p><p>Once they've installed the malware on your machine, it doesn't <i>matter</i> that you changed the locks.</p><p>However, frequent mandatory password changes, along with a requirement for impossible-to-remember passwords, will pretty much ensure that users will write their passwords down. If "users should write passwords down and keep the written-down password in a convenient, easy to access location" is part of your security plan, frequent resets and complicated password rules should do it.</p>
	</htmltext>
<tokentext>And when management replies with the inevitable , " Password aging provides a fail-safe against compromised accounts , " then what is your reply ? I would reply that requiring passwords to be changed frequently provides little or no fail-safe against compromised accounts . Once they 've installed the malware on your machine , it does n't matter that you changed the locks . However , frequent mandatory password changes , along with a requirement for impossible-to-remember passwords , will pretty much ensure that users will write their passwords down .
If " users should write passwords down and keep the written-down password in a convenient , easy to access location " is part of your security plan , frequent resets and complicated password rules should do it .</tokentext>
<sentencetext>And when management replies with the inevitable, "Password aging provides a fail-safe against compromised accounts," then what is your reply? I would reply that requiring passwords to be changed frequently provides little or no fail-safe against compromised accounts. Once they've installed the malware on your machine, it doesn't matter that you changed the locks. However, frequent mandatory password changes, along with a requirement for impossible-to-remember passwords, will pretty much ensure that users will write their passwords down.
If "users should write passwords down and keep the written-down password in a convenient, easy to access location" is part of your security plan, frequent resets and complicated password rules should do it.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502788</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502750</id>
	<title>Re:good advice versus bad advice; costs to others</title>
	<author>isoloisti</author>
	<datestamp>1268741100000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>That doesn't mean *nobody* pays the cost of the fraud. We all pay those costs, indirectly.

But isn't that the point? Isn't it rational of users to shirk individual effort that reduces collective harm? For sure, Wells Fargo passes the cost to its customers. But that happens whether an individual user makes security effort or not. So might as well not.</htmltext>
<tokentext>That does n't mean * nobody * pays the cost of the fraud .
We all pay those costs , indirectly .
But is n't that the point ?
Is n't it rational of users to shirk individual effort that reduces collective harm ?
For sure , Wells Fargo passes the cost to its customers .
But that happens whether an individual user makes security effort or not .
So might as well not .</tokentext>
<sentencetext>That doesn't mean *nobody* pays the cost of the fraud.
We all pay those costs, indirectly.
But isn't that the point?
Isn't it rational of users to shirk individual effort that reduces collective harm?
For sure, Wells Fargo passes the cost to its customers.
But that happens whether an individual user makes security effort or not.
So might as well not.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502466</id>
	<title>Re:good advice versus bad advice; costs to others</title>
	<author>Anonymous</author>
	<datestamp>1268739480000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>"because he says that a user shouldn't spend more than "0.98 seconds" (doesn't he understand significant figures?)"</p><p>Ah hah, clearly you don't understand that 2 significant figures are obviously more accurate than 1!</p><p>Writing this took me approximately 10.7741 seconds.</p></htmltext>
<tokentext>" because he says that a user should n't spend more than " 0.98 seconds " ( does n't he understand significant figures ?
) " Ah hah , clearly you do n't understand that 2 significant figures are obviously more accurate than 1 ! Writing this took me approximately 10.7741 seconds .</tokentext>
<sentencetext>"because he says that a user shouldn't spend more than "0.98 seconds" (doesn't he understand significant figures?
)"Ah hah, clearly you don't understand that 2 significant figures are obviously more accurate than 1!Writing this took me approximately 10.7741 seconds.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504022</id>
	<title>Re:What's up with /. Headlines?</title>
	<author>Anonymous</author>
	<datestamp>1268751660000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Headlines are rarely grammatically correct. They have to say a message and have shorter limits than Twitter.</p></htmltext>
<tokentext>Headlines are rarely grammatically correct .
They have to say a message and have shorter limits than Twitter .</tokentext>
<sentencetext>Headlines are rarely grammatically correct.
They have to say a message and have shorter limits than Twitter.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505698</id>
	<title>Re:Some security measures don't seem practical.</title>
	<author>house5150</author>
	<datestamp>1268817540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Well, I can tell you the reason I do it: it's because users share passwords. Well, I was on vacation, so I gave my password to my assistant to do payroll... I trust them forever with my password, even if they get fired or angry with me....</htmltext>
<tokentext>Well , I can tell you the reason I do it : it 's because users share passwords . Well , I was on vacation , so I gave my password to my assistant to do payroll... I trust them forever with my password , even if they get fired or angry with me... .</tokentext>
<sentencetext>Well, I can tell you the reason I do it: it's because users share passwords. Well, I was on vacation, so I gave my password to my assistant to do payroll... I trust them forever with my password, even if they get fired or angry with me....</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503712</id>
	<title>Re:Windows Joke</title>
	<author>Anonymous</author>
	<datestamp>1268748660000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>Linux even does generation changes without aid from IT, can you imagine what that would mean to your job? Imagine Linux being used in office, with the new versions quietly installing themselves while all the software keeps working</p></div><p>And please remind me again, which Linux desktop is able to deliver on that promise?</p>
	</htmltext>
<tokentext>Linux even does generation changes without aid from IT , can you imagine what that would mean to your job ?
Imagine Linux being used in office , with the new versions quietly installing themselves while all the software keeps working And please remind me again , which Linux desktop is able to deliver on that promise ?</tokentext>
<sentencetext>Linux even does generation changes without aid from IT, can you imagine what that would mean to your job?
Imagine Linux being used in office, with the new versions quietly installing themselves while all the software keeps working And please remind me again, which Linux desktop is able to deliver on that promise?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502662</id>
	<title>Re:And it's often NOT worth it.</title>
	<author>koiransuklaa</author>
	<datestamp>1268740620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I would care because I'm not an asshole. Don't know about you.</p></htmltext>
<tokentext>I would care because I 'm not an asshole .
Do n't know about you .</tokentext>
<sentencetext>I would care because I'm not an asshole.
Don't know about you.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502110</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503584</id>
	<title>Ignorance</title>
	<author>Anonymous</author>
	<datestamp>1268747160000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Slashdot, where anything outside of computing is "new" or "novel" or "creative".</p><p>The conclusion (that rejecting computer security advice is rational) is not unusual from the POV of economics.</p><p>Imagine a mainstream paper shouting "Computers can print on both A4 and US Legal paper".</p></htmltext>
<tokentext>Slashdot , where anything outside of computing is " new " or " novel " or " creative " . The conclusion ( that rejecting computer security advice is rational ) is not unusual from the POV of economics . Imagine a mainstream paper shouting " Computers can print on both A4 and US Legal paper " .</tokentext>
<sentencetext>Slashdot, where anything outside of computing is "new" or "novel" or "creative". The conclusion (that rejecting computer security advice is rational) is not unusual from the POV of economics. Imagine a mainstream paper shouting "Computers can print on both A4 and US Legal paper".</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503516</id>
	<title>Re:What's up with /. Headlines?</title>
	<author>grcumb</author>
	<datestamp>1268746560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><blockquote><div><p>Users Rejecting Security Advice Considered Rational</p></div></blockquote><p>
noun gerund noun noun gerund adjective - WTF!?</p><blockquote><div><p>Users reject security advice, that are considered rational</p></div></blockquote></div><p>Or, more accurately (and appropriately alliterative), with BBC syntax:</p><p> <strong>Rejecting Security Advice is 'Rational': Researcher</strong></p>
	</htmltext>
<tokentext>Users Rejecting Security Advice Considered Rational noun gerund noun noun gerund adjective - WTF !
? Users reject security advice , that are considered rational Or , more accurately ( and appropriately alliterative ) , with BBC syntax : Rejecting Security Advice is 'Rational ' : Researcher</tokentext>
<sentencetext>Users Rejecting Security Advice Considered Rational
noun gerund noun noun gerund adjective - WTF!
?Users reject security advice, that are considered rational Or, more accurately (and appropriately alliterative), with BBC syntax: Rejecting Security Advice is 'Rational': Researcher
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505496</id>
	<title>Re:It's obvious</title>
	<author>gordguide</author>
	<datestamp>1268857200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Good point. I would like to add that most computer security practices may be valid, and even useful, but those in charge of establishing security with computing act like their pet app/website/bank/hardware is the most important thing on Earth, period. Oh, and it's also implicitly trusted, so the user should grant it access to... well... everything.</p><p>Problem one results in the situation where five minutes of your time invested in security for this pet app or service is not that significant, but having 30 groups of security requirements needing five minutes.... whoa, there, son! You want me to do what??</p><p>Problem two results in the user being nagged into defeating the very security the other 29 services are simultaneously building.</p><p>It's little wonder that giving up and going commando is so attractive to users.</p></htmltext>
<tokentext>Good point .
I would like to add that most computer security practices may be valid , and even useful , but those in charge of establishing security with computing act like their pet app/website/bank/hardware is the most important thing on Earth , period .
Oh , and it 's also implicitly trusted , so the user should grant it access to ... well ... everything . Problem one results in the situation where five minutes of your time invested in security for this pet app or service is not that significant , but having 30 groups of security requirements needing five minutes .... whoa , there , son !
You want me to do what ?
? Problem two results in the user being nagged into defeating the very security the other 29 services are simultaneously building . It 's little wonder that giving up and going commando is so attractive to users .</tokentext>
<sentencetext>Good point.
I would like to add that most computer security practices may be valid, and even useful, but those in charge of establishing security with computing act like their pet app/website/bank/hardware is the most important thing on Earth, period.
Oh, and it's also implicitly trusted, so the user should grant it access to ... well ... everything. Problem one results in the situation where five minutes of your time invested in security for this pet app or service is not that significant, but having 30 groups of security requirements needing five minutes .... whoa, there, son!
You want me to do what?
?Problem two results in the user being nagged into defeating the very security the other 29 services are simultaneously building. It's little wonder that giving up and going commando is so attractive to users.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502180</id>
	<title>Re:Interesting</title>
	<author>mikael\_j</author>
	<datestamp>1268737800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I think you're wrong, most of them don't fully understand the issues, they just think "me not big rich company with lots of sooper secrit datas, me no waste money on intarwebs man" (yeah, I'm an ass) even though they may very well have good reason to avoid getting themselves hijacked by some random bot or kid (Just because you don't have millions in the bank doesn't mean you're not interesting to a criminal or that it won't hurt for you if all your money disappears, or how about "oh, and what's this $200k loan? I don't remember taking out another OH SHIT!"?)</p><p>It's the same kind of reasoning that people use when they choose not to wear a seatbelt when driving, but while most drivers don't know the odds of getting in a crash most computer users don't even know what the risks are (it would be like a driver being only vaguely aware of "bad things" possibly happening if he doesn't drive safely and doesn't wear a seatbelt), I've seen way too many machines that had bots known for stealing banking info on them where the owner of the machine just handwaved away my concerns with some "oh well, nothing bad has happened so far and it's not like anyone would bother stealing from me..." spiel. My response in those cases is to point out that as a friend I will help them fix their problem <b>now</b> but if they decline I will hang up if they call me in the future with any kind of computer problem.</p></htmltext>
<tokentext>I think you 're wrong , most of them do n't fully understand the issues , they just think " me not big rich company with lots of sooper secrit datas , me no waste money on intarwebs man " ( yeah , I 'm an ass ) even though they may very well have good reason to avoid getting themselves hijacked by some random bot or kid ( Just because you do n't have millions in the bank does n't mean you 're not interesting to a criminal or that it wo n't hurt for you if all your money disappears , or how about " oh , and what 's this $ 200k loan ?
I do n't remember taking out another OH SHIT ! " ?
) It 's the same kind of reasoning that people use when they choose not to wear a seatbelt when driving , but while most drivers do n't know the odds of getting in a crash most computer users do n't even know what the risks are ( it would be like a driver being only vaguely aware of " bad things " possibly happening if he does n't drive safely and does n't wear a seatbelt ) , I 've seen way too many machines that had bots known for stealing banking info on them where the owner of the machine just handwaved away my concerns with some " oh well , nothing bad has happened so far and it 's not like anyone would bother stealing from me... " spiel .
My response in those cases is to point out that as a friend I will help them fix their problem now but if they decline I will hang up if they call me in the future with any kind of computer problem .</tokentext>
<sentencetext>I think you're wrong, most of them don't fully understand the issues, they just think "me not big rich company with lots of sooper secrit datas, me no waste money on intarwebs man" (yeah, I'm an ass) even though they may very well have good reason to avoid getting themselves hijacked by some random bot or kid (Just because you don't have millions in the bank doesn't mean you're not interesting to a criminal or that it won't hurt for you if all your money disappears, or how about "oh, and what's this $200k loan?
I don't remember taking out another OH SHIT!"?
)It's the same kind of reasoning that people use when they choose not to wear a seatbelt when driving, but while most drivers don't know the odds of getting in a crash most computer users don't even know what the risks are (it would be like a driver being only vaguely aware of "bad things" possibly happening if he doesn't drive safely and doesn't wear a seatbelt), I've seen way too many machines that had bots known for stealing banking info on them where the owner of the machine just handwaved away my concerns with some "oh well, nothing bad has happened so far and it's not like anyone would bother stealing from me..." spiel.
My response in those cases is to point out that as a friend I will help them fix their problem now but if they decline I will hang up if they call me in the future with any kind of computer problem.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503560</id>
	<title>Re:6. Change often</title>
	<author>Haeleth</author>
	<datestamp>1268746920000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><blockquote><div><p>In theory, if you change your password often enough before the brute-force being complete, the attacker would have to start all over again.</p></div></blockquote><p>Yes -- in theory. But people are good at subverting policies like that.</p><p>Suppose it takes about four months for an attacker to brute-force your password hash, and you change your password every month. If they get lucky today and discover that as of December your password was "foobar@Dec09", I think they might be able to make a plausible guess as to its current value.</p>
	</htmltext>
<tokentext>In theory , if you change your password often enough before the brute-force being complete , the attacker would have to start all over again . Yes -- in theory .
But people are good at subverting policies like that . Suppose it takes about four months for an attacker to brute-force your password hash , and you change your password every month .
If they get lucky today and discover that as of December your password was " foobar @ Dec09 " , I think they might be able to make a plausible guess as to its current value .</tokentext>
<sentencetext>In theory, if you change your password often enough before the brute-force being complete, the attacker would have to start all over again. Yes -- in theory.
But people are good at subverting policies like that. Suppose it takes about four months for an attacker to brute-force your password hash, and you change your password every month.
If they get lucky today and discover that as of December your password was "foobar@Dec09", I think they might be able to make a plausible guess as to its current value.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502196</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502788</id>
	<title>Re:It's obvious</title>
	<author>Anonymous</author>
	<datestamp>1268741280000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>And when management replies with the inevitable, "Password aging provides a fail-safe against compromised accounts," then what is your reply?

Your comment is highly rated, so there must be lots of slashdotters who can shed some light on this for me.</htmltext>
<tokenext>And when management replies with the inevitable , " Password aging provides a fail-safe against compromised accounts , " then what is your reply ?
Your comment is highly rated , so there must be lots of slashdotters who can shed some light on this for me .</tokentext>
<sentencetext>And when management replies with the inevitable, "Password aging provides a fail-safe against compromised accounts," then what is your reply?
Your comment is highly rated, so there must be lots of slashdotters who can shed some light on this for me.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31514568</id>
	<title>Any prevention effort costs more?  No.</title>
	<author>jwhitener</author>
	<datestamp>1268817720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"prevention is more expensive than repair/recovery/treatment"</p><p>I don't think you can proclaim that as universally true.  Especially if you start talking about medicine/social services.  And I'm pretty sure there are many computer related situations where that statement would not be true. For instance, military computer networks.</p><p>From http://swpc.ou.edu/doucments/publications/ResearchSummary10.04.pdf :</p><p>"Primary Findings<br>
&nbsp; Return on investment of prevention programs range from $2-$20. That is for every<br>dollar spent on prevention programs, from $2 to $20 is returned in benefits. Benefits are<br>estimates of savings over a period of time resulting from reduced demand for health and<br>social services.<br>"</p></htmltext>
<tokenext>" prevention is more expensive than repair/recovery/treatment " I do n't think you can proclaim that as universally true .
Especially if you start talking about medicine/social services .
And I 'm pretty sure there are many computer related situations where that statement would not be true .
For instance , military computer networks . From http : //swpc.ou.edu/doucments/publications/ResearchSummary10.04.pdf : " Primary Findings   Return on investment of prevention programs range from $ 2- $ 20 .
That is for every dollar spent on prevention programs , from $ 2 to $ 20 is returned in benefits .
Benefits are estimates of savings over a period of time resulting from reduced demand for health and social services .
"</tokentext>
<sentencetext>"prevention is more expensive than repair/recovery/treatment"I don't think you can proclaim that as universally true.
Especially if you start talking about medicine/social services.
And I'm pretty sure there are many computer related situations where that statement would not be true.
For instance, military computer networks. From http://swpc.ou.edu/doucments/publications/ResearchSummary10.04.pdf : "Primary Findings
  Return on investment of prevention programs range from $2-$20.
That is for every dollar spent on prevention programs, from $2 to $20 is returned in benefits.
Benefits are estimates of savings over a period of time resulting from reduced demand for health and social services.
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502406</id>
	<title>Re:And it's often NOT worth it.</title>
	<author>PitaBred</author>
	<datestamp>1268739060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Because his compromised computer's bandwidth usage and infection compromises the security of the rest of the computers on the network as well as affecting their quality of service?</p></htmltext>
<tokenext>Because his compromised computer 's bandwidth usage and infection compromises the security of the rest of the computers on the network as well as affecting their quality of service ?</tokentext>
<sentencetext>Because his compromised computer's bandwidth usage and infection compromises the security of the rest of the computers on the network as well as affecting their quality of service?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502110</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503646</id>
	<title>Re:What's up with /. Headlines?</title>
	<author>Anonymous</author>
	<datestamp>1268747880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><blockquote><div><p>Users Rejecting Security Advice Considered Rational</p></div></blockquote><p>noun gerund noun noun gerund adjective - WTF!?</p><p>is sentence structure really that hard? how about</p><blockquote><div><p>Users reject security advice, that are considered rational</p></div></blockquote></div><p>Your solution changes the intended meaning. The title implies the user is rational. Your solution implies the advice is rational.</p><p>how about<br>Users who reject security advice are considered rational by security expert.</p>
	</htmltext>
<tokenext>Users Rejecting Security Advice Considered Rational noun gerund noun noun gerund adjective - WTF ! ?
is sentence structure really that hard ?
how about Users reject security advice , that are considered rational Your solution changes the intended meaning .
The title implies the user is rational .
Your solution implies the advice is rational . how about Users who reject security advice are considered rational by security expert .</tokentext>
<sentencetext>Users Rejecting Security Advice Considered Rational noun gerund noun noun gerund adjective - WTF!?
is sentence structure really that hard?
how about Users reject security advice, that are considered rational Your solution changes the intended meaning.
The title implies the user is rational.
Your solution implies the advice is rational. how about Users who reject security advice are considered rational by security expert.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503258</id>
	<title>Re:Interesting</title>
	<author>Attila Dimedici</author>
	<datestamp>1268744400000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><div class="quote"><p>All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut and firing up nmap and pull down the customer DB, or fire up Metasploit.</p></div><p>That would only do that kid any good if the salon keeps the customer credit card numbers in their database. What competitive advantage does the salon gain from storing their customers' credit card numbers? I bet it would cost them a lot less than $50 to <strong>not</strong> store their customers' credit card numbers.</p>
	</htmltext>
<tokenext>All it takes is one malicious kid , who likes credit card numbers , waiting for a haircut and firing up nmap and pull down the customer DB , or fire up Metasploit . That would only do that kid any good if the salon keeps the customer credit card numbers in their database .
What competitive advantage does the salon gain from storing their customers ' credit card numbers ?
I bet it would cost them a lot less than $ 50 to not store their customers ' credit card numbers .</tokentext>
<sentencetext>All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut and firing up nmap and pull down the customer DB, or fire up Metasploit. That would only do that kid any good if the salon keeps the customer credit card numbers in their database.
What competitive advantage does the salon gain from storing their customers' credit card numbers?
I bet it would cost them a lot less than $50 to not store their customers' credit card numbers.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502170</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31510892</id>
	<title>"Some feel..."??</title>
	<author>Hurricane78</author>
	<datestamp>1268849220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>Some feel that regardless of what happens, users will only do the minimum required.</p></div><p>It is a known fact that all life that survives, is that which used the most efficient way. Even on other planets. And in fact in the whole universe. Because the laws of physics demand it.</p><p>And if you look at it, it does not look as if it would hurt them enough for it to be worth doing something about it. Even with a botnet client on their system.</p><p>Believe me, when they hear that their neighbor went to jail for hosting child porn, because of a trojan running on his system, they WILL try to prevent it. Or just die out. (Unless protected by false but politically correct &ldquo;being social&rdquo; saving those failures.)</p>
	</htmltext>
<tokenext>Some feel that regardless of what happens , users will only do the minimum required . It is a known fact that all life that survives , is that which used the most efficient way .
Even on other planets .
And in fact in the whole universe .
Because the laws of physics demand it . And if you look at it , it does not look as if it would hurt them enough for it to be worth doing something about it .
Even with a botnet client on their system . Believe me , when they hear that their neighbor went to jail for hosting child porn , because of a trojan running on his system , they WILL try to prevent it .
Or just die out .
( Unless protected by false but politically correct “ being social ” saving those failures .
)</tokentext>
<sentencetext>Some feel that regardless of what happens, users will only do the minimum required. It is a known fact that all life that survives, is that which used the most efficient way.
Even on other planets.
And in fact in the whole universe.
Because the laws of physics demand it. And if you look at it, it does not look as if it would hurt them enough for it to be worth doing something about it.
Even with a botnet client on their system. Believe me, when they hear that their neighbor went to jail for hosting child porn, because of a trojan running on his system, they WILL try to prevent it.
Or just die out.
(Unless protected by false but politically correct “being social” saving those failures.
)
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31507030</id>
	<title>Re:It's obvious</title>
	<author>echnaton192</author>
	<datestamp>1268832720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If someone "lends" his password to another person, you have bigger security problems. And 60 days are enough time to do really bad stuff.</p><p>Changing passwords every 60 days leads to weak passwords. Period.</p></htmltext>
<tokenext>If someone " lends " his password to another person , you have bigger security problems .
And 60 days are enough time to do really bad stuff . Changing passwords every 60 days leads to weak passwords .
Period .</tokentext>
<sentencetext>If someone "lends" his password to another person, you have bigger security problems.
And 60 days are enough time to do really bad stuff. Changing passwords every 60 days leads to weak passwords.
Period.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502700</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503130</id>
	<title>Re:It's obvious</title>
	<author>knarfling</author>
	<datestamp>1268743560000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext>A tough question, especially since "best practice" dictates that the password be changed often. I did a little research into this and found that UNIX is actually the culprit for needing to change passwords often. <p>It seems that several years ago, the /etc/passwd file was world readable (since it had to be read in order to log in), and that both the username and password were stored there. (Now the passwords are stored in /etc/shadow which is not world readable.) It was fairly simple for someone to download a passwd file and then run it through a dictionary cracker to find the passwords. In the early 80's it was found that a dedicated mainframe could crack any dictionary word in the passwd file in about eight weeks. If the hacker only had access for a couple hours a day, it could take up to four months. (If a complex password was used, it would take much longer or possibly never be cracked.) Therefore, if a person changed his password every 30 days, he could be sure that by the time the hacker cracked his password, it had been changed. </p><p> However, as computers became more powerful, the time to crack passwords from a passwd file became less and less, so a better solution needed to be found. One method was to separate the password from the username into a shadow file, and make sure that the shadow file was not world readable. A cracker would need to break into the computer with root privileges in order to read the password file so that they could break into the computer. </p><p> Unfortunately, the above explanation is long, complicated, and goes against "best practices." I have tried pointing that out to several "Security experts" without any success. Pointing out that passwords will be written down if they have to be changed often will not help much either. </p></htmltext>
<tokenext>A tough question , especially since " best practice " dictates that the password be changed often .
I did a little research into this and found that UNIX is actually the culprit for needing to change passwords often .
It seems that several years ago , the /etc/passwd file was world readable ( since it had to be read in order to log in ) , and that both the username and password were stored there .
( Now the passwords are stored in /etc/shadow which is not world readable .
) It was fairly simple for someone to download a passwd file and then run it through a dictionary cracker to find the passwords .
In the early 80 's it was found that a dedicated mainframe could crack any dictionary word in the passwd file in about eight weeks .
If the hacker only had access for a couple hours a day , it could take up to four months .
( If a complex password was used , it would take much longer or possibly never be cracked .
) Therefore , if a person changed his password every 30 days , he could be sure that by the time the hacker cracked his password , it had been changed .
However , as computers became more powerful , the time to crack passwords from a passwd file became less and less , so a better solution needed to be found .
One method was to separate the password from the username into a shadow file , and make sure that the shadow file was not world readable .
A cracker would need to break into the computer with root privileges in order to read the password file so that they could break into the computer .
Unfortunately , the above explanation is long , complicated , and goes against " best practices .
" I have tried pointing that out to several " Security experts " without any success .
Pointing out that passwords will be written down if they have to be changed often will not help much either .</tokentext>
<sentencetext>A tough question, especially since "best practice" dictates that the password be changed often.
I did a little research into this and found that UNIX is actually the culprit for needing to change passwords often.
It seems that several years ago, the /etc/passwd file was world readable (since it had to be read in order to log in), and that both the username and password were stored there.
(Now the passwords are stored in /etc/shadow which is not world readable.
) It was fairly simple for someone to download a passwd file and then run it through a dictionary cracker to find the passwords.
In the early 80's it was found that a dedicated mainframe could crack any dictionary word in the passwd file in about eight weeks.
If the hacker only had access for a couple hours a day, it could take up to four months.
(If a complex password was used, it would take much longer or possibly never be cracked.
) Therefore, if a person changed his password every 30 days, he could be sure that by the time the hacker cracked his password, it had been changed.
However, as computers became more powerful, the time to crack passwords from a passwd file became less and less, so a better solution needed to be found.
One method was to separate the password from the username into a shadow file, and make sure that the shadow file was not world readable.
A cracker would need to break into the computer with root privileges in order to read the password file so that they could break into the computer.
Unfortunately, the above explanation is long, complicated, and goes against "best practices.
" I have tried pointing that out to several "Security experts" without any success.
Pointing out that passwords will be written down if they have to be changed often will not help much either. </sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502788</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505378</id>
	<title>Re:This is not a "new" interpretation</title>
	<author>Anonymous</author>
	<datestamp>1268768280000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>The main reason people don't sync their data is that it's not trivial. Finding software that will do it well is a pain. Dealing with problems properly means keeping checksums on the files.</p></div><p>The free software on the WD externals is a single-button to cloning. Yep, totally painful to find that software which asks to autorun whenever you plug in the drive.</p>
	</htmltext>
<tokenext>The main reason people do n't sync their data is that it 's not trivial .
Finding software that will do it well is a pain .
Dealing with problems properly means keeping checksums on the files . The free software on the WD externals is a single-button to cloning .
Yep , totally painful to find that software which asks to autorun whenever you plug in the drive .</tokentext>
<sentencetext>The main reason people don't sync their data is that it's not trivial.
Finding software that will do it well is a pain.
Dealing with problems properly means keeping checksums on the files. The free software on the WD externals is a single-button to cloning.
Yep, totally painful to find that software which asks to autorun whenever you plug in the drive.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502478</id>
	<title>Re:This is not a "new" interpretation</title>
	<author>Anonymous</author>
	<datestamp>1268739600000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><blockquote><div><p>At some point, you reach a point of diminishing returns and it is wasteful to spend more on security</p></div></blockquote><p>And by "spend more", you mean install fewer screensavers.  99% of the time, security is something that you go to extra trouble to <em>take away</em> from a system, it's not something you spend money to add.</p>
	</htmltext>
<tokenext>At some point , you reach a point of diminishing returns and it is wasteful to spend more on security . And by " spend more " , you mean install fewer screensavers .
99 % of the time , security is something that you go to extra trouble to take away from a system , it 's not something you spend money to add .</tokentext>
<sentencetext>At some point, you reach a point of diminishing returns and it is wasteful to spend more on security. And by "spend more", you mean install fewer screensavers.
99% of the time, security is something that you go to extra trouble to take away from a system, it's not something you spend money to add.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505466</id>
	<title>Excellent article</title>
	<author>golodh</author>
	<datestamp>1268856600000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>I believe the underlying article by Michael Kassner is spot on.
<p>
What computer enthusiasts like to call "an end-user being lazy, stupid, and ignorant" is simply an end-user refusing to sink a lot of time into non-revenue activity that isn't even guaranteed to protect them. There really is no call to regard users as stupid because they're not interested in knowing a lot about their computer and only want to use it as a tool to do their (office) work and to surf or to connect to social networks.

</p><p>
For example the note that strong passwords don't help if someone is able to install a trojan (let alone a keylogger) on your machine (or network) is spot on. In order to rationally evaluate the benefit of having strong passwords a user would need to know the probabilities of his account or machine being attacked, and conditional on that, of the strength and sophistication of his attacker. Conditional on the sophistication of the attacker you get a different set of probabilities of his password being brute-forced or dictionary-guessed, or his machine being hijacked through vulnerabilities (whether zero-day, or simply unpatched).
</p><p>
In addition the recommendations for password length, composition, non-dictionary and non-sharing are one thing. However, together with this the recommendations to change it often, not to write it down, and not to re-use it across sites are very burdensome to users. And frankly unrealistic. Such rules are perceived more as a cheap cop-out on part of IT experts than helpful advice.
</p><p>
Being interested in, knowledgeable of, and spending time understanding and monitoring the workings of, your computer is a discretionary choice, not a compulsory one. Which is why e.g. Microsoft Windows still holds such overwhelming market share: they address the need for a computer in the role of a simple utility.
</p><p>
That piece about certificate errors and how to spot fake URLs is also spot on.
</p><p>
I'm afraid that the article hits the nail on the head: only computer enthusiasts, computer burglars, and IT professionals can rationally be expected to expend that much time and effort on being knowledgeable about and avoiding security pitfalls. Ordinary users really do make a rational decision in rejecting elaborate security measures, and asking for a simple and easy-to-follow set of rules in order to stay safe.
</p><p>
Unfortunately computer burglars adapt too. So any set of fixed rules will be met by an attack that's optimized to defeat it. Adherence to security rules may make life much harder for an attacker, and may even thwart 99% of all existing "dumbo attacks". However it takes only 1 attacker with a higher level of sophistication (or simply a bought zero-day exploit) to target you or your machine and you've lost anyway. In this light it's pretty reasonable to take a critical view of security advice and to reject it if it becomes too much of a hassle.
</p><p>
Something like that may be difficult to swallow for the average Slashdot reader though.</p></htmltext>
<tokenext>I believe the underlying article by Michael Kassner is spot on .
What computer enthusiasts like to call " an end-user being lazy , stupid , and ignorant " is simply an end-user refusing to sink a lot of time into non-revenue activity that is n't even guaranteed to protect them .
There really is no call to regard users as stupid because they 're not interested in knowing a lot about their computer and only want to use it as a tool to do their ( office ) work and to surf or to connect to social networks .
For example the note that strong passwords do n't help if someone is able to install a trojan ( let alone a keylogger ) on your machine ( or network ) is spot on .
In order to rationally evaluate the benefit of having strong passwords a user would need to know the probabilities of his account or machine being attacked , and conditional on that , of the strength and sophistication of his attacker .
Conditional on the sophistication of the attacker you get a different set of probabilities of his password being brute-forced or dictionary-guessed , or his machine being hijacked through vulnerabilities ( whether zero-day , or simply unpatched ) .
In addition the recommendations for password length , composition , non-dictionary and non-sharing are one thing .
However , together with this the recommendations to change it often , not to write it down , and not to re-use it across sites are very burdensome to users .
And frankly unrealistic .
Such rules are perceived more as a cheap cop-out on part of IT experts than helpful advice .
Being interested in , knowledgeable of , and spending time understanding and monitoring the workings of , your computer is a discretionary choice , not a compulsory one .
Which is why e.g .
Microsoft Windows still holds such overwhelming market share : they address the need for a computer in the role of a simple utility .
That piece about certificate errors and how to spot fake URLs is also spot on .
I 'm afraid that the article hits the nail on the head : only computer enthusiasts , computer burglars , and IT professionals can rationally be expected to expend that much time and effort on being knowledgeable about and avoiding security pitfalls .
Ordinary users really do make a rational decision in rejecting elaborate security measures , and asking for a simple and easy-to-follow set of rules in order to stay safe .
Unfortunately computer burglars adapt too .
So any set of fixed rules will be met by an attack that 's optimized to defeat it .
Adherence to security rules may make life much harder for an attacker , and may even thwart 99 % of all existing " dumbo attacks " .
However it takes only 1 attacker with a higher level of sophistication ( or simply a bought zero-day exploit ) to target you or your machine and you 've lost anyway .
In this light it 's pretty reasonable to take a critical view of security advice and to reject it if it becomes too much of a hassle .
Something like that may be difficult to swallow for the average Slashdot reader though .</tokentext>
<sentencetext>I believe the underlying article by Michael Kassner is spot on.
What computer enthusiasts like to call "an end-user being lazy, stupid, and ignorant" is simply an end-user refusing to sink a lot of time into non-revenue activity that isn't even guaranteed to protect them.
There really is no call to regard users as stupid because they're not interested in knowing a lot about their computer and only want to use it as a tool to do their (office) work and to surf or to connect to social networks.
For example the note that strong passwords don't help if someone is able to install a trojan (let alone a keylogger) on your machine (or network) is spot on.
In order to rationally evaluate the benefit of having strong passwords a user would need to know the probabilities of his account or machine being attacked, and conditional on that, of the strength and sophistication of his attacker.
Conditional on the sophistication of the attacker you get a different set of probabilities of his password being brute-forced or dictionary-guessed, or his machine being hijacked through vulnerabilities (whether zero-day, or simply unpatched).
In addition the recommendations for password length, composition, non-dictionary and non-sharing are one thing.
However, together with this the recommendations to change it often, not to write it down, and not to re-use it across sites are very burdensome to users.
And frankly unrealistic.
Such rules are perceived more as a cheap cop-out on part of IT experts than helpful advice.
Being interested in, knowledgeable of, and spending time understanding and monitoring the workings of, your computer is a discretionary choice, not a compulsory one.
Which is why e.g.
Microsoft Windows still holds such overwhelming market share: they address the need for a computer in the role of a simple utility.
That piece about certificate errors and how to spot fake URLs is also spot on.
I'm afraid that the article hits the nail on the head: only computer enthusiasts, computer burglars, and IT professionals can rationally be expected to expend that much time and effort on being knowledgeable about and avoiding security pitfalls.
Ordinary users really do make a rational decision in rejecting elaborate security measures, and asking for a simple and easy-to-follow set of rules in order to stay safe.
Unfortunately computer burglars adapt too.
So any set of fixed rules will be met by an attack that's optimized to defeat it.
Adherence to security rules may make life much harder for an attacker, and may even thwart 99% of all existing "dumbo attacks".
However it takes only 1 attacker with a higher level of sophistication (or simply a bought zero-day exploit) to target you or your machine and you've lost anyway.
In this light it's pretty reasonable to take a critical view of security advice and to reject it if it becomes too much of a hassle.
Something like that may be difficult to swallow for the average Slashdot reader though.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726</id>
	<title>Wasted time</title>
	<author>Ethanol-fueled</author>
	<datestamp>1268735580000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext>Average Joe User is cheap and lazy, that's a given. TFA:<blockquote><div><p>Users understand, there is no assurance that heeding advice will protect them from attacks.</p></div></blockquote><p>

What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.; if not bothering or paying somebody else to do it. I'd been toying around with Linux and Unix for years for business and personal use, but I finally switched for good when I realized that I was wasting more time with Windows than I would with a *NIX O.S.<br> <br>

Windows <i>can</i> be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ingorant user to use their computer. <br> <br>

Would Linux be more safe if it had greater than or equal to the market share of Windows? Is any home O.S. really safe as long as the user keeps clicking "yes" or "ok"? That's a whole other debate. The fact is that Linux, now, is much less of a hassle than Windows.</p></div>
	</htmltext>
<tokenext>Average Joe User is cheap and lazy , that 's a given .
TFA : Users understand , there is no assurance that heeding advice will protect them from attacks .
What does n't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out , while they waste hours and hours of their time and money cleaning out their Windows installs , setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles , and even reinstalling their O.S .
; if not bothering or paying somebody else to do it .
I 'd been toying around with Linux and Unix for years for business and personal use , but I finally switched for good when I realized that I was wasting more time with Windows than I would with a * NIX O.S .
Windows can be used safely and quickly without protection , but only by savvy users who do n't do any " real-world " stuff like torrent or allow the occasional ignorant user to use their computer .
Would Linux be more safe if it had greater than or equal to the market share of Windows ?
Is any home O.S .
really safe as long as the user keeps clicking " yes " or " ok " ?
That 's a whole other debate .
The fact is that Linux , now , is much less of a hassle than Windows .</tokentext>
<sentencetext>Average Joe User is cheap and lazy, that's a given.
TFA:Users understand, there is no assurance that heeding advice will protect them from attacks.
What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.
; if not bothering or paying somebody else to do it.
I'd been toying around with Linux and Unix for years for business and personal use, but I finally switched for good when I realized that I was wasting more time with Windows than I would with a *NIX O.S.
Windows can be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ignorant user to use their computer.
Would Linux be more safe if it had greater than or equal to the market share of Windows?
Is any home O.S.
really safe as long as the user keeps clicking "yes" or "ok"?
That's a whole other debate.
The fact is that Linux, now, is much less of a hassle than Windows.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502856</id>
	<title>Re:Interesting</title>
	<author>peragrin</author>
	<datestamp>1268741580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>$50 one time cost my ass.  I can't get that setup at work because Cisco has screwed up the settings three times and they charge every time it goes back even if they were the ones who fscked up the settings.  So I can't get wireless as it has cost our company some $300 more than what it should have the first time around.  Because you know who pays for shipping both ways?</p><p>Security that costs time and money once to implement is tough to get through; when you have to do it three more times because Cisco is staffed by morons, things get a lot more complicated.</p></htmltext>
<tokenext>$ 50 one time cost my ass .
I ca n't get that setup at work because Cisco has screwed up the settings three times and they charge every time it goes back even if they were the ones who fscked up the settings .
So I ca n't get wireless as it has cost our company some $ 300 more than what it should have the first time around .
Because you know who pays for shipping both ways ? Security that costs time and money once to implement is tough to get through ; when you have to do it three more times because Cisco is staffed by morons , things get a lot more complicated .</tokentext>
<sentencetext>$50 one time cost my ass.
I can't get that setup at work because Cisco has screwed up the settings three times and they charge every time it goes back even if they were the ones who fscked up the settings.
So I can't get wireless as it has cost our company some $300 more than what it should have the first time around.
Because you know who pays for shipping both ways?Security that costs time and money once to implement is tough to get through; when you have to do it three more times because Cisco is staffed by morons, things get a lot more complicated.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31514006</id>
	<title>Re:I used to agree with you ...</title>
	<author>Matt Perry</author>
	<datestamp>1268858820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>It turned out that an inside person had put a physical keylogger (USB pass-through device between computer and keyboard, ordered straight from China) on the Comptroller's computer one night and collected it <b>a week later</b></p></div> </blockquote><p>Are the users required to change their passwords every week? If not, just to play devil's advocate, if she had logged data for a month, or waited a week or two, it's likely that she would have been successful.</p>
	</htmltext>
<tokenext>It turned out that an inside person had put a physical keylogger ( USB pass-through device between computer and keyboard , ordered straight from China ) on the Comptroller 's computer one night and collected it a week later Are the users required to change their passwords every week ?
If not , just to play devil 's advocate , if she had logged data for a month , or waited a week or two , it 's likely that she would have been successful .</tokentext>
<sentencetext>It turned out that an inside person had put a physical keylogger (USB pass-through device between computer and keyboard, ordered straight from China) on the Comptroller's computer one night and collected it a week later Are the users required to change their passwords every week?
If not, just to play devil's advocate, if she had logged data for a month, or waited a week or two, it's likely that she would have been successful.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503238</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506924</id>
	<title>Re:Wasted time</title>
	<author>epine</author>
	<datestamp>1268832000000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Welcome to the school of tail wagging the dog.  What would the ROI calculation have looked like *before* you acquired that sound card when you effectively married yourself to the Windows culture and all that comes with it?  Five minutes well invested against the throes of consumption lust?</p><p>For that matter, why bother learning about birth control until *after* you discover you're not shooting blanks?</p><p>I was looking forward to reading this paper, because there are good arguments to be made about the externality burden.  This paper is not that paper.  Author seems to have a tin ear concerning second order effects.  Maybe SSL certificates are rarely faked because the mechanism grants the adversary a dominating response.  In game theory, one can't neglect the influence of moves never played.  That tends to correlate with the move being super kick ass when confronting an opponent with rational self-preservation.</p><p>I found the paper extremely self-serving to the Microsoft camp.  From a larger perspective, we should have engineered these systems in such a way that it was never a rational proposition for the black hats to invest so much in gaining expertise over its manipulation.  Not that this could have been forestalled indefinitely considering the value held within the network walls, but we certainly didn't have to make it so darn easy for the agents of darkness to self-finance their learning curve.</p><p>Now that it's a done deal, Microsoft finds all kinds of time for shirt-rending accounts of the TCO of learned-helplessness.</p><p>One more note.  I have to slap my forehead over all the effort invested in training people to use strong passwords.  
Password strength needs to grow by about six bits per decade, just to track Moore's law while the number of passwords a typical person requires seems to double every decade or so.</p><p>It's socially embarrassing to forget an important password because you were conscientious and didn't write it down.</p><p>The human brain doesn't scale to the demands of this security practice, and this has been obvious for thirty years.</p><p>The risk of key loggers forces one into making each password unique and significantly detracts from the notion of aggregating a huge basket of passwords onto OpenID.</p><p>If every human had 2kB of glucose backed NVRAM with thirty years guaranteed retention, life would be different.  We don't, and you can't educate this into existence.</p></htmltext>
<tokenext>Welcome to the school of tail wagging the dog .
What would the ROI calculation have looked like * before * you acquired that sound card when you effectively married yourself to the Windows culture and all that comes with it ?
Five minutes well invested against the throes of consumption lust ? For that matter , why bother learning about birth control until * after * you discover you 're not shooting blanks ? I was looking forward to reading this paper , because there are good arguments to be made about the externality burden .
This paper is not that paper .
Author seems to have a tin ear concerning second order effects .
Maybe SSL certificates are rarely faked because the mechanism grants the adversary a dominating response .
In game theory , one ca n't neglect the influence of moves never played .
That tends to correlate with the move being super kick ass when confronting an opponent with rational self-preservation.I found the paper extremely self-serving to the Microsoft camp .
From a larger perspective , we should have engineered these systems in such a way that it was never a rational proposition for the black hats to invest so much in gaining expertise over its manipulation .
Not that this could have been forestalled indefinitely considering the value held within the network walls , but we certainly did n't have to make it so darn easy for the agents of darkness to self-finance their learning curve.Now that it 's a done deal , Microsoft finds all kinds of time for shirt-rending accounts of the TCO of learned-helplessness.One more note .
I have to slap my forehead over all the effort invested in training people to use strong passwords .
Password strength needs to grow by about six bits per decade , just to track Moore 's law while the number of passwords a typical person requires seems to double every decade or so.It 's socially embarrassing to forget an important password because you were conscientious and did n't write it down.The human brain does n't scale to the demands of this security practice , and this has been obvious for thirty years.The risk of key loggers forces one into making each password unique and significantly detracts from the notion of aggregating a huge basket of passwords onto OpenID.If every human had 2kB of glucose backed NVRAM with thirty years guaranteed retention , life would be different .
We do n't , and you ca n't educate this into existence .</tokentext>
<sentencetext>Welcome to the school of tail wagging the dog.
What would the ROI calculation have looked like *before* you acquired that sound card when you effectively married yourself to the Windows culture and all that comes with it?
Five minutes well invested against the throes of consumption lust?For that matter, why bother learning about birth control until *after* you discover you're not shooting blanks?I was looking forward to reading this paper, because there are good arguments to be made about the externality burden.
This paper is not that paper.
Author seems to have a tin ear concerning second order effects.
Maybe SSL certificates are rarely faked because the mechanism grants the adversary a dominating response.
In game theory, one can't neglect the influence of moves never played.
That tends to correlate with the move being super kick ass when confronting an opponent with rational self-preservation.I found the paper extremely self-serving to the Microsoft camp.
From a larger perspective, we should have engineered these systems in such a way that it was never a rational proposition for the black hats to invest so much in gaining expertise over its manipulation.
Not that this could have been forestalled indefinitely considering the value held within the network walls, but we certainly didn't have to make it so darn easy for the agents of darkness to self-finance their learning curve.Now that it's a done deal, Microsoft finds all kinds of time for shirt-rending accounts of the TCO of learned-helplessness.One more note.
I have to slap my forehead over all the effort invested in training people to use strong passwords.
Password strength needs to grow by about six bits per decade, just to track Moore's law while the number of passwords a typical person requires seems to double every decade or so.It's socially embarrassing to forget an important password because you were conscientious and didn't write it down.The human brain doesn't scale to the demands of this security practice, and this has been obvious for thirty years.The risk of key loggers forces one into making each password unique and significantly detracts from the notion of aggregating a huge basket of passwords onto OpenID.If every human had 2kB of glucose backed NVRAM with thirty years guaranteed retention, life would be different.
We don't, and you can't educate this into existence.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501896</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502034</id>
	<title>Re:This is not a "new" interpretation</title>
	<author>Anonymous</author>
	<datestamp>1268737080000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext><p>They're dumber.</p></htmltext>
<tokenext>They 're dumber .</tokentext>
<sentencetext>They're dumber.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838</id>
	<title>This is not a "new" interpretation</title>
	<author>frinkster</author>
	<datestamp>1268736180000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>I can still remember the Computer Security professor telling the class on the very first day that computer security is a matter of economics.  How much does it cost to implement?  How much do you stand to lose if your security is broken and your "stuff" stolen?  At some point, you reach a point of diminishing returns and it is wasteful to spend more on security.</p><p>And in this context, time, effort, and inconvenience all have a significant cost that must be counted.</p><p>The average idiot computer user is not always as dumb as you think they are.</p></htmltext>
<tokenext>I can still remember the Computer Security professor telling the class on the very first day that computer security is a matter of economics .
How much does it cost to implement ?
How much do you stand to lose if your security is broken and your " stuff " stolen ?
At some point , you reach a point of diminishing returns and it is wasteful to spend more on security.And in this context , time , effort , and inconvenience all have a significant cost that must be counted.The average idiot computer user is not always as dumb as you think they are .</tokentext>
<sentencetext>I can still remember the Computer Security professor telling the class on the very first day that computer security is a matter of economics.
How much does it cost to implement?
How much do you stand to lose if your security is broken and your "stuff" stolen?
At some point, you reach a point of diminishing returns and it is wasteful to spend more on security.And in this context, time, effort, and inconvenience all have a significant cost that must be counted.The average idiot computer user is not always as dumb as you think they are.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31508934</id>
	<title>Re:Windows Joke</title>
	<author>DarthVain</author>
	<datestamp>1268842620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Not really. It is the other way around. Which is why MANAGERS like it. Replaceable staff.</p><p>Everyone and his dog has a MS certificate of some kind. You can also go and get one on a long weekend. Besides, most of the IT corporate world you deal with offers support in that. Be it your various software vendors, or your hardware lease.</p><p>Now try and go out and find good Linux staff. You actually usually have to find a CS graduate for god's sake! Not only that, replacing them is a bitch as you can't just hire any damn flunky out there. Because of all that, they actually wish to get paid also!</p><p>Seriously if you think IT folks make these decisions you're on crack. It is an easy choice for a Manager.</p></htmltext>
<tokenext>Not really .
It is the other way around .
Which is why MANAGERS like it .
Replaceable staff.Everyone and his dog has a MS certificate of some kind .
You can also go and get one on a long weekend .
Besides , most of the IT corporate world you deal with offers support in that .
Be it your various software vendors , or your hardware lease.Now try and go out and find good Linux staff .
You actually usually have to find a CS graduate for god 's sake !
Not only that , replacing them is a bitch as you ca n't just hire any damn flunky out there .
Because of all that , they actually wish to get paid also ! Seriously if you think IT folks make these decisions you 're on crack .
It is an easy choice for a Manager .</tokentext>
<sentencetext>Not really.
It is the other way around.
Which is why MANAGERS like it.
Replaceable staff.Everyone and his dog has a MS certificate of some kind.
You can also go and get one on a long weekend.
Besides, most of the IT corporate world you deal with offers support in that.
Be it your various software vendors, or your hardware lease.Now try and go out and find good Linux staff.
You actually usually have to find a CS graduate for god's sake!
Not only that, replacing them is a bitch as you can't just hire any damn flunky out there.
Because of all that, they actually wish to get paid also!Seriously if you think IT folks make these decisions you're on crack.
It is an easy choice for a Manager.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505470</id>
	<title>Re:Some security measures don't seem practical.</title>
	<author>rdnetto</author>
	<datestamp>1268856660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><blockquote><div><p>some of those hosts have passwords which expire every 30 days</p></div></blockquote><p>This is slightly off-topic, but I have to question how useful it is to require people to change their passwords often. Chances are, when someone breaks into your computer, they're going to leave a back door, so they can get in, regardless of the actual password. Anyone have any thoughts on that?</p></div><p>Is there even a need to leave a back door? After all, they can already break in...</p>
	</htmltext>
<tokenext>some of those hosts have passwords which expire every 30 daysThis is slightly off-topic , but I have to question how useful it is to require people to change their passwords often .
Chances are , when someone breaks into your computer , they 're going to leave a back door , so they can get in , regardless of the actual password .
Anyone have any thoughts on that ? Is there even a need to leave a back door ?
After all , they can already break in.. .</tokentext>
<sentencetext>some of those hosts have passwords which expire every 30 daysThis is slightly off-topic, but I have to question how useful it is to require people to change their passwords often.
Chances are, when someone breaks into your computer, they're going to leave a back door, so they can get in, regardless of the actual password.
Anyone have any thoughts on that?Is there even a need to leave a back door?
After all, they can already break in...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502346</id>
	<title>Re:Interesting</title>
	<author>thegrassyknowl</author>
	<datestamp>1268738700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>"who would want to go to the trouble of accessing our data? we have nothing sensitive"</p></div><p>Every computer has something sensitive on it or passing through it. The user probably accesses his Internet banking accounts from it, or his webmail. What really pissed me off when trying to convince users to do things more securely was that even after telling them that the bad guy doesn't care who they are because in many cases the bad guy is just a computer program that goes looking for low hanging fruit, they still used that same argument.</p><p>There is no helping some people. Security warnings are a pain for these people. They don't even read SSL certificate errors on their banking sites. They just keep clicking let me in let me in and submit their login details.</p><p>I've argued until I was blue in the face with people (with a title) more senior than me who simply refused to take 20 minutes per server they deployed to do basic tasks like ensure nothing was exposed to the Internet that didn't need to be and installing basic intrusion detection and having the logs sent to a remote secure log server. These same "senior IT experts" used the same argument as the poor clueless user. I've actually watched one of these 'experts' expose database ports to the greater Internet with no protection and not even change the default admin password that the distro set. Then the moron spends days wondering why his database was constantly being emptied out. 
When I pointed to the logs which clearly showed all the delete commands coming from an IP address with no place accessing our database he had the gall to tell me I was a liar and that nobody would want to do that to us because we were too small to care about.</p><p>If the so-called senior experts are spouting this argument to the users then how will the user ever learn?</p><p>The problem in the industry: there's a lot of people with little or no clue who installed Windows once or twice and are now out there providing "IT support and services". It's the blind leading the blind. The user doesn't want to go to the effort of being secure because it takes time and requires thinking. When some dickhead comes in and tells them that they aren't an important target and needn't worry, the user takes the easy path out. User education would work better if the message was clear and consistent.</p><p>As you can tell I hate these fly-by-night morons who think they are experts. I've worked with my fair share in the past and nothing shits me more than having to go in and clean up their mess, because it's usually something that was easily prevented and I shouldn't have to be wasting my time on.</p><p>I've also completely ignored the social aspect of the user which is that they assume that most everyone else is good and there are very few people out to get them. That's a hard one to get around, but usually explaining that one bad person with a computer can easily attack hundreds of people soon sorts that out. A bit of good old fashioned paranoia is useful in computer security.</p>
	</htmltext>
<tokenext>" who would want to go to the trouble of accessing our data ?
we have nothing sensitive " Every computer has something sensitive on it or passing through it .
The user probably accesses his Internet banking accounts from it , or his webmail .
What really pissed me off when trying to convince users to do things more securely was that even after telling them that the bad guy does n't care who they are because in many cases the bad guy is just a computer program that goes looking for low hanging fruit , they still used that same argument.There is no helping some people .
Security warnings are a pain for these people .
They do n't even read SSL certificate errors on their banking sites .
They just keep clicking let me in let me in and submit their login details.I 've argued until I was blue in the face with people ( with a title ) more senior than me who simply refused to take 20 minutes per server they deployed to do basic tasks like ensure nothing was exposed to the Internet that did n't need to be and installing basic intrusion detection and having the logs sent to a remote secure log server .
These same " senior IT experts " used the same argument as the poor clueless user .
I 've actually watched one of these 'experts ' expose database ports to the greater Internet with no protection and not even change the default admin password that the distro set .
Then the moron spends days wondering why his database was constantly being emptied out .
When I pointed to the logs which clearly showed all the delete commands coming from an IP address with no place accessing our database he had the gall to tell me I was a liar and that nobody would want to do that to us because we were too small to care about.If the so-called senior experts are spouting this argument to the users then how will the user ever learn ? The problem in the industry : there 's a lot of people with little or no clue who installed Windows once or twice and are now out there providing " IT support and services " .
It 's the blind leading the blind .
The user does n't want to go to the effort of being secure because it takes time and requires thinking .
When some dickhead comes in and tells them that they are n't an important target and need n't worry , the user takes the easy path out .
User education would work better if the message was clear and consistent.As you can tell I hate these fly-by-night morons who think they are experts .
I 've worked with my fair share in the past and nothing shits me more than having to go in and clean up their mess ; because it 's usually something that was easily prevented and I should n't have to be wasting my time on.I 've also completely ignored the social aspect of the user which is that they assume that most everyone else is good and there are very few people out to get them .
That 's a hard one to get around , but usually explaining that one bad person with a computer can easily attack hundreds of people soon sorts that out .
A bit of good old fashioned paranoia is useful in computer security .</tokentext>
<sentencetext>"who would want to go to the trouble of accessing our data?
we have nothing sensitive"Every computer has something sensitive on it or passing through it.
The user probably accesses his Internet banking accounts from it, or his webmail.
What really pissed me off when trying to convince users to do things more securely was that even after telling them that the bad guy doesn't care who they are because in many cases the bad guy is just a computer program that goes looking for low hanging fruit, they still used that same argument.There is no helping some people.
Security warnings are a pain for these people.
They don't even read SSL certificate errors on their banking sites.
They just keep clicking let me in let me in and submit their login details.I've argued until I was blue in the face with people (with a title) more senior than me who simply refused to take 20 minutes per server they deployed to do basic tasks like ensure nothing was exposed to the Internet that didn't need to be and installing basic intrusion detection and having the logs sent to a remote secure log server.
These same "senior IT experts" used the same argument as the poor clueless user.
I've actually watched one of these 'experts' expose database ports to the greater Internet with no protection and not even change the default admin password that the distro set.
Then the moron spends days wondering why his database was constantly being emptied out.
When I pointed to the logs which clearly showed all the delete commands coming from an IP address with no place accessing our database he had the gall to tell me I was a liar and that nobody would want to do that to us because we were too small to care about.If the so-called senior experts are spouting this argument to the users then how will the user ever learn?The problem in the industry: there's a lot of people with little or no clue who installed Windows once or twice and are now out there providing "IT support and services".
It's the blind leading the blind.
The user doesn't want to go to the effort of being secure because it takes time and requires thinking.
When some dickhead comes in and tells them that they aren't an important target and needn't worry, the user takes the easy path out.
User education would work better if the message was clear and consistent.As you can tell I hate these fly-by-night morons who think they are experts.
I've worked with my fair share in the past and nothing shits me more than having to go in and clean up their mess; because it's usually something that was easily prevented and I shouldn't have to be wasting my time on.I've also completely ignored the social aspect of the user which is that they assume that most everyone else is good and there are very few people out to get them.
That's a hard one to get around, but usually explaining that one bad person with a computer can easily attack hundreds of people soon sorts that out.
A bit of good old fashioned paranoia is useful in computer security.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503116</id>
	<title>Re:It's a fundamental human value calculation:</title>
	<author>Hatta</author>
	<datestamp>1268743500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>And since it only happens to other people</i></p><p>That right there is the fundamental problem.  What is it that keeps people from recognizing that other people are just like them?  If it happens to other people it can happen to you too.</p></htmltext>
<tokenext>And since it only happens to other people
That right there is the fundamental problem .
What is it that keeps people from recognizing that other people are just like them ?
If it happens to other people it can happen to you too .</tokentext>
<sentencetext>And since it only happens to other people
That right there is the fundamental problem.
What is it that keeps people from recognizing that other people are just like them?
If it happens to other people it can happen to you too.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504828</id>
	<title>Super locked down systems just lead to high tech w</title>
	<author>Joe The Dragon</author>
	<datestamp>1268759460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Super locked-down systems just lead to high tech work time and people bypassing the system just to get work done without having to sit on hold / wait for paperwork to get their job done.<br>And if your help desk spends all day just unlocking and re-locking stuff for users, you may be a little too locked down.</p></htmltext>
<tokenext>Super locked-down systems just lead to high tech work time and people bypassing the system just to get work done without having to sit on hold / wait for paperwork to get their job done .
And if your help desk spends all day just unlocking and re-locking stuff for users , you may be a little too locked down .</tokentext>
<sentencetext>Super locked-down systems just lead to high tech work time and people bypassing the system just to get work done without having to sit on hold / wait for paperwork to get their job done.
And if your help desk spends all day just unlocking and re-locking stuff for users, you may be a little too locked down.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502086</id>
	<title>The Boss speaks</title>
	<author>Anonymous</author>
	<datestamp>1268737380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>We know you work on the basis of economics, Tom, so, because of this breach you've caused, we'll be docking your pay for the next, ahhhh, 376,042 pay cycles. Thanks, you may go.</p></htmltext>
<tokenext>We know you work on the basis of economics , Tom , so , because of this breach you 've caused , we 'll be docking your pay for the next , ahhhh , 376,042 pay cycles .
Thanks , you may go .</tokentext>
<sentencetext>We know you work on the basis of economics, Tom, so, because of this breach you've caused, we'll be docking your pay for the next, ahhhh, 376,042 pay cycles.
Thanks, you may go.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503838</id>
	<title>so long and thanks...</title>
	<author>Anonymous</author>
	<datestamp>1268749800000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><i>The article doesn't talk about costs to others.</i>
<br>
Indeed, Herley's paper would probably be better titled "So long, and thanks for the externalities" -- for most end users (read: end users not in the IT dept), security countermeasures are not taken precisely because the majority of the cost is externalized, either to the business they work for, to the bank that will reimburse them for lost $$$, or to the world in general in the form of yet another botnet node.  The $120 they pay Geek Squad to clean their computer every now and again is a small portion of the overall cost of their lack of security.  Because they don't feel the full blow, they are less likely to modify their behavior. And that is the essence of what an externality is, AFAIK.
<br> <br>
Ultimately, I think the biggest problem with Herley's paper is the same problem a lot of economists have with "free agents" -- they make an argument that observed behavior is rational, and then assume that the actors are therefore behaving rationally.  In actuality, it's merely coincidence that the observed behavior is rational and there is therefore no reason to suspect that, in the future, choices will continue to be rational.
<br> <br>
This is most true for end users (businesses = econ/business people = trained to make decisions as economists... so big surprise they follow "rational models").  This is because even if observed behavior is consistent with rational choices, the choice is not made because it's rational. People get their information on computer security from hearsay and anti-virus advertisements, and often make emotional choices ("ZOMG EVIL HACKERZ, MEH IDENTITY!!!") that provide the path of least resistance ("look, Norton seems to claim it's a golden bullet, and I don't have to learn hard new stuff.")</htmltext>
<tokenext>The article does n't talk about costs to others .
Indeed , Herley 's paper would probably be better titled " So long , and thanks for the externalities " -- for most end users ( read : end users not in the IT dept ) , security countermeasures are not taken precisely because the majority of the cost is externalized , either to the business they work for , to the bank that will reimburse them for lost $ $ $ , or to the world in general in the form of yet another botnet node .
The $ 120 they pay Geek Squad to clean their computer every now and again is a small portion of the overall cost of their lack of security .
Because they do n't feel the full blow , they are less likely to modify their behavior .
And that is the essence of what an externality is , AFAIK .
Ultimately , I think the biggest problem with Herley 's paper is the same problem a lot of economists have with " free agents " -- they make an argument that observed behavior is rational , and then assume that the actors are therefore behaving rationally .
In actuality , it 's merely coincidence that the observed behavior is rational and there is therefore no reason to suspect that , in the future , choices will continue to be rational .
This is most true for end users ( businesses = econ/business people = trained to make decisions as economists... so big surprise they follow " rational models " ) .
This is because even if observed behavior is consistent with rational choices , the choice is not made because it 's rational .
People get their information on computer security from hearsay and anti-virus advertisements , and often make emotional choices ( " ZOMG EVIL HACKERZ , MEH IDENTITY ! ! ! " ) that provide the path of least resistance ( " look , Norton seems to claim it 's a golden bullet , and I do n't have to learn hard new stuff . " )</tokentext>
<sentencetext>The article doesn't talk about costs to others.
Indeed, Herley's paper would probably be better titled "So long, and thanks for the externalities" -- for most end users (read: end users not in the IT dept), security countermeasures are not taken precisely because the majority of the cost is externalized, either to the business they work for, to the bank that will reimburse them for lost $$$, or to the world in general in the form of yet another botnet node.
The $120 they pay Geek Squad to clean their computer every now and again is a small portion of the overall cost of their lack of security.
Because they don't feel the full blow, they are less likely to modify their behavior.
And that is the essence of what an externality is, AFAIK.
Ultimately, I think the biggest problem with Herley's paper is the same problem a lot of economists have with "free agents" -- they make an argument that observed behavior is rational, and then assume that the actors are therefore behaving rationally.
In actuality, it's merely coincidence that the observed behavior is rational and there is therefore no reason to suspect that, in the future, choices will continue to be rational.
This is most true for end users (businesses = econ/business people = trained to make decisions as economists... so big surprise they follow "rational models").
This is because even if observed behavior is consistent with rational choices, the choice is not made because it's rational.
People get their information on computer security from hearsay and anti-virus advertisements, and often make emotional choices ("ZOMG EVIL HACKERZ, MEH IDENTITY!!!") that provide the path of least resistance ("look, Norton seems to claim it's a golden bullet, and I don't have to learn hard new stuff.")</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804</id>
	<title>Windows Joke</title>
	<author>Anonymous</author>
	<datestamp>1268736060000</datestamp>
	<modclass>Funny</modclass>
	<modscore>3</modscore>
	<htmltext><p>Why do Employees like Microsoft Windows?<br>Employees like Microsoft Windows because they can have an excuse to be by the water cooler while the Technician re-installs their OS for them.</p><p>Why do Managers like Windows?<br>Windows allowed them to have the latest and greatest in computer hardware, largest hard drive, most memory, fastest CPU, and other new hardware.  With all this no Employee could remotely log in to their system and slow down the Screen Saver.  Because the Manager wanted to find out if the Cast-away escaped from the island.</p></htmltext>
<tokenext>Why do Employees like Microsoft Windows ?
Employees like Microsoft Windows because they can have an excuse to be by the water cooler while the Technician re-installs their OS for them .
Why do Managers like Windows ?
Windows allowed them to have the latest and greatest in computer hardware , largest hard drive , most memory , fastest CPU , and other new hardware .
With all this no Employee could remotely log in to their system and slow down the Screen Saver .
Because the Manager wanted to find out if the Cast-away escaped from the island .</tokentext>
<sentencetext>Why do Employees like Microsoft Windows?
Employees like Microsoft Windows because they can have an excuse to be by the water cooler while the Technician re-installs their OS for them.
Why do Managers like Windows?
Windows allowed them to have the latest and greatest in computer hardware, largest hard drive, most memory, fastest CPU, and other new hardware.
With all this no Employee could remotely log in to their system and slow down the Screen Saver.
Because the Manager wanted to find out if the Cast-away escaped from the island.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31526414</id>
	<title>Re:Another possibility...</title>
	<author>NeoSkandranon</author>
	<datestamp>1268942640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>the mentality comes from too many drama-documentaries on TV</p></htmltext>
<tokenext>the mentality comes from too many drama-documentaries on TV</tokentext>
<sentencetext>the mentality comes from too many drama-documentaries on TV</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503518</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31513198</id>
	<title>Common sense?</title>
	<author>Anonymous</author>
	<datestamp>1268855880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Is it just me or does this article simply sound like common sense? Users only follow procedures that benefit them. Theoretical attacks are theoretical while security policies are real and immediate. How is this news?</p></htmltext>
<tokenext>Is it just me or does this article simply sound like common sense ?
Users only follow procedures that benefit them .
Theoretical attacks are theoretical while security policies are real and immediate .
How is this news ?</tokentext>
<sentencetext>Is it just me or does this article simply sound like common sense?
Users only follow procedures that benefit them.
Theoretical attacks are theoretical while security policies are real and immediate.
How is this news?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505718</id>
	<title>Re:What's up with /. Headlines?</title>
	<author>Anonymous</author>
	<datestamp>1268817840000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Errrr....</p><p>1) considered - passive past participle, NOT gerund.<br>2) advice - collective noun, with SINGULAR inflection (in English - though many other European languages do indeed go plural here)</p><p>oh, and</p><p>3) the Law of Headlines Anywhere: compress maximum ideas into fewest words. Grammar and style are the two little kids in the corner with a black eye and fat lip.</p></htmltext>
<tokenext>Errrr....
1 ) considered - passive past participle , NOT gerund .
2 ) advice - collective noun , with SINGULAR inflection ( in English - though many other European languages do indeed go plural here )
oh , and
3 ) the Law of Headlines Anywhere : compress maximum ideas into fewest words .
Grammar and style are the two little kids in the corner with a black eye and fat lip .</tokentext>
<sentencetext>Errrr....
1) considered - passive past participle, NOT gerund.
2) advice - collective noun, with SINGULAR inflection (in English - though many other European languages do indeed go plural here)
oh, and
3) the Law of Headlines Anywhere: compress maximum ideas into fewest words.
Grammar and style are the two little kids in the corner with a black eye and fat lip.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502700</id>
	<title>Re:It's obvious</title>
	<author>Anonymous</author>
	<datestamp>1268740860000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Password aging is very useful for gradually and automatically removing passwords that have been "lent" to others and disabling accounts that should have been disabled (consultants, former employees, etc.).</p><p>I wish someone implemented a firewall with the same functionality. If a rule is not activated within NN days, it's automatically disabled.</p></htmltext>
<tokenext>Password aging is very useful for gradually and automatically removing passwords that have been " lent " to others and disabling accounts that should have been disabled ( consultants , former employees , etc. ) .
I wish someone implemented a firewall with the same functionality .
If a rule is not activated within NN days , it 's automatically disabled .</tokentext>
<sentencetext>Password aging is very useful for gradually and automatically removing passwords that have been "lent" to others and disabling accounts that should have been disabled (consultants, former employees, etc.).
I wish someone implemented a firewall with the same functionality.
If a rule is not activated within NN days, it's automatically disabled.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502066</id>
	<title>Simple Risk Matrix</title>
	<author>stewbacca</author>
	<datestamp>1268737260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>What is the probability my password will be hacked (low/medium/high)?</p><p>What is the impact if my password is hacked (none/moderate/severe)?</p><p>If I have a low probability of being compromised, and the outcome is moderate, then that is a low risk. If I have a high chance of being compromised and the impact is severe, that is a high risk.</p><p>The problem with these sorts of articles is not determining why people don't care about security, it's failing to take into account that a "low" risk rating on this matrix isn't worth the costs associated with protecting a system set up to prevent the "high" risk scenario I described.</p></htmltext>
<tokenext>What is the probability my password will be hacked ( low/medium/high ) ?
What is the impact if my password is hacked ( none/moderate/severe ) ?
If I have a low probability of being compromised , and the outcome is moderate , then that is a low risk .
If I have a high chance of being compromised and the impact is severe , that is a high risk .
The problem with these sorts of articles is not determining why people do n't care about security , it 's failing to take into account that a " low " risk rating on this matrix is n't worth the costs associated with protecting a system set up to prevent the " high " risk scenario I described .</tokentext>
<sentencetext>What is the probability my password will be hacked (low/medium/high)?
What is the impact if my password is hacked (none/moderate/severe)?
If I have a low probability of being compromised, and the outcome is moderate, then that is a low risk.
If I have a high chance of being compromised and the impact is severe, that is a high risk.
The problem with these sorts of articles is not determining why people don't care about security, it's failing to take into account that a "low" risk rating on this matrix isn't worth the costs associated with protecting a system set up to prevent the "high" risk scenario I described.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834</id>
	<title>It's a fundamental human value calculation:</title>
	<author>idontgno</author>
	<datestamp>1268736180000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>prevention is more expensive than repair/recovery/treatment</p><p>How? Any prevention effort requires some kind of cost, very often a continual and ongoing cost.</p><p>Whereas the cost of recovery is only necessary once the negative effect occurs. And since it only happens to other people, that means that the cost of not preventing is 0. Clear win.</p><p>Which explains a lot of epidemiology (low vaccination rates, high-risk behaviors spreading unstoppable diseases, etc.); economics (victims of fraud, high-risk investors, etc.); software development practices ("Release NOW" rather than quality).</p><p>Unless you can prove that the bad thing WILL happen without prevention, people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures.</p><p>Or, as others in this thread have put it, people are idiots.</p></htmltext>
<tokenext>prevention is more expensive than repair/recovery/treatment
How ?
Any prevention effort requires some kind of cost , very often a continual and ongoing cost .
Whereas the cost of recovery is only necessary once the negative effect occurs .
And since it only happens to other people , that means that the cost of not preventing is 0 .
Clear win .
Which explains a lot of epidemiology ( low vaccination rates , high-risk behaviors spreading unstoppable diseases , etc. ) ; economics ( victims of fraud , high-risk investors , etc. ) ; software development practices ( " Release NOW " rather than quality ) .
Unless you can prove that the bad thing WILL happen without prevention , people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures .
Or , as others in this thread have put it , people are idiots .</tokentext>
<sentencetext>prevention is more expensive than repair/recovery/treatment
How?
Any prevention effort requires some kind of cost, very often a continual and ongoing cost.
Whereas the cost of recovery is only necessary once the negative effect occurs.
And since it only happens to other people, that means that the cost of not preventing is 0.
Clear win.
Which explains a lot of epidemiology (low vaccination rates, high-risk behaviors spreading unstoppable diseases, etc.); economics (victims of fraud, high-risk investors, etc.); software development practices ("Release NOW" rather than quality).
Unless you can prove that the bad thing WILL happen without prevention, people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures.
Or, as others in this thread have put it, people are idiots.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505352</id>
	<title>Re:6. Change often</title>
	<author>Anonymous</author>
	<datestamp>1268767800000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The section mentions that systems have lockout policies for repeated failures.</p><p>The idea is that if your account will get locked for entering the wrong password, e.g. 5 times in a row, then you don't have to worry about someone brute forcing your password (or even intelligently using only dictionary words). As long as they can't guess it within the limit of the lockout policy, you're fine.</p><p>Consider the following algorithm for server authentication:</p><p>0. If a client logs in with a username + password on the first attempt: remember the IP for 1 month and give the user, when logging off, "forget about this computer" and "log off".<br>1. If a client makes only one attempt to enter a single username + password and it's wrong: ban the IP after 1 hour. The failure notice should explain that they must log in correctly within an hour or they will not be able to log in from this computer.<br>2. If a client makes one attempt to enter each of three usernames and none work: ban the IP after the third failure.<br>3. If an account has 10 failed attempts in a row, fail all future attempts not from whitelisted (0) addresses with a notice indicating all of the IPs + dates that have tried to attempt since the last successful login. The user will have to contact you out of band.</p><p>How would this work?<br>The average case for the user is #0, and that makes the user happy.</p><p>If the user has a password sniffer or rootkit on the computer from #0, it doesn't matter, the user is already screwed, so no protection for logins will be useful. As such, adding any "security requirements" for this threat is just cost for the user without benefit.</p><p>Case #1: an attacker is trying to be clever and tries to defeat your typical defense mechanisms by using a botnet. A botnet can have 4 million computers, and as long as we're willing to ban them all, that's OK. You will need to be able to store bans for 100 million computers (25 large botnets), and that's unfortunate, but maybe you can share this cost somehow.</p><p>Without case #1, each client can attack as many accounts as it likes for as long as it likes.</p><p>Harm to user because of case #1: normally the user will get his username and password correct: cost 0.<br>If the user doesn't get his username and password correct the first time, the user will try again; after all, the user needs to log in: cost about the same as if the rule wasn't present.</p><p>Case #2: an attacker decides to distribute attacks against different accounts. After three different accounts the client is blocked; this gives your average botnet 12 million attacks (annoying, but oh well). Note that as you probably have fewer than 12 million accounts, and clients are going to spend a lot of time guessing accounts that don't exist, most clients will be locked out before they guess a single valid account (let alone password), and therefore their harm to your users is 0 (minus storage cost, which you have if you have any logging anyway, and connection cost, which you have with or without this policy).</p><p>Without case #2, each client could attack as many accounts as it likes for as long as it likes.</p><p>Harm to user because of case #2: if the user typos his username, there are two chances to get it right with the correct password; the user will hopefully get it right the first time, cost minimal, and it's a cost the user was going to pay anyway. If the user gets it wrong too many times, your average defense system was going to lock the user out anyway, and the user was going to contact support, so you haven't changed anything.</p><p>Case #3: an attacker starts a targeted attack against a single user. The attacker gets 10 chances (distributed over 4-10 clients). As long as the password is strong enough to withstand 10 guesses, the account is protected, and when the user does try to log in, you're able to tell the user that someone has been attacking the user's account.</p><p>Without case #3, an attacker can try to attack an account for as long as it likes. In reality you almost certainly have a lock o</p></htmltext>
<tokenext>The section mentions that systems have lockout policies for repeated failures .
The idea is that if your account will get locked for entering the wrong password , e.g. 5 times in a row , then you do n't have to worry about someone brute forcing your password ( or even intelligently using only dictionary words ) .
As long as they ca n't guess it within the limit of the lockout policy , you 're fine .
Consider the following algorithm for server authentication :
0. If a client logs in with a username + password on the first attempt : remember the IP for 1 month and give the user , when logging off , " forget about this computer " and " log off " .
1. If a client makes only one attempt to enter a single username + password and it 's wrong : ban the IP after 1 hour .
The failure notice should explain that they must log in correctly within an hour or they will not be able to log in from this computer .
2. If a client makes one attempt to enter each of three usernames and none work : ban the IP after the third failure .
3. If an account has 10 failed attempts in a row , fail all future attempts not from whitelisted ( 0 ) addresses with a notice indicating all of the IPs + dates that have tried to attempt since the last successful login .
The user will have to contact you out of band .
How would this work ?
The average case for the user is # 0 , and that makes the user happy .
If the user has a password sniffer or rootkit on the computer from # 0 , it does n't matter , the user is already screwed , so no protection for logins will be useful .
As such , adding any " security requirements " for this threat is just cost for the user without benefit .
Case # 1 : an attacker is trying to be clever and tries to defeat your typical defense mechanisms by using a botnet .
A botnet can have 4 million computers , and as long as we 're willing to ban them all , that 's OK .
You will need to be able to store bans for 100 million computers ( 25 large botnets ) , and that 's unfortunate , but maybe you can share this cost somehow .
Without case # 1 , each client can attack as many accounts as it likes for as long as it likes .
Harm to user because of case # 1 : normally the user will get his username and password correct : cost 0 .
If the user does n't get his username and password correct the first time , the user will try again ; after all , the user needs to log in : cost about the same as if the rule was n't present .
Case # 2 : an attacker decides to distribute attacks against different accounts .
After three different accounts the client is blocked ; this gives your average botnet 12 million attacks ( annoying , but oh well ) .
Note that as you probably have fewer than 12 million accounts , and clients are going to spend a lot of time guessing accounts that do n't exist , most clients will be locked out before they guess a single valid account ( let alone password ) , and therefore their harm to your users is 0 ( minus storage cost , which you have if you have any logging anyway , and connection cost , which you have with or without this policy ) .
Without case # 2 , each client could attack as many accounts as it likes for as long as it likes .
Harm to user because of case # 2 : if the user typos his username , there are two chances to get it right with the correct password ; the user will hopefully get it right the first time , cost minimal , and it 's a cost the user was going to pay anyway .
If the user gets it wrong too many times , your average defense system was going to lock the user out anyway , and the user was going to contact support , so you have n't changed anything .
Case # 3 : an attacker starts a targeted attack against a single user .
The attacker gets 10 chances ( distributed over 4-10 clients ) .
As long as the password is strong enough to withstand 10 guesses , the account is protected , and when the user does try to log in , you 're able to tell the user that someone has been attacking the user 's account .
Without case # 3 , an attacker can try to attack an account for as long as it likes .
In reality you almost certainly have a lock o</tokentext>
<sentencetext>The section mentions that systems have lockout policies for repeated failures.
The idea is that if your account will get locked for entering the wrong password, e.g. 5 times in a row, then you don't have to worry about someone brute forcing your password (or even intelligently using only dictionary words).
As long as they can't guess it within the limit of the lockout policy, you're fine.
Consider the following algorithm for server authentication:
0. If a client logs in with a username + password on the first attempt: remember the IP for 1 month and give the user, when logging off, "forget about this computer" and "log off".
1. If a client makes only one attempt to enter a single username + password and it's wrong: ban the IP after 1 hour.
The failure notice should explain that they must log in correctly within an hour or they will not be able to log in from this computer.
2. If a client makes one attempt to enter each of three usernames and none work: ban the IP after the third failure.
3. If an account has 10 failed attempts in a row, fail all future attempts not from whitelisted (0) addresses with a notice indicating all of the IPs + dates that have tried to attempt since the last successful login.
The user will have to contact you out of band.
How would this work?
The average case for the user is #0, and that makes the user happy.
If the user has a password sniffer or rootkit on the computer from #0, it doesn't matter, the user is already screwed, so no protection for logins will be useful.
As such, adding any "security requirements" for this threat is just cost for the user without benefit.
Case #1: an attacker is trying to be clever and tries to defeat your typical defense mechanisms by using a botnet.
A botnet can have 4 million computers, and as long as we're willing to ban them all, that's OK.
You will need to be able to store bans for 100 million computers (25 large botnets), and that's unfortunate, but maybe you can share this cost somehow.
Without case #1, each client can attack as many accounts as it likes for as long as it likes.
Harm to user because of case #1: normally the user will get his username and password correct: cost 0.
If the user doesn't get his username and password correct the first time, the user will try again; after all, the user needs to log in: cost about the same as if the rule wasn't present.
Case #2: an attacker decides to distribute attacks against different accounts.
After three different accounts the client is blocked; this gives your average botnet 12 million attacks (annoying, but oh well).
Note that as you probably have fewer than 12 million accounts, and clients are going to spend a lot of time guessing accounts that don't exist, most clients will be locked out before they guess a single valid account (let alone password), and therefore their harm to your users is 0 (minus storage cost, which you have if you have any logging anyway, and connection cost, which you have with or without this policy).
Without case #2, each client could attack as many accounts as it likes for as long as it likes.
Harm to user because of case #2: if the user typos his username, there are two chances to get it right with the correct password; the user will hopefully get it right the first time, cost minimal, and it's a cost the user was going to pay anyway.
If the user gets it wrong too many times, your average defense system was going to lock the user out anyway, and the user was going to contact support, so you haven't changed anything.
Case #3: an attacker starts a targeted attack against a single user.
The attacker gets 10 chances (distributed over 4-10 clients).
As long as the password is strong enough to withstand 10 guesses, the account is protected, and when the user does try to log in, you're able to tell the user that someone has been attacking the user's account.
Without case #3, an attacker can try to attack an account for as long as it likes.
In reality you almost certainly have a lock o</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502196</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501810</id>
	<title>Re:Wasted time</title>
	<author>Goldberg's Pants</author>
	<datestamp>1268736060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Torrenting has nothing to do with it, that's for damn sure, unless you start downloading random EXE files and running them, and not doing that is just common sense. I think you need to draw a distinction between intelligent torrent users and fuckwits.</p><p>It's about intelligence. I don't run any anti-malware software beyond a small program that tells me when something is added to startup, services etc... (Even the hidden stuff we're not supposed to know about.) And that's it. In the last seven years I've had one incident of something getting through and it was relatively painless to fix.</p><p>I used Linux for years and would routinely have to fight with the graphics driver, stuff would randomly stop working... Also I'm a gamer, WINE just doesn't cut it, and the fact is Linux just doesn't do what I need a lot of the time so I stopped using it.</p></htmltext>
<tokenext>Torrenting has nothing to do with it , that 's for damn sure , unless you start downloading random EXE files and running them , and not doing that is just common sense .
I think you need to draw a distinction between intelligent torrent users and fuckwits .
It 's about intelligence .
I do n't run any anti-malware software beyond a small program that tells me when something is added to startup , services etc... ( Even the hidden stuff we 're not supposed to know about . ) And that 's it .
In the last seven years I 've had one incident of something getting through and it was relatively painless to fix .
I used Linux for years and would routinely have to fight with the graphics driver , stuff would randomly stop working... Also I 'm a gamer , WINE just does n't cut it , and the fact is Linux just does n't do what I need a lot of the time so I stopped using it .</tokentext>
<sentencetext>Torrenting has nothing to do with it, that's for damn sure, unless you start downloading random EXE files and running them, and not doing that is just common sense.
I think you need to draw a distinction between intelligent torrent users and fuckwits.
It's about intelligence.
I don't run any anti-malware software beyond a small program that tells me when something is added to startup, services etc... (Even the hidden stuff we're not supposed to know about.) And that's it.
In the last seven years I've had one incident of something getting through and it was relatively painless to fix.
I used Linux for years and would routinely have to fight with the graphics driver, stuff would randomly stop working... Also I'm a gamer, WINE just doesn't cut it, and the fact is Linux just doesn't do what I need a lot of the time so I stopped using it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503212</id>
	<title>However much you may try to 'rationalise' it...</title>
	<author>myowntrueself</author>
	<datestamp>1268744100000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Human beings are NOT 'rational animals'.</p><p>Any theory that depends on humans being rational agents is inevitably flawed.</p></htmltext>
<tokenext>Human beings are NOT 'rational animals' .
Any theory that depends on humans being rational agents is inevitably flawed .</tokentext>
<sentencetext>Human beings are NOT 'rational animals'.
Any theory that depends on humans being rational agents is inevitably flawed.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503984</id>
	<title>Re:Windows Joke</title>
	<author>mjwx</author>
	<datestamp>1268751360000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><blockquote><div><p>Why does IT like Windows?<br> <br>

Two words: Job security<br> <br>

Blunt and brutal as it sounds, I'm all for Windows in a work environment, even though I don't want to be subjected to it in my private space. Hey, at home I need to be productive! At work, I need to be certain I still have a job tomorrow. And, bluntly again, that's more secure with a system that acts "weird" from time to time and keeps failing on the user than with a system you set up once and run 'til the end of time. For crying out loud, Linux even does generation changes without aid from IT, can you imagine what that would mean to your job? Imagine Linux being used in office, with the new versions quietly installing themselves while all the software keeps working!<br> <br>

Tell me you don't prefer a system that needs YOU to go there and install it, then breaks every kind of compatibility and keeps you busy and employed for<nobr> <wbr></nobr>... well, at least 'til the next generation of system needs to be installed.</p></div>
</blockquote><p>

I agree with your principle but it applies to more than just Windows.<br> <br>

Put Linux onto everyone's computer and even if it works perfectly you will still have problems because you can't control users. Users will have problems no matter what, so tech support is always needed. Systems will need to be upgraded, logs need to be read so sysadmins will still be needed. Linux will not stop the business from needing/wanting new functionality or new software from being developed. Yes, the IT landscape would change radically (it does this on a regular basis anyway IMHO) if we all of a sudden switched to Linux but it would not kill job security for most IT workers.<br> <br>

Putting Linux onto most desktops would kill many current security headaches, but it will create some new ones and a few of the old ones will remain (social engineering attacks immediately spring to mind).</p></div>
	</htmltext>
<tokenext>Why does IT like Windows ?
Two words : Job security Blunt and brutal as it sounds , I 'm all for Windows in a work environment , even though I do n't want to be subjected to it in my private space .
Hey , at home I need to be productive !
At work , I need to be certain I still have a job tomorrow .
And , bluntly again , that 's more secure with a system that acts " weird " from time to time and keeps failing on the user than with a system you set up once and run 'til the end of time .
For crying out loud , Linux even does generation changes without aid from IT , can you imagine what that would mean to your job ?
Imagine Linux being used in office , with the new versions quietly installing themselves while all the software keeps working !
Tell me you do n't prefer a system that needs YOU to go there and install it , then breaks every kind of compatibility and keeps you busy and employed for ... well , at least 'til the next generation of system needs to be installed .
I agree with your principle but it applies to more than just Windows .
Put Linux onto everyone 's computer and even if it works perfectly you will still have problems because you ca n't control users .
Users will have problems no matter what , so tech support is always needed .
Systems will need to be upgraded , logs need to be read so sysadmins will still be needed .
Linux will not stop the business from needing/wanting new functionality or new software from being developed .
Yes the IT landscape would change radically ( it does this on a regular basis anyway IMHO ) if we all of a sudden switched to Linux but it would not kill job security for most IT workers .
Putting Linux onto most desktops would kill many current security headaches , but it will create some new ones and a few of the old ones will remain ( social engineering attacks immediately spring to mind ) .</tokentext>
<sentencetext>Why does IT like Windows?
Two words: Job security 

Blunt and brutal as it sounds, I'm all for Windows in a work environment, even though I don't want to be subjected to it in my private space.
Hey, at home I need to be productive!
At work, I need to be certain I still have a job tomorrow.
And, bluntly again, that's more secure with a system that acts "weird" from time to time and keeps failing on the user than with a system you set up once and run 'til the end of time.
For crying out loud, Linux even does generation changes without aid from IT, can you imagine what that would mean to your job?
Imagine Linux being used in office, with the new versions quietly installing themselves while all the software keeps working!
Tell me you don't prefer a system that needs YOU to go there and install it, then breaks every kind of compatibility and keeps you busy and employed for ... well, at least 'til the next generation of system needs to be installed.
I agree with your principle but it applies to more than just Windows.
Put Linux onto everyone's computer and even if it works perfectly you will still have problems because you can't control users.
Users will have problems no matter what, so tech support is always needed.
Systems will need to be upgraded, logs need to be read so sysadmins will still be needed.
Linux will not stop the business from needing/wanting new functionality or new software from being developed.
Yes the IT landscape would change radically (it does this on a regular basis anyway IMHO) if we all of a sudden switched to Linux but it would not kill job security for most IT workers.
Putting Linux onto most desktops would kill many current security headaches, but it will create some new ones and a few of the old ones will remain (social engineering attacks immediately spring to mind).
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31507094</id>
	<title>Re:Interesting</title>
	<author>Anonymous</author>
	<datestamp>1268833320000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut and firing up nmap and pull down the customer DB, or fire up Metasploit.</p></div><p>Well, that's not something they really have to worry about...<br>What they don't know is that I've actually been actively managing their security for years, from my apartment across the street. I run a Tor node off their wireless, you see, and it's in my interests to make sure their network doesn't go down... and by extension their work-critical systems also need to stay up. Otherwise some consultant will have to come in, might set up proper security or even discover what I'm using it for, and THEN how am I supposed to download all my child porn, send my terrorist communiques, command my botnets, or troll on slashdot?</p><p>Trust me, security is a real headache you DON'T need. The best way to prevent becoming a victim of the "mob" is to become an asset of the "mob".</p></div>
	</htmltext>
<tokenext>All it takes is one malicious kid , who likes credit card numbers , waiting for a haircut and firing up nmap and pull down the customer DB , or fire up Metasploit .
Well , that 's not something they really have to worry about...
What they do n't know is that I 've actually been actively managing their security for years , from my apartment across the street .
I run a Tor node off their wireless , you see , and it 's in my interests to make sure their network does n't go down... and by extension their work-critical systems also need to stay up .
Otherwise some consultant will have to come in , might set up proper security or even discover what I 'm using it for , and THEN how am I supposed to download all my child porn , send my terrorist communiques , command my botnets , or troll on slashdot ?
Trust me , security is a real headache you DO N'T need .
The best way to prevent becoming a victim of the " mob " is to become an asset of the " mob " .</tokentext>
<sentencetext>All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut and firing up nmap and pull down the customer DB, or fire up Metasploit.
Well, that's not something they really have to worry about...
What they don't know is that I've actually been actively managing their security for years, from my apartment across the street.
I run a Tor node off their wireless, you see, and it's in my interests to make sure their network doesn't go down... and by extension their work-critical systems also need to stay up.
Otherwise some consultant will have to come in, might set up proper security or even discover what I'm using it for, and THEN how am I supposed to download all my child porn, send my terrorist communiques, command my botnets, or troll on slashdot?
Trust me, security is a real headache you DON'T need.
The best way to prevent becoming a victim of the "mob" is to become an asset of the "mob".
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502170</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503148</id>
	<title>It's not that, baby ...</title>
	<author>PPH</author>
	<datestamp>1268743620000</datestamp>
	<modclass>Funny</modclass>
	<modscore>3</modscore>
	<htmltext><p>I just can't feel the 'Net if I'm using protection.</p></htmltext>
<tokenext>I just ca n't feel the 'Net if I 'm using protection .</tokentext>
<sentencetext>I just can't feel the 'Net if I'm using protection.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503580</id>
	<title>the typical user has no incentive</title>
	<author>Anonymous</author>
	<datestamp>1268747100000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I used to work in a restaurant.  The manager always wondered why his employees wasted so much food and used equipment roughly.  At 16, I went through a prodigious amount of glassware.  Why weren't we careful?  Because it was a pain.  It took time.  The manager wanted us to get things done as fast as possible.  Many of us didn't like the company and felt a little better if something broke.  Occasionally something big would break, or we'd run out of an ingredient early, and that was ok too--we then had less work to do.</p><p>There's not a lot of incentive for someone to take the trouble to change their password each month and to use difficult characters, and when such a thing becomes mandatory, they'll write it on a post-it note and stick it to their monitor.  When the boss yells at people with post-its on their monitor, the employee will email the password and account name to themselves.</p><p>People do good work when they love their work.  If you fire all your workers who don't love their work, you won't have many workers.  There's always going to be a gradient.</p></htmltext>
<tokenext>I used to work in a restaurant .
The manager always wondered why his employees wasted so much food and used equipment roughly .
At 16 , I went through a prodigious amount of glassware .
Why were n't we careful ?
Because it was a pain .
It took time .
The manager wanted us to get things done as fast as possible .
Many of us did n't like the company and felt a little better if something broke .
Occasionally something big would break , or we 'd run out of an ingredient early , and that was ok too--we then had less work to do .
There 's not a lot of incentive for someone to take the trouble to change their password each month and to use difficult characters , and when such a thing becomes mandatory , they 'll write it on a post-it note and stick it to their monitor .
When the boss yells at people with post-its on their monitor , the employee will email the password and account name to themselves .
People do good work when they love their work .
If you fire all your workers who do n't love their work , you wo n't have many workers .
There 's always going to be a gradient .</tokentext>
<sentencetext>I used to work in a restaurant.
The manager always wondered why his employees wasted so much food and used equipment roughly.
At 16, I went through a prodigious amount of glassware.
Why weren't we careful?
Because it was a pain.
It took time.
The manager wanted us to get things done as fast as possible.
Many of us didn't like the company and felt a little better if something broke.
Occasionally something big would break, or we'd run out of an ingredient early, and that was ok too--we then had less work to do.
There's not a lot of incentive for someone to take the trouble to change their password each month and to use difficult characters, and when such a thing becomes mandatory, they'll write it on a post-it note and stick it to their monitor.
When the boss yells at people with post-its on their monitor, the employee will email the password and account name to themselves.
People do good work when they love their work.
If you fire all your workers who don't love their work, you won't have many workers.
There's always going to be a gradient.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672</id>
	<title>Re:Windows Joke</title>
	<author>Anonymous</author>
	<datestamp>1268740680000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>Why does IT like Windows?</p><p>Two words: Job security</p><p>Blunt and brutal as it sounds, I'm all for Windows in a work environment, even though I don't want to be subjected to it in my private space. Hey, at home I need to be productive! At work, I need to be certain I still have a job tomorrow. And, bluntly again, that's more secure with a system that acts "weird" from time to time and keeps failing on the user than with a system you set up once and run 'til the end of time. For crying out loud, Linux even does generation changes without aid from IT, can you imagine what that would mean to your job? Imagine Linux being used in office, with the new versions quietly installing themselves while all the software keeps working!</p><p>Tell me you don't prefer a system that needs YOU to go there and install it, then breaks every kind of compatibility and keeps you busy and employed for<nobr> <wbr></nobr>... well, at least 'til the next generation of system needs to be installed.</p></htmltext>
<tokenext>Why does IT like Windows ?
Two words : Job security
Blunt and brutal as it sounds , I 'm all for Windows in a work environment , even though I do n't want to be subjected to it in my private space .
Hey , at home I need to be productive !
At work , I need to be certain I still have a job tomorrow .
And , bluntly again , that 's more secure with a system that acts " weird " from time to time and keeps failing on the user than with a system you set up once and run 'til the end of time .
For crying out loud , Linux even does generation changes without aid from IT , can you imagine what that would mean to your job ?
Imagine Linux being used in office , with the new versions quietly installing themselves while all the software keeps working !
Tell me you do n't prefer a system that needs YOU to go there and install it , then breaks every kind of compatibility and keeps you busy and employed for ... well , at least 'til the next generation of system needs to be installed .</tokentext>
<sentencetext>Why does IT like Windows?
Two words: Job security
Blunt and brutal as it sounds, I'm all for Windows in a work environment, even though I don't want to be subjected to it in my private space.
Hey, at home I need to be productive!
At work, I need to be certain I still have a job tomorrow.
And, bluntly again, that's more secure with a system that acts "weird" from time to time and keeps failing on the user than with a system you set up once and run 'til the end of time.
For crying out loud, Linux even does generation changes without aid from IT, can you imagine what that would mean to your job?
Imagine Linux being used in office, with the new versions quietly installing themselves while all the software keeps working!
Tell me you don't prefer a system that needs YOU to go there and install it, then breaks every kind of compatibility and keeps you busy and employed for ... well, at least 'til the next generation of system needs to be installed.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506386</id>
	<title>Re:Windows Joke</title>
	<author>Caetel</author>
	<datestamp>1268825940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>At least for in-house support, the majority of the calls I receive are PEBKAC rather than system issues. I can't imagine how introducing an OS which is foreign to most people is going to reduce that number.</htmltext>
<tokenext>At least for in-house support , the majority of the calls I receive are PEBKAC rather than system issues .
I ca n't imagine how introducing an OS which is foreign to most people is going to reduce that number .</tokentext>
<sentencetext>At least for in-house support, the majority of the calls I receive are PEBKAC rather than system issues.
I can't imagine how introducing an OS which is foreign to most people is going to reduce that number.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505078</id>
	<title>Re:Some security measures don't seem practical.</title>
	<author>Anonymous</author>
	<datestamp>1268762940000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>If there's a lockout-after-N-attempts function, frequent password rotation is largely redundant; the threat being brute-force attacks, either method will reduce the likelihood of that attack succeeding.  In addition, frequent rotation is more likely to make people use minimally-qualifying passwords (Rutab3ga, Carr0t, C3lery) and/or write down passwords on post-its under their keyboards.  Lockout functions generally come with logging, and long-term patterns of repeated lockouts (or even almost-lockouts) can be investigated: is it just someone who's a horrid typist getting stuck, or is someone trying to run a quiet, long-term brute-force attack?</p><p>I worked in a school district some years ago that was having a problem with break-in vandalism.  Turned out, someone had nicked a key at some point and was just going in through a service door in the evening to make a damn mess.  They changed the locks and reminded teachers to lock their classroom doors, but within a year, the master keys got stolen again.  It took them changing the locks three times before they finally installed a camera system (this was the late 80's, so cc cameras weren't standard institutional equipment).  Meanwhile, everyone was drowning in outdated keys, and with each additional cycle, the staff's willingness to duplicate and share keys against district policy increased.  Hiring a night guard would have worked as well as the cameras, but the thing that was needed was human attention -- someone to notice and identify offenders.  Locks just weren't going to stop creative malevolence indefinitely, and the same applies to network security.  The cameras mostly didn't get checked -- the tapes were usually overwritten monthly without having been played back, but the night break-ins stopped.</p></htmltext>
<tokenext>If there 's a lockout-after-N-attempts function , frequent password rotation is largely redundant ; the threat being brute-force attacks , either method will reduce the likelihood of that attack succeeding .
In addition , frequent rotation is more likely to make people use minimally-qualifying passwords ( Rutab3ga , Carr0t , C3lery ) and/or write down passwords on post-its under their keyboards .
Lockout functions generally come with logging , and long-term patterns of repeated lockouts ( or even almost-lockouts ) can be investigated : is it just someone who 's a horrid typist getting stuck , or is someone trying to run a quiet , long-term brute-force attack ?
I worked in a school district some years ago that was having a problem with break-in vandalism .
Turned out , someone had nicked a key at some point and was just going in through a service door in the evening to make a damn mess .
They changed the locks and reminded teachers to lock their classroom doors , but within a year , the master keys got stolen again .
It took them changing the locks three times before they finally installed a camera system ( this was the late 80 's , so cc cameras were n't standard institutional equipment ) .
Meanwhile , everyone was drowning in outdated keys , and with each additional cycle , the staff 's willingness to duplicate and share keys against district policy increased .
Hiring a night guard would have worked as well as the cameras , but the thing that was needed was human attention -- someone to notice and identify offenders .
Locks just were n't going to stop creative malevolence indefinitely , and the same applies to network security .
The cameras mostly did n't get checked -- the tapes were usually overwritten monthly without having been played back , but the night break-ins stopped .</tokentext>
<sentencetext>If there's a lockout-after-N-attempts function, frequent password rotation is largely redundant; the threat being brute-force attacks, either method will reduce the likelihood of that attack succeeding.
In addition, frequent rotation is more likely to make people use minimally-qualifying passwords (Rutab3ga, Carr0t, C3lery) and/or write down passwords on post-its under their keyboards.
Lockout functions generally come with logging, and long-term patterns of repeated lockouts (or even almost-lockouts) can be investigated: is it just someone who's a horrid typist getting stuck, or is someone trying to run a quiet, long-term brute-force attack?
I worked in a school district some years ago that was having a problem with break-in vandalism.
Turned out, someone had nicked a key at some point and was just going in through a service door in the evening to make a damn mess.
They changed the locks and reminded teachers to lock their classroom doors, but within a year, the master keys got stolen again.
It took them changing the locks three times before they finally installed a camera system (this was the late 80's, so cc cameras weren't standard institutional equipment).
Meanwhile, everyone was drowning in outdated keys, and with each additional cycle, the staff's willingness to duplicate and share keys against district policy increased.
Hiring a night guard would have worked as well as the cameras, but the thing that was needed was human attention -- someone to notice and identify offenders.
Locks just weren't going to stop creative malevolence indefinitely, and the same applies to network security.
The cameras mostly didn't get checked -- the tapes were usually overwritten monthly without having been played back, but the night break-ins stopped.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501836</id>
	<title>Bad summary</title>
	<author>guspasho</author>
	<datestamp>1268736180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>Of course it's economics.</i> That's what every cost/benefit analysis is. Economics is just another word for the other "researcher's ideas", not any kind of challenge or refutation of them.</p><p>Are there no remarkable findings in the linked article worth reporting? Sure sounds like it to me.</p></htmltext>
<tokenext>Of course it 's economics .
That 's what every cost/benefit analysis is .
Economics is just another word for the other " researcher 's ideas " , not any kind of challenge or refutation of them .
Are there no remarkable findings in the linked article worth reporting ?
Sure sounds like it to me .</tokentext>
<sentencetext>Of course it's economics.
That's what every cost/benefit analysis is.
Economics is just another word for the other "researcher's ideas", not any kind of challenge or refutation of them.
Are there no remarkable findings in the linked article worth reporting?
Sure sounds like it to me.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501914</id>
	<title>This exists in every facet of life</title>
	<author>Meshach</author>
	<datestamp>1268736480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The recent story from Canada about the <a href="http://www.theglobeandmail.com/news/national/what-happened-isnt-going-to-stop-me-sledder-says/article1501661/" title="theglobeandmail.com">group of snowmobile riders who triggered an avalanche that killed a few of them</a> [theglobeandmail.com].  The risk was obvious.  Environment Canada had issued an avalanche risk warning.  But the guys went out anyways.<br> <br>
Some people will always not do the right thing.  No matter how obvious it may be.</htmltext>
<tokenext>The recent story from Canada about the group of snowmobile riders who triggered an avalanche that killed a few of them [ theglobeandmail.com ] .
The risk was obvious .
Environment Canada had issued an avalanche risk warning .
But the guys went out anyways .
Some people will always not do the right thing .
No matter how obvious it may be .</tokentext>
<sentencetext>The recent story from Canada about the group of snowmobile riders who triggered an avalanche that killed a few of them [theglobeandmail.com].
The risk was obvious.
Environment Canada had issued an avalanche risk warning.
But the guys went out anyways.
Some people will always not do the right thing.
No matter how obvious it may be.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504882</id>
	<title>Re:good advice versus bad advice; costs to others</title>
	<author>williamhb</author>
	<datestamp>1268760180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>The paper is not entirely unreasonable. However, there are at least some holes in it.

It lumps good and bad security advice together. The economic benefit of following bad security advice (e.g., buying antivirus software) is zero or negative, so of course anybody would be rational to ignore such advice. That doesn't mean it should be lumped together with *good* security advice.</p></div><p>I'm sorry but it does.  It's the "market for lemons" effect.  The user cannot tell good advice from bad until after they've invested attention and effort into it (thoroughly reading, understanding, and evaluating something is, economically, effort) -- so rationally when they first see it they have to treat it all as suspect advice.</p></div>
	</htmltext>
<tokenext>The paper is not entirely unreasonable .
However , there are at least some holes in it .
It lumps good and bad security advice together .
The economic benefit of following bad security advice ( e.g. , buying antivirus software ) is zero or negative , so of course anybody would be rational to ignore such advice .
That does n't mean it should be lumped together with * good * security advice .
I 'm sorry but it does .
It 's the " market for lemons " effect .
The user can not tell good advice from bad until after they 've invested attention and effort into it ( thoroughly reading , understanding , and evaluating something is , economically , effort ) -- so rationally when they first see it they have to treat it all as suspect advice .</tokentext>
<sentencetext>The paper is not entirely unreasonable.
However, there are at least some holes in it.
It lumps good and bad security advice together.
The economic benefit of following bad security advice (e.g., buying antivirus software) is zero or negative, so of course anybody would be rational to ignore such advice.
That doesn't mean it should be lumped together with *good* security advice.
I'm sorry but it does.
It's the "market for lemons" effect.
The user cannot tell good advice from bad until after they've invested attention and effort into it (thoroughly reading, understanding, and evaluating something is, economically, effort) -- so rationally when they first see it they have to treat it all as suspect advice.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502330</id>
	<title>Re:And it's often NOT worth it.</title>
	<author>Anonymous</author>
	<datestamp>1268738640000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>How about YOUR 7 year old's on YOUR home network?</p></htmltext>
<tokenext>How about YOUR 7 year old 's on YOUR home network ?</tokentext>
<sentencetext>How about YOUR 7 year old's on YOUR home network?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502110</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503534</id>
	<title>Re:This is not a "new" interpretation</title>
	<author>syousef</author>
	<datestamp>1268746740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>One big one, particularly for home users, is inaccurate discounting of costs that are either in the future, uncertain, or both. An $80 external HDD can substantially reduce your risk of losing files to disk failure. A shockingly small number of people, even people with actual money, who have data that are valuable or at least sentimental. The risks just aren't in their face; but the price tag is, so they don't do it.</p></div><p>Bad example. The main reason people don't sync their data is that it's not trivial. Finding software that will do it well is a pain. Dealing with problems properly means keeping checksums on the files. Meanwhile software alters the working copy of your data (e.g. music library updated from the net or photos where metadata is added). Keeping track of which copy is good is non-trivial. Doing it properly means a 3rd off site copy is a good idea.</p><p>I should know - I have over 250,000 photos in my library over around 10 years and I haven't lost one that made it to the computer yet.</p>
	</htmltext>
<tokenext>One big one , particularly for home users , is inaccurate discounting of costs that are either in the future , uncertain , or both .
An $ 80 external HDD can substantially reduce your risk of losing files to disk failure .
A shockingly small number of people , even people with actual money , who have data that are valuable or at least sentimental .
The risks just are n't in their face ; but the price tag is , so they do n't do it .
Bad example .
The main reason people do n't sync their data is that it 's not trivial .
Finding software that will do it well is a pain .
Dealing with problems properly means keeping checksums on the files .
Meanwhile software alters the working copy of your data ( e.g. music library updated from the net or photos where metadata is added ) .
Keeping track of which copy is good is non-trivial .
Doing it properly means a 3rd off site copy is a good idea .
I should know - I have over 250,000 photos in my library over around 10 years and I have n't lost one that made it to the computer yet .
<sentencetext>One big one, particularly for home users, is inaccurate discounting of costs that are either in the future, uncertain, or both.
An $80 external HDD can substantially reduce your risk of losing files to disk failure.
A shockingly small number of people, even people with actual money, who have data that are valuable or at least sentimental.
The risks just aren't in their face; but the price tag is, so they don't do it.
Bad example.
The main reason people don't sync their data is that it's not trivial.
Finding software that will do it well is a pain.
Dealing with problems properly means keeping checksums on the files.
Meanwhile software alters the working copy of your data (e.g. music library updated from the net or photos where metadata is added).
Keeping track of which copy is good is non-trivial.
Doing it properly means a 3rd off site copy is a good idea.
I should know - I have over 250,000 photos in my library over around 10 years and I haven't lost one that made it to the computer yet.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502134</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503570</id>
	<title>Re:What's up with /. Headlines?</title>
	<author>KingOfTheDustBunnies</author>
	<datestamp>1268747040000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><div class="quote"><p>Users Rejecting Security Advice Considered Rational</p></div><p>noun gerund noun noun gerund adjective - WTF!?</p></div><p>Nope.  Noun participle noun noun participle adjective.</p><p>Maybe I'm just getting old, but I think headlines everywhere have become significantly more opaque in the last decade.  This one is actually better than average, having (I think) only two plausible interpretations.</p><div class="quote"><p>Users reject security advice, that are considered rational</p></div><p>Now that reads like a headline from Xinhua.</p>
	</htmltext>
<tokenext>Users Rejecting Security Advice Considered Rationalnoun gerund noun noun gerund adjective - WTF ! ? Nope .
Noun participle noun noun participle adjective.Maybe I 'm just getting old , but I think headlines everywhere have become significantly more opaque in the last decade .
This one is actually better than average , having ( I think ) only two plausible interpretations.Users reject security advice , that are considered rationalNow that reads like a headline from Xinhua .</tokentext>
<sentencetext>Users Rejecting Security Advice Considered Rationalnoun gerund noun noun gerund adjective - WTF!?Nope.
Noun participle noun noun participle adjective.Maybe I'm just getting old, but I think headlines everywhere have become significantly more opaque in the last decade.
This one is actually better than average, having (I think) only two plausible interpretations.Users reject security advice, that are considered rationalNow that reads like a headline from Xinhua.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504496</id>
	<title>Re:What's up with /. Headlines?</title>
	<author>Anonymous</author>
	<datestamp>1268756040000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>um really, how about;</p><p>Users Reject Security Advice That <b>Is</b> Considered Rational</p><p>you could use <i>Advices</i>, but that's terrible English. And capitals for headlines, please.</p></htmltext>
<tokenext>um really , how about ; Users Reject Security Advice That Is Considered Rationalyou could use Advices , but that 's terrible English .
And capitals for headlines , please .</tokentext>
<sentencetext>um really, how about;Users Reject Security Advice That Is Considered Rationalyou could use Advices, but that's terrible English.
And capitals for headlines, please.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503314</id>
	<title>Re:Interesting</title>
	<author>Anonymous</author>
	<datestamp>1268744940000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>But in that instance they're just being dumb. All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut and firing up nmap and pull down the customer DB, or fire up Metasploit.</p></div><p>Why risk angering the nice man who's about to be holding a razor to your throat?</p>
	</htmltext>
<tokenext>But in that instance they 're just being dumb .
All it takes is one malicious kid , who likes credit card numbers , waiting for a haircut and firing up nmap and pull down the customer DB , or fire up Metasploit .
Why risk angering the nice man who 's about to be holding a razor to your throat ?</tokentext>
<sentencetext>But in that instance they're just being dumb.
All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut and firing up nmap and pull down the customer DB, or fire up Metasploit.
Why risk angering the nice man who's about to be holding a razor to your throat?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502170</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503478</id>
	<title>Re:Some security measures don't seem practical.</title>
	<author>Mr Thinly Sliced</author>
	<datestamp>1268746140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>but I have to question how useful it is to require people to change their passwords often.</p></div></blockquote><p>I think the idea is keep the attack window for brute forcing a password as slim as possible.</p><p>Assuming they can only make so many attempts with a specified time window - changing the password after 30 days or less means any attacker only has that window in which to work their way through their dictionary and character sequences. After that time they've got to start again.</p><p>In practice of course they might not know when that 30 day window starts or ends - which reduces the window even further.</p><p>Basically - not changing the password at all means I can spend 6 months brute forcing a password - probably at a rate that you might not see the network activity (presumably login failures would get noticed - but that depends on if the service in question correctly logs the failures).</p>
	</htmltext>
<tokenext>but I have to question how useful it is to require people to change their passwords often.I think the idea is keep the attack window for brute forcing a password as slim as possible.Assuming they can only make so many attempts with a specified time window - changing the password after 30 days or less means any attacker only has that window in which to work their way through their dictionary and character sequences .
After that time they 've got to start again.In practice of course they might not know when that 30 day window starts or ends - which reduces the window even further.Basically - not changing the password at all means I can spend 6 months brute forcing a password - probably at a rate that you might not see the network activity ( presumably login failures would get noticed - but that depends on if the service in question correctly logs the failures ) .</tokentext>
<sentencetext>but I have to question how useful it is to require people to change their passwords often.I think the idea is keep the attack window for brute forcing a password as slim as possible.Assuming they can only make so many attempts with a specified time window - changing the password after 30 days or less means any attacker only has that window in which to work their way through their dictionary and character sequences.
After that time they've got to start again.In practice of course they might not know when that 30 day window starts or ends - which reduces the window even further.Basically - not changing the password at all means I can spend 6 months brute forcing a password - probably at a rate that you might not see the network activity (presumably login failures would get noticed - but that depends on if the service in question correctly logs the failures).
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904</parent>
</comment>
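The attack-window argument in the comment above can be checked numerically. The following Python is an added example written for this thread, not code from the commenter, from Herley's paper or from any project. The rate limit, candidate-space size and lifetimes it uses are constructed assumptions, and the function names (window_success_probability, campaign_success_probability, compare_policies) are hypothetical. It computes the chance that an online guessing attacker, held to a per-account rate limit, succeeds within one password lifetime, and then across a longer campaign that spans several rotations, including the case where the attacker does not know when the rotation period started.

```python
"""Online password-guessing model for the 'attack window' argument.

Added example, not code from the thread or from Herley's paper. Every number
below is a constructed assumption for illustration:
  * the attacker guesses online against a login endpoint that limits each
    account to GUESSES_PER_DAY attempts (a lockout or rate-limit policy);
  * the password is drawn uniformly from KEYSPACE candidates and the attacker
    never repeats a guess while the same password is in place;
  * on rotation the user picks a fresh, independent password, so the
    attacker's progress through the candidate list resets.
"""

GUESSES_PER_DAY = 100      # constructed: a lockout policy allowing roughly 4 tries per hour
KEYSPACE = 1_000_000       # constructed: a one-million-entry candidate list


def window_success_probability(guesses_per_day, keyspace, window_days):
    """Chance the attacker hits the current password within one window of window_days."""
    if not window_days > 0:
        return 0.0
    covered = guesses_per_day * window_days        # distinct candidates tried in the window
    return min(1.0, covered / keyspace)


def campaign_success_probability(guesses_per_day, keyspace, lifetime_days,
                                 campaign_days, start_offset_days=0):
    """Chance of at least one success over a campaign spanning several lifetimes.

    start_offset_days models the attacker not knowing the rotation phase: the
    first window is cut short by however far into the lifetime the attack starts.
    """
    if not (lifetime_days > start_offset_days >= 0):
        raise ValueError("start offset must lie inside one password lifetime")
    first = min(campaign_days, lifetime_days - start_offset_days)
    full_cycles, tail = divmod(campaign_days - first, lifetime_days)
    windows = [first] + [lifetime_days] * full_cycles + [tail]
    # each window is an independent draw of a fresh password, so the
    # campaign fails only if every window fails
    fail = 1.0
    for days in windows:
        fail *= 1.0 - window_success_probability(guesses_per_day, keyspace, days)
    return 1.0 - fail


def compare_policies(campaign_days=180):
    """Return (rotate every 30 days, never rotate) success probabilities."""
    rotated = campaign_success_probability(GUESSES_PER_DAY, KEYSPACE, 30, campaign_days)
    unrotated = window_success_probability(GUESSES_PER_DAY, KEYSPACE, campaign_days)
    return rotated, unrotated


if __name__ == "__main__":
    for lifetime in (30, 90, 180):
        p = campaign_success_probability(GUESSES_PER_DAY, KEYSPACE, lifetime, 180)
        print(f"rotate every {lifetime:3d} days: P(success in 180 days) = {p:.4f}")
    p_never = window_success_probability(GUESSES_PER_DAY, KEYSPACE, 180)
    print(f"never rotate:         P(success in 180 days) = {p_never:.4f}")
```

Under these assumptions rotation does shorten each individual window, but because every new password is a fresh draw the cumulative probability over a 180-day campaign comes out only marginally below the never-rotate figure (about 0.0179 versus 0.018 with the constructed numbers); the rate limit and the size of the candidate space are what dominate. The place rotation clearly pays off is the one the paper's Rule 6 passage names: it bounds how long a password that has already been compromised by other means stays usable.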
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502134</id>
	<title>Re:This is not a "new" interpretation</title>
	<author>fuzzyfuzzyfungus</author>
	<datestamp>1268737620000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext>There are complications, though. Humans are, by the standards of mostly bipedal hunter/gatherer savannah dwelling apes, actually pretty decent at playing "rational actor"; but that isn't the same as being one. Even simple things like the fact that "90% chance of success" can elicit a different emotional response than "10% chance of failure" come down to limited rationality, and the picture isn't all that much prettier elsewhere.<br> <br>

One big one, particularly for home users, is inaccurate discounting of costs that are either in the future, uncertain, or both. An $80 external HDD can substantially reduce your risk of losing files to disk failure. A shockingly small number of people, even people with actual money, who have data that are valuable or at least sentimental. The risks just aren't in their face; but the price tag is, so they don't do it.<br> <br>

The other thing, again most likely an artefact of inherited historical limitations to human cognition, is the difficulty that people have understanding the implications of <i>automation</i> for their likelihood of being attacked. To the degree that joe user has a threat model at all, it tends to be the classic man-is-a-social-animal naive theory that <i>a person</i> is attacking, or might be attacking him. He then shrugs, and says "I couldn't possibly be worth the effort." and does nothing. If cracking PCs was something done one-by-one, with manual labor, furiously typing to guess the passwords and break through the code walls just like in the movies, he'd be completely correct. However, since the vast majority of online attacks are largely automated, the naive threat model is bunk (for physical attacks, the naive model is probably mostly correct. Planting trojans on unattended laptops in public is almost as risky, and far less lucrative, than simply stealing them. Jealous spouses, asshole roommates, fucked-up middle school social dynamics and the like, though, provide ample motive for the sorts of attacks performed with physical access on home machines).</htmltext>
<tokenext>There are complications , though .
Humans are , by the standards of mostly bipedal hunter/gatherer savannah dwelling apes , actually pretty decent at playing " rational actor " ; but that is n't the same as being one .
Even simple things like the fact that " 90 % chance of success " can elicit a different emotional response than " 10 % chance of failure " come down to limited rationality , and the picture is n't all that much prettier elsewhere .
One big one , particularly for home users , is inaccurate discounting of costs that are either in the future , uncertain , or both .
An $ 80 external HDD can substantially reduce your risk of losing files to disk failure .
A shockingly small number of people , even people with actual money , who have data that are valuable or at least sentimental .
The risks just are n't in their face ; but the price tag is , so they do n't do it .
The other thing , again most likely an artefact of inherited historical limitations to human cognition , is the difficulty that people have understanding the implications of automation for their likelihood of being attacked .
To the degree that joe user has a threat model at all , it tends to be the classic man-is-a-social-animal naive theory that a person is attacking , or might be attacking him .
He then shrugs , and says " I could n't possibly be worth the effort .
" and does nothing .
If cracking PCs was something done one-by-one , with manual labor , furiously typing to guess the passwords and break through the code walls just like in the movies , he 'd be completely correct .
However , since the vast majority of online attacks are largely automated , the naive threat model is bunk ( for physical attacks , the naive model is probably mostly correct .
Planting trojans on unattended laptops in public is almost as risky , and far less lucrative , than simply stealing them .
Jealous spouses , asshole roommates , fucked-up middle school social dynamics and the like , though , provide ample motive for the sorts of attacks performed with physical access on home machines ) .</tokentext>
<sentencetext>There are complications, though.
Humans are, by the standards of mostly bipedal hunter/gatherer savannah dwelling apes, actually pretty decent at playing "rational actor"; but that isn't the same as being one.
Even simple things like the fact that "90% chance of success" can elicit a different emotional response than "10% chance of failure" come down to limited rationality, and the picture isn't all that much prettier elsewhere.
One big one, particularly for home users, is inaccurate discounting of costs that are either in the future, uncertain, or both.
An $80 external HDD can substantially reduce your risk of losing files to disk failure.
A shockingly small number of people, even people with actual money, who have data that are valuable or at least sentimental.
The risks just aren't in their face; but the price tag is, so they don't do it.
The other thing, again most likely an artefact of inherited historical limitations to human cognition, is the difficulty that people have understanding the implications of automation for their likelihood of being attacked.
To the degree that joe user has a threat model at all, it tends to be the classic man-is-a-social-animal naive theory that a person is attacking, or might be attacking him.
He then shrugs, and says "I couldn't possibly be worth the effort.
" and does nothing.
If cracking PCs was something done one-by-one, with manual labor, furiously typing to guess the passwords and break through the code walls just like in the movies, he'd be completely correct.
However, since the vast majority of online attacks are largely automated, the naive threat model is bunk (for physical attacks, the naive model is probably mostly correct.
Planting trojans on unattended laptops in public is almost as risky, and far less lucrative, than simply stealing them.
Jealous spouses, asshole roommates, fucked-up middle school social dynamics and the like, though, provide ample motive for the sorts of attacks performed with physical access on home machines).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502588</id>
	<title>Re:This is not a "new" interpretation</title>
	<author>nine-times</author>
	<datestamp>1268740080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Well people also misunderstand the whole idea of security; the point isn't really to make unauthorized access impossible.  The point is to make it difficult, annoying, problematic, likely that you'll get caught trying to gain access-- in other words, to make attaining unauthorized access "not worth it" to prospective attackers.

</p><p>So first you want to know who the prospective attackers are, what their skill set is, and how motivated they'll be to gain access.  If your possible attackers are very skilled and very motivated, then you need to make gaining unauthorized access harder, increase the chances that anyone who tries will be caught.  If your likely attackers are unmotivated amateurs, then you reach the level of diminishing returns much more quickly.

</p><p>But I guess that part of the point here might be, when your IT guy tells a user to tighten security and the user doesn't follow instructions, how stupid is the user?  The claim seems to be, "He's not stupid.  It's just that the IT guy has motivation to increase security and the user doesn't."  Fair enough.

</p><p>On the other hand, even if users are making rational decisions, I'm not sure they're making them for rational reasons.  You could convince me that it's often in a user's best interest to defy their company's IT guy, but you won't convince me that users never do these things simply out of defiance and even spite.</p></htmltext>
<tokenext>Well people also misunderstand the whole idea of security ; the point is n't really to make unauthorized access impossible .
The point is to make it difficult , annoying , problematic , likely that you 'll get caught trying to gain access-- in other words , to make attaining unauthorized access " not worth it " to prospective attackers .
So first you want to know who the prospective attackers are , what their skill set is , and how motivated they 'll be to gain access .
If your possible attackers are very skilled and very motivated , then you need to make gaining unauthorized access harder , increase the chances that anyone who tries will be caught .
If your likely attackers are unmotivated amateurs , then you reach the level of diminishing returns much more quickly .
But I guess that part of the point here might be , when your IT guy tells a user to tighten security and the user does n't follow instructions , how stupid is the user ?
The claim seems to be , " He 's not stupid .
It 's just that the IT guy has motivation to increase security and the user does n't .
" Fair enough .
On the other hand , even if users are making rational decisions , I 'm not sure they 're making them for rational reasons .
You could convince me that it 's often in a user 's best interest to defy their company 's IT guy , but you wo n't convince me that users never do these things simply out of defiance and even spite .</tokentext>
<sentencetext>Well people also misunderstand the whole idea of security; the point isn't really to make unauthorized access impossible.
The point is to make it difficult, annoying, problematic, likely that you'll get caught trying to gain access-- in other words, to make attaining unauthorized access "not worth it" to prospective attackers.
So first you want to know who the prospective attackers are, what their skill set is, and how motivated they'll be to gain access.
If your possible attackers are very skilled and very motivated, then you need to make gaining unauthorized access harder, increase the chances that anyone who tries will be caught.
If your likely attackers are unmotivated amateurs, then you reach the level of diminishing returns much more quickly.
But I guess that part of the point here might be, when your IT guy tells a user to tighten security and the user doesn't follow instructions, how stupid is the user?
The claim seems to be, "He's not stupid.
It's just that the IT guy has motivation to increase security and the user doesn't.
"  Fair enough.
On the other hand, even if users are making rational decisions, I'm not sure they're making them for rational reasons.
You could convince me that it's often in a user's best interest to defy their company's IT guy, but you won't convince me that users never do these things simply out of defiance and even spite.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504386</id>
	<title>HINT:</title>
	<author>Dorsai65</author>
	<datestamp>1268754900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It isn't just ONE thing, or even <em>mostly</em> one. It's varying permutations of varying degrees of all of the above, depending on the user, OS, risk(s), and solutions available.</htmltext>
<tokenext>It is n't just ONE thing , or even mostly one .
It 's varying permutations of varying degrees of all of the above , depending on the user , OS , risk ( s ) , and solutions available .</tokentext>
<sentencetext>It isn't just ONE thing, or even mostly one.
It's varying permutations of varying degrees of all of the above, depending on the user, OS, risk(s), and solutions available.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502110</id>
	<title>And it's often NOT worth it.</title>
	<author>gestalt_n_pepper</author>
	<datestamp>1268737440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Am I going to spend a lot of time on a 7 year old's game PC protecting it from being added to the botnet army of darkness on its latest evil crusade for human souls? Frankly, why the hell would I care?</p></htmltext>
<tokenext>Am I going to spend a lot of time on a 7 year old 's game PC protecting it from being added to the botnet army of darkness on its latest evil crusade for human souls ?
Frankly , why the hell would I care ?</tokentext>
<sentencetext>Am I going to spend a lot of time on a 7 year old's game PC protecting it from being added to the botnet army of darkness on its latest evil crusade for human souls?
Frankly, why the hell would I care?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504368</id>
	<title>Taking a harder line on phishing-friendly sites</title>
	<author>Animats</author>
	<datestamp>1268754600000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>
On the phishing front, it's useful to stop blaming the end user, and blame the site that hosted the phishing page.
</p><p>
For some time, I've encouraged taking a harder line on phishing-friendly sites, sites that host phishing pages. I had a <a href="http://www.sitetruth.com/public/nagle_blacklist_metrics01.pdf" title="sitetruth.com">paper</a> [sitetruth.com] on this at the 2008 MIT Spam Conference.
At SiteTruth, we take the position that one phishing page blacklists the whole second-level domain.  Here's the current list of <a href="http://www.sitetruth.com/reports/phishes.html" title="sitetruth.com">major domains being exploited by active phishing scams</a> [sitetruth.com].
</p><p>
The free hosting sites and the "short URL" sites show up on the blacklist regularly.  After much nagging and some press coverage, most of them are now very aggressive about kicking off phishing pages, and they don't stay on for long.  The better ones now read PhishTank and the APWG blacklist automatically and kick off anything that shows up.  Currently, Google is in the doghouse, because they've recently entered the "free hosting business" without adequate phishing defenses.  See <a href="http://www.phishtank.com/phish_detail.php?phish_id=929343" title="phishtank.com">this abuse of Google Spreadsheets.</a> [phishtank.com]
</p><p>
At the moment, "t35.com", a free hosting service, is the site most abused in this way, by a large margin.  I've contacted their people.  The problem is that they're being attacked by a program, and they're cleaning up by hand.  Right now, they're hosting 545 known phishing pages.   Nobody else is even in double digits.  "piczo.com" (a social network/free hosting service for teenage girls) was the last big victim, but they're gradually getting the problem under control.
</p><p>
A Draconian blacklisting policy may seem harsh, but it encourages site operators of easily-exploited sites to be very aggressive about dealing with the problem.   We're seeing more free hosting sites with a "click here if this is abuse" button on every page.  The number of people who have to be educated to deal with the problem in this way is in the hundreds, not the hundreds of millions.  So it's a solvable problem.
</p><p>
If you're going to blame the victim, this is the way to go at it.</p></htmltext>
<tokenext>On the phishing front , it 's useful to stop blaming the end user , and blame the site that hosted the phishing page .
For some time , I 've encouraged taking a harder line on phishing-friendly sites , sites that host phishing pages .
I had a paper [ sitetruth.com ] on this at the 2008 MIT Spam Conference .
At SiteTruth , we take the position that one phishing page blacklists the whole second-level domain .
Here 's the current list of major domains being exploited by active phishing scams [ sitetruth.com ] .
The free hosting sites and the " short URL " sites show up on the blacklist regularly .
After much nagging and some press coverage , most of them are now very aggressive about kicking off phishing pages , and they do n't stay on for long .
The better ones now read PhishTank and the APWG blacklist automatically and kick off anything that shows up .
Currently , Google is in the doghouse , because they 've recently entered the " free hosting business " without adequate phishing defenses .
See this abuse of Google Spreadsheets .
[ phishtank.com ] At the moment , " t35.com " , a free hosting service , is the site most abused in this way , by a large margin .
I 've contacted their people .
The problem is that they 're being attacked by a program , and they 're cleaning up by hand .
Right now , they 're hosting 545 known phishing pages .
Nobody else is even in double digits .
" piczo.com " ( a social network/free hosting service for teenage girls ) was the last big victim , but they 're gradually getting the problem under control .
A Draconian blacklisting policy may seem harsh , but it encourages site operators of easily-exploited sites to be very aggressive about dealing with the problem .
We 're seeing more free hosting sites with a " click here if this is abuse " button on every page .
The number of people who have to be educated to deal with the problem in this way is in the hundreds , not the hundreds of millions .
So it 's a solvable problem .
If you 're going to blame the victim , this is the way to go at it .</tokentext>
<sentencetext>
On the phishing front, it's useful to stop blaming the end user, and blame the site that hosted the phishing page.
For some time, I've encouraged taking a harder line on phishing-friendly sites, sites that host phishing pages.
I had a paper [sitetruth.com] on this at the 2008 MIT Spam Conference.
At SiteTruth, we take the position that one phishing page blacklists the whole second-level domain.
Here's the current list of major domains being exploited by active phishing scams [sitetruth.com].
The free hosting sites and the "short URL" sites show up on the blacklist regularly.
After much nagging and some press coverage, most of them are now very aggressive about kicking off phishing pages, and they don't stay on for long.
The better ones now read PhishTank and the APWG blacklist automatically and kick off anything that shows up.
Currently, Google is in the doghouse, because they've recently entered the "free hosting business" without adequate phishing defenses.
See this abuse of Google Spreadsheets.
[phishtank.com]

At the moment, "t35.com", a free hosting service, is the site most abused in this way, by a large margin.
I've contacted their people.
The problem is that they're being attacked by a program, and they're cleaning up by hand.
Right now, they're hosting 545 known phishing pages.
Nobody else is even in double digits.
"piczo.com" (a social network/free hosting service for teenage girls) was the last big victim, but they're gradually getting the problem under control.
A Draconian blacklisting policy may seem harsh, but it encourages site operators of easily-exploited sites to be very aggressive about dealing with the problem.
We're seeing more free hosting sites with a "click here if this is abuse" button on every page.
The number of people who have to be educated to deal with the problem in this way is in the hundreds, not the hundreds of millions.
So it's a solvable problem.
If you're going to blame the victim, this is the way to go at it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502196</id>
	<title>6. Change often</title>
	<author>hrimhari</author>
	<datestamp>1268737980000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>4</modscore>
	<htmltext><p>TFA:</p><div class="quote"><p>Rule 6 will help only if the attacker waits weeks before exploiting the password. So this amplifies the burden for little gain. Only if it is changed between the time of the compromise and the time of the attempted exploit does Rule 6 help.</p></div><p>IANASE, but last time I checked this rule meant to make it difficult for attackers to have time to brute-force-guess the password and profit from it. It had nothing to do with the attacker discovering the password then waiting quietly until nobody's looking to profit from it.</p><p>In theory, if you change your password often enough before the brute-force being complete, the attacker would have to start all over again.</p><p>That said, it's an extremely difficult rule to enforce/comply with, unless you have a wonderful "I forgot my password" system.</p>
	</htmltext>
<tokenext>TFA : Rule 6 will help only if the attacker waits weeks before exploiting the password .
So this amplifies the burden for little gain .
Only if it is changed between the time of the compromise and the time of the attempted exploit does Rule 6 help .
IANASE , but last time I checked this rule meant to make it difficult for attackers to have time to brute-force-guess the password and profit from it .
It had nothing to do with the attacker discovering the password then waiting quietly until nobody 's looking to profit from it .
In theory , if you change your password often enough before the brute-force being complete , the attacker would have to start all over again .
That said , it 's an extremely difficult rule to enforce/comply with , unless you have a wonderful " I forgot my password " system .</tokentext>
<sentencetext>TFA: Rule 6 will help only if the attacker waits weeks before exploiting the password.
So this amplifies the burden for little gain.
Only if it is changed between the time of the compromise and the time of the attempted exploit does Rule 6 help.
IANASE, but last time I checked this rule meant to make it difficult for attackers to have time to brute-force-guess the password and profit from it.
It had nothing to do with the attacker discovering the password then waiting quietly until nobody's looking to profit from it.
In theory, if you change your password often enough before the brute-force being complete, the attacker would have to start all over again.
That said, it's an extremely difficult rule to enforce/comply with, unless you have a wonderful "I forgot my password" system.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503902</id>
	<title>Re:Windows Joke</title>
	<author>flappinbooger</author>
	<datestamp>1268750460000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext>The other day the sarcastic side of me was wishing I could send a thank-you card to Russia and/or China and/or the Koobface gang.  The rogue security tools are great for business.  <br> <br>Then, perhaps a fruit basket to the Symantec gang for producing completely useless and overpriced crap software that overly trusting people rely on.  <br> <br>Carry on!<br> <br>No, really, I am all about helping people and fixing their computers as effectively and quickly as possible, but.... wow.... just wow.</htmltext>
<tokenext>The other day the sarcastic side of me was wishing I could send a thank-you card to Russia and/or China and/or the Koobface gang .
The rogue security tools are great for business .
Then , perhaps a fruit basket to the Symantec gang for producing completely useless and overpriced crap software that overly trusting people rely on .
Carry on !
No , really , I am all about helping people and fixing their computers as effectively and quickly as possible , but.... wow.... just wow .</tokentext>
<sentencetext>The other day the sarcastic side of me was wishing I could send a thank-you card to Russia and/or China and/or the Koobface gang.
The rogue security tools are great for business.
Then, perhaps a fruit basket to the Symantec gang for producing completely useless and overpriced crap software that overly trusting people rely on.
Carry on!
No, really, I am all about helping people and fixing their computers as effectively and quickly as possible, but.... wow.... just wow.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504008</id>
	<title>The Best Security is Worthlessness</title>
	<author>Anonymous</author>
	<datestamp>1268751600000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I have always maintained that the best security system is to have nothing to protect. Sure if you are talking business systems or government this method is simply not an option but on a personal computer it certainly is. My best example is my old car that I always left the doors unlocked on so no one would break a window to find out there was nothing worth stealing. I also removed the ignition so it could be started without a key. The only security I had was a kill switch hidden under the dash which killed the electrics. I even once profited when a potential thief left one of his tools in my car by mistake.</p><p>This principle is one of the ones that makes personal Linux so secure; there is virtually no profit or satisfaction to be had designing viruses and trojans for Linux when the same effort could compromise hundreds of Windows PCs.</p><p>If you have nothing to steal you don't need locks, and people that try to sell you locks never seem to understand this.</p></htmltext>
<tokenext>I have always maintained that the best security system is to have nothing to protect .
Sure if you are talking business systems or government this method is simply not an option but on a personal computer it certainly is .
My best example is my old car that I always left the doors unlocked on so no one would break a window to find out there was nothing worth stealing .
I also removed the ignition so it could be started without a key .
The only security I had was a kill switch hidden under the dash which killed the electrics .
I even once profited when a potential thief left one of his tools in my car by mistake .
This principle is one of the ones that makes personal Linux so secure ; there is virtually no profit or satisfaction to be had designing viruses and trojans for Linux when the same effort could compromise hundreds of Windows PCs .
If you have nothing to steal you do n't need locks , and people that try to sell you locks never seem to understand this .</tokentext>
<sentencetext>I have always maintained that the best security system is to have nothing to protect.
Sure if you are talking business systems or government this method is simply not an option but on a personal computer it certainly is.
My best example is my old car that I always left the doors unlocked on so no one would break a window to find out there was nothing worth stealing.
I also removed the ignition so it could be started without a key.
The only security I had was a kill switch hidden under the dash which killed the electrics.
I even once profited when a potential thief left one of his tools in my car by mistake.
This principle is one of the ones that makes personal Linux so secure; there is virtually no profit or satisfaction to be had designing viruses and trojans for Linux when the same effort could compromise hundreds of Windows PCs.
If you have nothing to steal you don't need locks, and people that try to sell you locks never seem to understand this.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503244</id>
	<title>It's got to hurt before they'll act</title>
	<author>Trip6</author>
	<datestamp>1268744220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>You try and try to teach your child about how knives can cut them.  Keep them pointed away from you, cut carefully, blah blah blah.  But until it actually cuts them, they won't know for sure the threat.  If anything, they will hear your annoying voice and that's the only reason they won't act foolishly.</p><p>If you really want the general population to react, get them to feel the pain.  Perhaps simulate a security breach for each individual?</p><p>Alternatively, lecture them until they hear your annoying voice in their head 24 x 7.</p></htmltext>
<tokenext>You try and try to teach your child about how knives can cut them .
Keep them pointed away from you , cut carefully , blah blah blah .
But until it actually cuts them , they wo n't know for sure the threat .
If anything , they will hear your annoying voice and that 's the only reason they wo n't act foolishly .
If you really want the general population to react , get them to feel the pain .
Perhaps simulate a security breach for each individual ?
Alternatively , lecture them until they hear your annoying voice in their head 24 x 7 .</tokentext>
<sentencetext>You try and try to teach your child about how knives can cut them.
Keep them pointed away from you, cut carefully, blah blah blah.
But until it actually cuts them, they won't know for sure the threat.
If anything, they will hear your annoying voice and that's the only reason they won't act foolishly.
If you really want the general population to react, get them to feel the pain.
Perhaps simulate a security breach for each individual?
Alternatively, lecture them until they hear your annoying voice in their head 24 x 7.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502946</id>
	<title>Re:This is not a "new" interpretation</title>
	<author>sootman</author>
	<datestamp>1268742240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>&gt; ... computer security is a matter of economics. How much<br>&gt; does it cost to implement? How much do you stand to lose<br>&gt; if your security is broken and your "stuff" stolen?</p><p>Old saying: "You don't put a $500 diamond in a $5,000 safe."</p></htmltext>
<tokenext>&gt; ... computer security is a matter of economics .
How much does it cost to implement ?
How much do you stand to lose if your security is broken and your " stuff " stolen ?
Old saying : " You do n't put a $ 500 diamond in a $ 5,000 safe . "</tokentext>
<sentencetext>&gt; ... computer security is a matter of economics.
How much does it cost to implement?
How much do you stand to lose if your security is broken and your "stuff" stolen?
Old saying: "You don't put a $500 diamond in a $5,000 safe."</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502100</id>
	<title>Want security? Buy a Mac</title>
	<author>WillAffleckUW</author>
	<datestamp>1268737440000</datestamp>
	<modclass>Troll</modclass>
	<modscore>1</modscore>
	<htmltext><p>Want security? Buy a Mac.</p><p>Want s/w that breaks? Buy Windows.</p><p>Want to roll your own and get every ounce of power out - use a Linux distro.</p><p>At one point I was the acting security officer for Pacific Region. If people can subvert security they will.</p><p>Not much has changed in the security sphere for a long time, and difficult security just begs to be subverted.</p></htmltext>
<tokenext>Want security ?
Buy a Mac .
Want s/w that breaks ?
Buy Windows .
Want to roll your own and get every ounce of power out - use a Linux distro .
At one point I was the acting security officer for Pacific Region .
If people can subvert security they will .
Not much has changed in the security sphere for a long time , and difficult security just begs to be subverted .</tokentext>
<sentencetext>Want security?
Buy a Mac.
Want s/w that breaks?
Buy Windows.
Want to roll your own and get every ounce of power out - use a Linux distro.
At one point I was the acting security officer for Pacific Region.
If people can subvert security they will.
Not much has changed in the security sphere for a long time, and difficult security just begs to be subverted.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503894</id>
	<title>Re:What's up with /. Headlines?</title>
	<author>mcsneedy</author>
	<datestamp>1268750400000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>'Users reject security advice, that are considered rational' swaps an unclear referent for an extraneous comma AND a number-verb misalignment - i.e. one error for two, not to mention the meaning of your version appears to be the opposite of the actual point of the story.</p><p>Try this instead: Users' rejection of security advice is considered rational; or, Users who reject security advice are considered rational.</p><p>The problem is that while verbs are typically omitted from headlines, in this case you need the verb (is or are in these versions), or you need to reword along these lines: Users considered rational for rejecting security advice.</p><p>As for the actual story, I don't see what's so groundbreaking about the conclusions - anybody who's had to change a password or use a token or certificate (not to mention apply security patches, set up LAN security, etc) knows what a pain it is.</p></htmltext>
<tokenext>'Users reject security advice , that are considered rational ' swaps an unclear referent for an extraneous comma AND a number-verb misalignment - i.e. one error for two , not to mention the meaning of your version appears to be the opposite of the actual point of the story .
Try this instead : Users ' rejection of security advice is considered rational ; or , Users who reject security advice are considered rational .
The problem is that while verbs are typically omitted from headlines , in this case you need the verb ( is or are in these versions ) , or you need to reword along these lines : Users considered rational for rejecting security advice .
As for the actual story , I do n't see what 's so groundbreaking about the conclusions - anybody who 's had to change a password or use a token or certificate ( not to mention apply security patches , set up LAN security , etc ) knows what a pain it is .</tokentext>
<sentencetext>'Users reject security advice, that are considered rational' swaps an unclear referent for an extraneous comma AND a number-verb misalignment - i.e. one error for two, not to mention the meaning of your version appears to be the opposite of the actual point of the story.
Try this instead: Users' rejection of security advice is considered rational; or, Users who reject security advice are considered rational.
The problem is that while verbs are typically omitted from headlines, in this case you need the verb (is or are in these versions), or you need to reword along these lines: Users considered rational for rejecting security advice.
As for the actual story, I don't see what's so groundbreaking about the conclusions - anybody who's had to change a password or use a token or certificate (not to mention apply security patches, set up LAN security, etc) knows what a pain it is.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31511018</id>
	<title>Re:Windows Joke</title>
	<author>JumpDrive</author>
	<datestamp>1268849640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It seems to work for the accounting industry.  Do you know how many accountants/companies would be out of work if we just went to a flat tax?  Do you know how many people in healthcare administration would be out of work if we just went to single payer?  So if all of these industries can have a boondoggle why can't we?<br>
I get paid to do work, if that work involves fixing something that shouldn't be broke, well so be it.<br> <br>
And they usually pay me a lot more to tell them what they want to hear.</htmltext>
<tokenext>It seems to work for the accounting industry .
Do you know how many accountants/companies would be out of work if we just went to a flat tax ?
Do you know how many people in healthcare administration would be out of work if we just went to single payer ?
So if all of these industries can have a boondoggle why ca n't we ?
I get paid to do work , if that work involves fixing something that should n't be broke , well so be it .
And they usually pay me a lot more to tell them what they want to hear .</tokentext>
<sentencetext>It seems to work for the accounting industry.
Do you know how many accountants/companies would be out of work if we just went to a flat tax?
Do you know how many people in healthcare administration would be out of work if we just went to single payer?
So if all of these industries can have a boondoggle why can't we?
I get paid to do work, if that work involves fixing something that shouldn't be broke, well so be it.
And they usually pay me a lot more to tell them what they want to hear.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503672</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506394</id>
	<title>Re:Windows Joke</title>
	<author>Hanul</author>
	<datestamp>1268826000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I don't understand why people are doing jobs that are per se senseless.

It makes no sense to support an OS, which is so crappy (I don't suggest Windows is ;-) it needs a support industry to get it "working". And all just to have a job. Life should offer more than that.</htmltext>
<tokenext>I do n't understand why people are doing jobs that are per se senseless .
It makes no sense to support an OS , which is so crappy ( I do n't suggest Windows is ; - ) it needs a support industry to get it " working " .
And all just to have a job .
Life should offer more than that .</tokentext>
<sentencetext>I don't understand why people are doing jobs that are per se senseless.
It makes no sense to support an OS, which is so crappy (I don't suggest Windows is ;-) it needs a support industry to get it "working".
And all just to have a job.
Life should offer more than that.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505920</id>
	<title>This is why users like iPhone's audited apps</title>
	<author>gig</author>
	<datestamp>1268820420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This is no surprise at all. If there weren't a cost benefit to pushing the responsibility for malware onto the user, platform vendors wouldn't do it. Microsoft wouldn't do it.</p><p>That is why iPhone users see it as an advantage that Apple audits the native apps to keep the platform 100% malware-free. It's anti-virus that requires nothing from the user. This is what 90% of users EXPECT TO GET FOR FREE. They do not expect to have to be an I-T person at all and platform vendors should not expect it either. They expect their system to do only the things they ask it to do, they expect apps not to be doing sneaky stuff behind their back. When you think about it, that's what they ought to expect.</p><p>When somebody with an iPhone tells me they like the App Store, they are installing hundreds of apps, I always ask them, "are you concerned about malware?" and the most common answer by far is "what's malware?" and occasionally somebody says "no, I know Apple is auditing the apps." So competing vendors who want to sell to iPhone users are going to have to provide 100% malware-free platforms. The users are already spoiled for anything else. Android has a much smaller user base yet there has already been an incident of malware being downloaded from Android Market, and an incident where a consumer was sold a phone that had multiple malwares running on it. That has to be fixed. It's irresponsible to sell a malware-capable phone to an iPhone user. That responsibility has moved back onto the platform vendor and it's not going back to the users. There are 4 billion plus mobiles that are about to get smart and the users do not want to take computer science courses or play junior I-T man. But the benefit to vendors and developers is that once users can trust the apps, they buy and use many, many times more of them. If you ask people to tell you how many apps they installed on their iPhone and on their Mac/PC, the iPhone always wins. Mac/PC software developers should be so lucky as to sell apps like iPhone developers sell apps.</p><p>Consider if Windows XP had only been able to run audited apps from the start, we would have no botnets right now, we wouldn't have situations where consumers are having their bank accounts emptied by malware on their PCs. Don't you think that if iPhone can go 3 years with no malware, always-on, always-connected, that a full Windows PC should be able to do the same? A Windows PC can't go 3 months.</p><p>So the tech community is going to have to take more responsibility. The computer scientists and I-T people all already have PCs. If you want to sell more on top of that, you have to take more responsibility. If you want to put computers into 20 devices all around the typical human, you are going to have to make them much less fragile and exploitable than Windows and Android.</p></htmltext>
<tokenext>This is no surprise at all .
If there were n't a cost benefit to pushing the responsibility for malware onto the user , platform vendors would n't do it .
Microsoft would n't do it .
That is why iPhone users see it as an advantage that Apple audits the native apps to keep the platform 100 % malware-free .
It 's anti-virus that requires nothing from the user .
This is what 90 % of users EXPECT TO GET FOR FREE .
They do not expect to have to be an I-T person at all and platform vendors should not expect it either .
They expect their system to do only the things they ask it to do , they expect apps not to be doing sneaky stuff behind their back .
When you think about it , that 's what they ought to expect .
When somebody with an iPhone tells me they like the App Store , they are installing hundreds of apps , I always ask them , " are you concerned about malware ? " and the most common answer by far is " what 's malware ? " and occasionally somebody says " no , I know Apple is auditing the apps . "
So competing vendors who want to sell to iPhone users are going to have to provide 100 % malware-free platforms .
The users are already spoiled for anything else .
Android has a much smaller user base yet there has already been an incident of malware being downloaded from Android Market , and an incident where a consumer was sold a phone that had multiple malwares running on it .
That has to be fixed .
It 's irresponsible to sell a malware-capable phone to an iPhone user .
That responsibility has moved back onto the platform vendor and it 's not going back to the users .
There are 4 billion plus mobiles that are about to get smart and the users do not want to take computer science courses or play junior I-T man .
But the benefit to vendors and developers is that once users can trust the apps , they buy and use many , many times more of them .
If you ask people to tell you how many apps they installed on their iPhone and on their Mac/PC , the iPhone always wins .
Mac/PC software developers should be so lucky as to sell apps like iPhone developers sell apps .
Consider if Windows XP had only been able to run audited apps from the start , we would have no botnets right now , we would n't have situations where consumers are having their bank accounts emptied by malware on their PCs .
Do n't you think that if iPhone can go 3 years with no malware , always-on , always-connected , that a full Windows PC should be able to do the same ?
A Windows PC ca n't go 3 months .
So the tech community is going to have to take more responsibility .
The computer scientists and I-T people all already have PCs .
If you want to sell more on top of that , you have to take more responsibility .
If you want to put computers into 20 devices all around the typical human , you are going to have to make them much less fragile and exploitable than Windows and Android .</tokentext>
<sentencetext>This is no surprise at all.
If there weren't a cost benefit to pushing the responsibility for malware onto the user, platform vendors wouldn't do it.
Microsoft wouldn't do it.
That is why iPhone users see it as an advantage that Apple audits the native apps to keep the platform 100% malware-free.
It's anti-virus that requires nothing from the user.
This is what 90% of users EXPECT TO GET FOR FREE.
They do not expect to have to be an I-T person at all and platform vendors should not expect it either.
They expect their system to do only the things they ask it to do, they expect apps not to be doing sneaky stuff behind their back.
When you think about it, that's what they ought to expect.
When somebody with an iPhone tells me they like the App Store, they are installing hundreds of apps, I always ask them, "are you concerned about malware?" and the most common answer by far is "what's malware?" and occasionally somebody says "no, I know Apple is auditing the apps."
So competing vendors who want to sell to iPhone users are going to have to provide 100% malware-free platforms.
The users are already spoiled for anything else.
Android has a much smaller user base yet there has already been an incident of malware being downloaded from Android Market, and an incident where a consumer was sold a phone that had multiple malwares running on it.
That has to be fixed.
It's irresponsible to sell a malware-capable phone to an iPhone user.
That responsibility has moved back onto the platform vendor and it's not going back to the users.
There are 4 billion plus mobiles that are about to get smart and the users do not want to take computer science courses or play junior I-T man.
But the benefit to vendors and developers is that once users can trust the apps, they buy and use many, many times more of them.
If you ask people to tell you how many apps they installed on their iPhone and on their Mac/PC, the iPhone always wins.
Mac/PC software developers should be so lucky as to sell apps like iPhone developers sell apps.
Consider if Windows XP had only been able to run audited apps from the start, we would have no botnets right now, we wouldn't have situations where consumers are having their bank accounts emptied by malware on their PCs.
Don't you think that if iPhone can go 3 years with no malware, always-on, always-connected, that a full Windows PC should be able to do the same?
A Windows PC can't go 3 months.
So the tech community is going to have to take more responsibility.
The computer scientists and I-T people all already have PCs.
If you want to sell more on top of that, you have to take more responsibility.
If you want to put computers into 20 devices all around the typical human, you are going to have to make them much less fragile and exploitable than Windows and Android.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31507706</id>
	<title>Re:Some security measures don't seem practical.</title>
	<author>Anonymous</author>
	<datestamp>1268837280000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><blockquote><div><p>some of those hosts have passwords which expire every 30 days</p></div></blockquote><p>This is slightly off-topic, but I have to question how useful it is to require people to change their passwords often. Chances are, when someone breaks into your computer, they're going to leave a back door, so they can get in, regardless of the actual password. Anyone have any thoughts on that?</p></div><p>Wow, what a +4 Interesting post, thanks for raising that question, let me quote the fucking article for you</p><p><div class="quote"><p>The typical user does not always see benefit from heeding security advice. I once again agree. Try to explain to someone who had a password stolen by a key logger, why a strong password is important.</p></div><p>And then they go on to talk about passwords at some length....</p><p><div class="quote"><p> Gibson simply asked, how often do you require passwords to be changed? I asked several system administrators what time frame they used, most responded once a month. Using Herley&rsquo;s logic, that means an attacker potentially has a whole month to use the password.</p><p>So, is the cost of having users struggle with new password every month beneficial? Before you answer, you may also want to think about bad practices users implement because of the frequent-change policy:</p><p>
&nbsp; &nbsp; &nbsp; &nbsp; * By the time a user is comfortable with a password, it&rsquo;s time to change. So, users opt to write passwords down. That&rsquo;s another whole debate; ask Bruce Schneier.</p><p>
&nbsp; &nbsp; &nbsp; &nbsp; * Users know how many passwords the system remembers and cycle through that amount, which allows them to keep using the same one.</p><p>Is anything truly gained by having passwords changed often? The only benefit I see is if the attacker does not use the password within the password-refresh time limit. What&rsquo;s your opinion? Is changing passwords monthly, a benefit or a cost?</p><p>Dr. Herley does an in-depth cost-benefit analysis in three specific areas, password rules, phishing URLs, and SSL certificate errors. I would like to spend some time with each.</p><p>Password rules</p><p>Password rules place the entire burden on the user. So, they understand the cost from having to abide by the following rules:</p><p>
&nbsp; &nbsp; &nbsp; &nbsp; * Length<br>
&nbsp; &nbsp; &nbsp; &nbsp; * Composition (e.g. digits, special characters)<br>
&nbsp; &nbsp; &nbsp; &nbsp; * Non-dictionary words (in any language).<br>
&nbsp; &nbsp; &nbsp; &nbsp; * Don&rsquo;t write it down<br>
&nbsp; &nbsp; &nbsp; &nbsp; * Don&rsquo;t share it with anyone<br>
&nbsp; &nbsp; &nbsp; &nbsp; * Change it often<br>
&nbsp; &nbsp; &nbsp; &nbsp; * Don&rsquo;t re-use passwords across sites</p><p>The report proceeds to explain how each rule is not really helpful. For example, the first three rules are not important, as most applications and Web sites have a lock out rule that restricts access after so many tries. I already touched on why &ldquo;Change it often&rdquo; is not considered helpful.</p><p>All said and done, users know that strictly observing the above rules is no guarantee of being safe from exploits. That makes it difficult for them to justify the additional effort and associated cost.</p><p>Phishing URLs</p><p>Trying to explain URL spoofing to users is complicated. Besides, by the time you get through half of all possible iterations, most users are not listening. For example, the following slide (courtesy of Cormac Herley) lists some spoofed URLs for PayPal:</p><p>To reduce cost to users, Herley wants to turn this around. He explains that users need to know when the URL is good, not bad:</p><p>&ldquo;The main difficulty in teaching users to read URLs is that in certain cases this allows users to know when something is bad, but it never gives a guarantee that something is good. Thus the advice cannot be exhaustive and is full of exceptions.&rdquo;</p><p><div class="quote"></div></div></div>
	</htmltext>
<tokentext>some of those hosts have passwords which expire every 30 days This is slightly off-topic , but I have to question how useful it is to require people to change their passwords often .
Chances are , when someone breaks into your computer , they 're going to leave a back door , so they can get in , regardless of the actual password .
Anyone have any thoughts on that ? Wow , what a + 4 Interesting post , thanks for raising that question , let me quote the fucking article for youThe typical user does not always see benefit from heeding security advice .
I once again agree .
Try to explain to someone who had a password stolen by a key logger , why a strong password is important.And then they go on to talk about passwords at some length.... Gibson simply asked , how often do you require passwords to be changed ?
I asked several system administrators what time frame they used , most responded once a month .
Using Herley ’s logic , that means an attacker potentially has a whole month to use the password. So , is the cost of having users struggle with new password every month beneficial ?
Before you answer , you may also want to think about bad practices users implement because of the frequent-change policy :         * By the time a user is comfortable with a password , it ’s time to change .
So , users opt to write passwords down .
That ’s another whole debate ; ask Bruce Schneier .
        * Users know how many passwords the system remembers and cycle through that amount , which allows them to keep using the same one.Is anything truly gained by having passwords changed often ?
The only benefit I see is if the attacker does not use the password within the password-refresh time limit .
What ’s your opinion ?
Is changing passwords monthly , a benefit or a cost ? Dr .
Herley does an in-depth cost-benefit analysis in three specific areas , password rules , phishing URLs , and SSL certificate errors .
I would like to spend some time with each.Password rulesPassword rules place the entire burden on the user .
So , they understand the cost from having to abide by the following rules :         * Length         * Composition ( e.g .
digits , special characters )         * Non-dictionary words ( in any language ) .
        * Don ’t write it down         * Don ’t share it with anyone         * Change it often         * Don ’t re-use passwords across sites The report proceeds to explain how each rule is not really helpful .
For example , the first three rules are not important , as most applications and Web sites have a lock out rule that restricts access after so many tries .
I already touched on why “ Change it often ” is not considered helpful. All said and done , users know that strictly observing the above rules is no guarantee of being safe from exploits .
That makes it difficult for them to justify the additional effort and associated cost.Phishing URLsTrying to explain URL spoofing to users is complicated .
Besides , by the time you get through half of all possible iterations , most users are not listening .
For example , the following slide ( courtesy of Cormac Herley ) lists some spoofed URLs for PayPal : To reduce cost to users , Herley wants to turn this around .
He explains that users need to know when the URL is good , not bad : “ The main difficulty in teaching users to read URLs is that in certain cases this allows users to know when something is bad , but it never gives a guarantee that something is good .
Thus the advice can not be exhaustive and is full of exceptions. ”</tokentext>
<sentencetext>some of those hosts have passwords which expire every 30 daysThis is slightly off-topic, but I have to question how useful it is to require people to change their passwords often.
Chances are, when someone breaks into your computer, they're going to leave a back door, so they can get in, regardless of the actual password.
Anyone have any thoughts on that?Wow, what a +4 Interesting post, thanks for raising that question, let me quote the fucking article for youThe typical user does not always see benefit from heeding security advice.
I once again agree.
Try to explain to someone who had a password stolen by a key logger, why a strong password is important.And then they go on to talk about passwords at some length.... Gibson simply asked, how often do you require passwords to be changed?
I asked several system administrators what time frame they used, most responded once a month.
Using Herley’s logic, that means an attacker potentially has a whole month to use the password.So, is the cost of having users struggle with new password every month beneficial?
Before you answer, you may also want to think about bad practices users implement because of the frequent-change policy:
        * By the time a user is comfortable with a password, it’s time to change.
So, users opt to write passwords down.
That’s another whole debate; ask Bruce Schneier.
        * Users know how many passwords the system remembers and cycle through that amount, which allows them to keep using the same one.Is anything truly gained by having passwords changed often?
The only benefit I see is if the attacker does not use the password within the password-refresh time limit.
What’s your opinion?
Is changing passwords monthly, a benefit or a cost?Dr.
Herley does an in-depth cost-benefit analysis in three specific areas, password rules, phishing URLs, and SSL certificate errors.
I would like to spend some time with each.Password rulesPassword rules place the entire burden on the user.
So, they understand the cost from having to abide by the following rules:
        * Length
        * Composition (e.g.
digits, special characters)
        * Non-dictionary words (in any language).
        * Don’t write it down
        * Don’t share it with anyone
        * Change it often
        * Don’t re-use passwords across sitesThe report proceeds to explain how each rule is not really helpful.
For example, the first three rules are not important, as most applications and Web sites have a lock out rule that restricts access after so many tries.
I already touched on why “Change it often” is not considered helpful.All said and done, users know that strictly observing the above rules is no guarantee of being safe from exploits.
That makes it difficult for them to justify the additional effort and associated cost.Phishing URLsTrying to explain URL spoofing to users is complicated.
Besides, by the time you get through half of all possible iterations, most users are not listening.
For example, the following slide (courtesy of Cormac Herley) lists some spoofed URLs for PayPal:To reduce cost to users, Herley wants to turn this around.
He explains that users need to know when the URL is good, not bad:“The main difficulty in teaching users to read URLs is that in certain cases this allows users to know when something is bad, but it never gives a guarantee that something is good.
Thus the advice cannot be exhaustive and is full of exceptions.”
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502254</id>
	<title>7. Don't re-use passwords across sites</title>
	<author>hrimhari</author>
	<datestamp>1268738220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>TFA:</p><p>This would appear to include only the cases where the user is phished (rather than keylogged) or a rogue employee steals the credentials from A. This appears a minor reduction of risk for a 3.9x magnification of password management effort.</p><p>Unless the user in question uses <a href="http://news.slashdot.org/story/10/03/07/234204/Facebook-Founder-Accused-of-Hacking-Into-Rivals-Email" title="slashdot.org">facebook.</a> [slashdot.org] Or rather is a rival of the site he's using.</p></htmltext>
<tokentext>TFA : This would appear to include only the cases where the user is phished ( rather than keylogged ) or a rogue employee steals the credentials from A. This appears a minor reduction of risk for a 3.9x magnification of password management effort. Unless the user in question uses facebook .
[ slashdot.org ] Or rather is a rival of the site he 's using .</tokentext>
<sentencetext>TFA:This would appear to include only the cases where the user is phished (rather than keylogged) or a rogue employee steals the credentials from A. This appears a minor reduction of risk for a 3.9x magnification of password management effort.Unless the user in question uses facebook.
[slashdot.org] Or rather is a rival of the site he's using.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503968</id>
	<title>Re:Interesting</title>
	<author>Anonymous</author>
	<datestamp>1268751180000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>They realized their customer databases were password protected within that application, understood they had nothing on their workstations or shares to hide, and basically said fuck it when we were offering a low cost, non-invasive, transparent to their customers solution.</p><p>That's just one example. Lots of these "dumb endusers" fully understand the security and the solution and the cost, but feel they are not a valuable enough target to worry about it.</p></div><p>That's far from a complete risk assessment, in fact it's a great example of how users can fail to understand the complete implications and thus the cost benefit of security measures.</p><p>The first customer who connects with their malware-infested laptop and is able to propagate a virus via a remote execution exploit is going to cost a lot more in cleanup than a $50 config. I'd assume at least one of their workstations has such a vulnerability - why bother installing security updates when you've got nothing worth securing, right?</p></div>
	</htmltext>
<tokentext>They realized their customer databases were password protected within that application , understood they had nothing on their workstations or shares to hide , and basically said fuck it when we were offering a low cost , non-invasive , transparent to their customers solution.That 's just one example .
Lots of these " dumb endusers " fully understand the security and the solution and the cost , but feel they are not a valuable enough target to worry about it.That 's far from a complete risk assessment , in fact it 's a great example of how users can fail to understand the complete implications and thus the cost benefit of security measures.The first customer who connects with their malware-infested laptop and is able to propagate a virus via a remote execution exploit is going to cost a lot more in cleanup than a $ 50 config .
I 'd assume at least one of their workstations has such a vulnerability - why bother installing security updates when you 've got nothing worth securing , right ?</tokentext>
<sentencetext>They realized their customer databases were password protected within that application, understood they had nothing on their workstations or shares to hide, and basically said fuck it when we were offering a low cost, non-invasive, transparent to their customers solution.That's just one example.
Lots of these "dumb endusers" fully understand the security and the solution and the cost, but feel they are not a valuable enough target to worry about it.That's far from a complete risk assessment, in fact it's a great example of how users can fail to understand the complete implications and thus the cost benefit of security measures.The first customer who connects with their malware-infested laptop and is able to propagate a virus via a remote execution exploit is going to cost a lot more in cleanup than a $50 config.
I'd assume at least one of their workstations has such a vulnerability - why bother installing security updates when you've got nothing worth securing, right?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822</id>
	<title>Interesting</title>
	<author>Anonymous</author>
	<datestamp>1268736180000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>I agree with this assessment.  I work at an IT company that supports many different companies and users of different size.  We are a small operation (10 techs).</p><p>Most security recommendations are rejected due to the cost of implementation when dealing with corporate customers.  Smaller businesses and individual users will reject them due to the lack of perceived risk.</p><p>A simple example is when a salon did not want to spend the 30 minutes in labor to secure their wireless network because guests use it.  We said no problem and offered to set up a guest network and secure their internal wireless network.  No problems with their Cisco SA.  They still did not want to do it.  Their reasoning was not the $50 one time cost but, "who would want to go to the trouble of accessing our data?  we have nothing sensitive"</p><p>They realized their customer databases were password protected within that application, understood they had nothing on their workstations or shares to hide, and basically said fuck it when we were offering a low cost, non-invasive, transparent to their customers solution.</p><p>That's just one example.  Lots of these "dumb endusers" fully understand the security and the solution and the cost, but feel they are not a valuable enough target to worry about it.</p></htmltext>
<tokentext>I agree with this assessment .
I work at an IT company that supports many different companies and users of different size .
We are a small operation ( 10 techs ) .Most security recommendations are rejected due to the cost of implementation when dealing with corporate customers .
Smaller businesses and individual users will reject them due to the lack of perceived risk.A simple example is when a salon did not want to spend the 30 minutes in labor to secure their wireless network because guests use it .
We said no problem and offered to set up a guest network and secure their internal wireless network .
No problems with their Cisco SA .
They still did not want to do it .
Their reasoning was not the $ 50 one time cost but , " who would want to go to the trouble of accessing our data ?
we have nothing sensitive " They realized their customer databases were password protected within that application , understood they had nothing on their workstations or shares to hide , and basically said fuck it when we were offering a low cost , non-invasive , transparent to their customers solution.That 's just one example .
Lots of these " dumb endusers " fully understand the security and the solution and the cost , but feel they are not a valuable enough target to worry about it .</tokentext>
<sentencetext>I agree with this assessment.
I work at an IT company that supports many different companies and users of different size.
We are a small operation (10 techs).Most security recommendations are rejected due to the cost of implementation when dealing with corporate customers.
Smaller businesses and individual users will reject them due to the lack of perceived risk.A simple example is when a salon did not want to spend the 30 minutes in labor to secure their wireless network because guests use it.
We said no problem and offered to set up a guest network and secure their internal wireless network.
No problems with their Cisco SA.
They still did not want to do it.
Their reasoning was not the $50 one time cost but, "who would want to go to the trouble of accessing our data?
we have nothing sensitive"They realized their customer databases were password protected within that application, understood they had nothing on their workstations or shares to hide, and basically said fuck it when we were offering a low cost, non-invasive, transparent to their customers solution.That's just one example.
Lots of these "dumb endusers" fully understand the security and the solution and the cost, but feel they are not a valuable enough target to worry about it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504900</id>
	<title>Re:good advice versus bad advice; costs to others</title>
	<author>Anonymous</author>
	<datestamp>1268760420000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>The article doesn't talk about costs to others.</p></div><p>To be fair, the paper is an analysis of user behaviour and not the merit of security measures themselves. What I've managed to glean through a casual interest in behavioural economics is that people are often selfish and usually short-sighted in their decisions - if I don't understand or don't care about a measure's impact on others then why bother following it?</p></div>
	</htmltext>
<tokentext>The article does n't talk about costs to others.To be fair , the paper is an analysis of user behaviour and not the merit of security measures themselves .
What I 've managed to glean through a casual interest in behavioural economics is that people are often selfish and usually short-sighted in their decisions - if I do n't understand or do n't care about a measure 's impact on others then why bother following it ?</tokentext>
<sentencetext>The article doesn't talk about costs to others.To be fair, the paper is an analysis of user behaviour and not the merit of security measures themselves.
What I've managed to glean through a casual interest in behavioural economics is that people are often selfish and usually short-sighted in their decisions - if I don't understand or don't care about a measure's impact on others then why bother following it?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030</id>
	<title>good advice versus bad advice; costs to others</title>
	<author>Anonymous</author>
	<datestamp>1268737080000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>5</modscore>
	<htmltext><p>
The paper is not entirely unreasonable. However, there are at least some holes in it.
</p><p>
It lumps good and bad security advice together. The economic benefit of following bad security advice (e.g., buying antivirus software) is zero or negative, so of course anybody would be rational to ignore such advice. That doesn't mean it should be lumped together with *good* security advice. They're hypothesizing that people are acting like the idealized economic free agents beloved of economists: people with perfect information, acting rationally. Under this hypothesis, people would have perfect information about which security advice is good and which is bad.
</p><p>
The article doesn't talk about costs to others. People who get their computers owned by a botnet aren't only suffering economic harm themselves, they're inflicting harm on other people. On p. 5 Herley talks about how Wells Fargo limits customers' liability to $50 if they're victims of fraud. That doesn't mean *nobody* pays the cost of the fraud. We all pay those costs, indirectly.
</p><p>
Another problem is that in many cases Herley relies on back-of-the-envelope estimates of the damage caused by security failures. E.g., on p. 2 he estimates the economic costs of a particular exploit. But these estimates aren't based on any actual data. That particular calculation is also kind of stupid, because he says that a user shouldn't spend more than "0.98 seconds" (doesn't he understand significant figures?) protecting against a particular exploit. What his analysis ignores is that there may be hundreds of such exploits out there, and that anything you do that protects against one exploit (e.g., not using a dictionary word as your password) will also help to protect you against all the others. And forgive me if I'm a little skeptical of low-ball estimates originating from MS of the economic damage of computer security failures. That's like trusting GM to estimate the economic effects of global warming.
</p></htmltext>
<tokentext>The paper is not entirely unreasonable .
However , there are at least some holes in it .
It lumps good and bad security advice together .
The economic benefit of following bad security advice ( e.g. , buying antivirus software ) is zero or negative , so of course anybody would be rational to ignore such advice .
That does n't mean it should be lumped together with * good * security advice .
They 're hypothesizing that people are acting like the idealized economic free agents beloved of economists : people with perfect information , acting rationally .
Under this hypothesis , people would have perfect information about which security advice is good and which is bad .
The article does n't talk about costs to others .
People who get their computers owned by a botnet are n't only suffering economic harm themselves , they 're inflicting harm on other people .
On p. 5 Herley talks about how Wells Fargo limits customers ' liability to $ 50 if they 're victims of fraud .
That does n't mean * nobody * pays the cost of the fraud .
We all pay those costs , indirectly .
Another problem is that in many cases Herley relies on back-of-the-envelope estimates of the damage caused by security failures .
E.g. , on p. 2 he estimates the economic costs of a particular exploit .
But these estimates are n't based on any actual data .
That particular calculation is also kind of stupid , because he says that a user should n't spend more than " 0.98 seconds " ( does n't he understand significant figures ?
) protecting against a particular exploit .
What his analysis ignores is that there may be hundreds of such exploits out there , and that anything you do that protects against one exploit ( e.g. , not using a dictionary word as your password ) will also help to protect you against all the others .
And forgive me if I 'm a little skeptical of low-ball estimates originating from MS of the economic damage of computer security failures .
That 's like trusting GM to estimate the economic effects of global warming .</tokentext>
<sentencetext>
The paper is not entirely unreasonable.
However, there are at least some holes in it.
It lumps good and bad security advice together.
The economic benefit of following bad security advice (e.g., buying antivirus software) is zero or negative, so of course anybody would be rational to ignore such advice.
That doesn't mean it should be lumped together with *good* security advice.
They're hypothesizing that people are acting like the idealized economic free agents beloved of economists: people with perfect information, acting rationally.
Under this hypothesis, people would have perfect information about which security advice is good and which is bad.
The article doesn't talk about costs to others.
People who get their computers owned by a botnet aren't only suffering economic harm themselves, they're inflicting harm on other people.
On p. 5 Herley talks about how Wells Fargo limits customers' liability to $50 if they're victims of fraud.
That doesn't mean *nobody* pays the cost of the fraud.
We all pay those costs, indirectly.
Another problem is that in many cases Herley relies on back-of-the-envelope estimates of the damage caused by security failures.
E.g., on p. 2 he estimates the economic costs of a particular exploit.
But these estimates aren't based on any actual data.
That particular calculation is also kind of stupid, because he says that a user shouldn't spend more than "0.98 seconds" (doesn't he understand significant figures?
) protecting against a particular exploit.
What his analysis ignores is that there may be hundreds of such exploits out there, and that anything you do that protects against one exploit (e.g., not using a dictionary word as your password) will also help to protect you against all the others.
And forgive me if I'm a little skeptical of low-ball estimates originating from MS of the economic damage of computer security failures.
That's like trusting GM to estimate the economic effects of global warming.
</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31513856</id>
	<title>Re:Windows Joke</title>
	<author>Anonymous</author>
	<datestamp>1268858220000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Oh, Castaway. That was the best screensaver ever invented. I used to love the flying toasters, but then I saw poor Johnny Castaway on his island, and never looked back.</p></htmltext>
<tokentext>Oh , Castaway .
That was the best screensaver ever invented .
I used to love the flying toasters , but then I saw poor Johnny Castaway on his island , and never looked back .</tokentext>
<sentencetext>Oh, Castaway.
That was the best screensaver ever invented.
I used to love the flying toasters, but then I saw poor Johnny Castaway on his island, and never looked back.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504836</id>
	<title>Re:Some security measures don't seem practical.</title>
	<author>Anonymous</author>
	<datestamp>1268759580000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>It's intended to prevent account cracking rather than as a measure to limit breaches that already happened.</p><p>The article notes that forced password changes are of dubious benefit for systems that use an account lockout mechanism. It is somewhat useful when it comes to offline cracking, as by the time the offline password is cracked it has often already been changed on the live system.</p></htmltext>
<tokentext>It 's intended to prevent account cracking rather than as a measure to limit breaches that already happened.The article notes that forced password changes are of dubious benefit for systems that use an account lockout mechanism .
It is somewhat useful when it comes to offline cracking , as by the time the offline password is cracked it has often already been changed on the live system .</tokentext>
<sentencetext>It's intended to prevent account cracking rather than as a measure to limit breaches that already happened.The article notes that forced password changes are of dubious benefit for systems that use an account lockout mechanism.
It is somewhat useful when it comes to offline cracking, as by the time the offline password is cracked it has often already been changed on the live system.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501874</id>
	<title>Users just don't care, because it doesn't cost them</title>
	<author>maillemaker</author>
	<datestamp>1268736360000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>As I said before, most users don't care because there are usually no consequences to ignoring security directives.</p><p>Most users figure that security is the corporation's problem.  They just figure that whatever they do will be protected "by the firewall" and they go on with life.  It's not their problem if things go wrong.</p></htmltext>
<tokentext>As I said before , most users do n't care because there are usually no consequences to ignoring security directives.Most users figure that security is the corporation 's problem .
They just figure that whatever they do will be protected " by the firewall " and they go on with life .
It 's not their problem if things go wrong .</tokentext>
<sentencetext>As I said before, most users don't care because there are usually no consequences to ignoring security directives.Most users figure that security is the corporation's problem.
They just figure that whatever they do will be protected "by the firewall" and they go on with life.
It's not their problem if things go wrong.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503672</id>
	<title>Re:Windows Joke</title>
	<author>Anonymous</author>
	<datestamp>1268748180000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>That's like saying you like <a href="http://en.wikipedia.org/wiki/Parable_of_the_broken_window" title="wikipedia.org" rel="nofollow">the kid that breaks glass</a> [wikipedia.org], because you as a glazier stay in business. In reality, generating useless work costs the whole society.</p><p>Are you allowed to think about where your society -- the large family of the people of the USA -- is going as a whole, or would that be evil socialism?</p></htmltext>
<tokentext>That 's like saying you like the kid that breaks glass [ wikipedia.org ] , because you as a glazier stay in business .
In reality , generating useless work costs the whole society.Are you allowed to think about where your society -- the large family of the people of the USA -- is going as a whole , or would that be evil socialism ?</tokentext>
<sentencetext>That's like saying you like the kid that breaks glass [wikipedia.org], because you as a glazier stay in business.
In reality, generating useless work costs the whole society.Are you allowed to think about where your society -- the large family of the people of the USA -- is going as a whole, or would that be evil socialism?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31511918</id>
	<title>Re:Good article!</title>
	<author>psydeshow</author>
	<datestamp>1268851980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The problem is that the difference is both a moving target and a matter of resources. What takes 30,000 hours on a laptop today might take 7000 hours in 2016. But what takes 30,000 hours on a laptop today would only take an hour or two using massive parallelism in a computing cloud, should the attacker be willing to pay for it.</p><p>Aside from effective key length, which makes even techies' eyes glaze over, there is no reliable index or baseline that we can use to compare different schemes against both time and available resources.</p><p>Even if you use effective strength as a yardstick, it still provides no justification for using one strength over another, because it depends on context. Keeping your brother out of your diary vs authorizing million-dollar wire transfers.... which should be protected by a longer password? It kinda depends on what's in the diary.</p></htmltext>
<tokenext>The problem is that the difference is both a moving target and a matter of resources .
What takes 30,000 hours on a laptop today might take 7000 hours in 2016 .
But what takes 30,000 hours on a laptop today would only take an hour or two using massive parallelism in a computing cloud , should the attacker be willing to pay for it.Aside from effective key length , which makes even techies ' eyes glaze over , there is no reliable index or baseline that we can use to compare different schemes against both time and available resources.Even if you use effective strength as a yardstick , it still provides no justification for using one strength over another , because it depends on context .
Keeping your brother out of your diary vs authorizing million-dollar wire transfers.... which should be protected by a longer password ?
It kinda depends on what 's in the diary .</tokentext>
<sentencetext>The problem is that the difference is both a moving target and a matter of resources.
What takes 30,000 hours on a laptop today might take 7000 hours in 2016.
But what takes 30,000 hours on a laptop today would only take an hour or two using massive parallelism in a computing cloud, should the attacker be willing to pay for it.
Aside from effective key length, which makes even techies' eyes glaze over, there is no reliable index or baseline that we can use to compare different schemes against both time and available resources.
Even if you use effective strength as a yardstick, it still provides no justification for using one strength over another, because it depends on context.
Keeping your brother out of your diary vs authorizing million-dollar wire transfers.... which should be protected by a longer password?
It kinda depends on what's in the diary.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503438</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502512</id>
	<title>XP Updates</title>
	<author>drumcat</author>
	<datestamp>1268739780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>What is rational about all the hurdles you have to jump through now?</htmltext>
<tokenext>What is rational about all the hurdles you have to jump through now ?</tokentext>
<sentencetext>What is rational about all the hurdles you have to jump through now?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900</id>
	<title>Some security measures don't seem practical.</title>
	<author>Richard Steiner</author>
	<datestamp>1268736420000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>5</modscore>
	<htmltext><p>I have to remember something like 70 passwords as a multiplatform software developer, and some of those hosts have passwords which expire every 30 days, can't repeat for at least a dozen iterations, and must contain at least one numeric, at least one upper-case and one lower-case alpha, and at least one non-alphanumeric symbol.</p><p>I understand the reasoning, and if it was only a handful of boxes .. or rarely used boxes ... I would understand, but I'm logging into 25 or 30 of these machines or applications on a daily basis.</p><p>I can use a password manager like Keepass, and it's okay, but I can see how some folks would resort to other means, try to use password patterns, etc.</p></htmltext>
<tokenext>I have to remember something like 70 passwords as a multiplatform software developer , and some of those hosts have passwords which expire every 30 days , ca n't repeat for at least a dozen iterations , and must contain at least one numeric , at least one upper-case and one lower-case alpha , and at least one non-alphanumeric symbol.I understand the reasoning , and if it was only a handful of boxes .. or rarely used boxes ... I would understand , but I 'm logging into 25 or 30 of these machines or applications on a daily basis.I can use a password manager like Keepass , and it 's okay , but I can see how some folks would resort to other means , try to use password patterns , etc .</tokentext>
<sentencetext>I have to remember something like 70 passwords as a multiplatform software developer, and some of those hosts have passwords which expire every 30 days, can't repeat for at least a dozen iterations, and must contain at least one numeric, at least one upper-case and one lower-case alpha, and at least one non-alphanumeric symbol.
I understand the reasoning, and if it was only a handful of boxes .. or rarely used boxes ... I would understand, but I'm logging into 25 or 30 of these machines or applications on a daily basis.
I can use a password manager like Keepass, and it's okay, but I can see how some folks would resort to other means, try to use password patterns, etc.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501896</id>
	<title>Re:Wasted time</title>
	<author>Anonymous</author>
	<datestamp>1268736420000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div><div class="quote"><p>What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.;</p></div><p>I'd make a smarmy "Can you speak louder" joke like Pak there, but all I've got is deafening silence. Ya see, there's no way to make my soundcard work in *nix, from what I, and my friend who damn well *lives* in *nix can find. And we spent hours. I eventually had to use the shitty on-board sound.</p><p>As for wasting hours and hours, and money, I use MSE, took about 5 minutes to download and install, and Spy-bot, which also took about 5 minutes to download and install. MSE updates itself, and Spy-bot probably could, though I'm comfortable with just manually downloading the updates, which takes about 35 seconds. Scans run overnight.</p><p>So, I suppose, over my entire life, it might qualify as hours, plural. In fact, I wasted MORE time trying to get my sound card to work than I have with anti-virus/mal-ware programs.</p><p>Oh, and I ran without *any* protection for over a year, including doing torrents, and a monthly scan didn't pick up *anything.* Ever. So there's that for your "Windows can be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ignorant user to use their computer."</p></div>
	</htmltext>
<tokenext>What does n't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out , while they waste hours and hours of their time and money cleaning out their Windows installs , setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles , and even reinstalling their O.S .
; I 'd make a smarmy " Can you speak louder joke " like Pak there , but all I 've got is deafening silence .
Ya see , there 's no way to make my soundcard work in * nix , from what I , and my friend who damn well * lives * in * nix can find .
And we spent hours .
I eventually had to use the shitty on-board sound.As for wasting hours and hours , and money , I use MSE , took about 5 minutes to download and install , and Spy-bot , which also took about 5 minutes to download and install .
MSE updates itself , and Spy-bot probably could , though I 'm comfortable with just manually downloading the updates , which takes about 35 seconds .
Scans run overnight.So , I suppose , over my entire life , it might qualify as hours , plural .
In fact , I wasted MORE time trying to get my sound card to work than I have with anti-virus/mal-ware programs.Oh , and I ran without * any * protection for over a year , including doing torrents , and a monthly scan did n't pick up * anything .
* Ever .
So there 's that for your " Windows can be used safely and quickly without protection , but only by savvy users who do n't do any " real-world " stuff like torrent or allow the occasional ignorant user to use their computer .
"</tokentext>
<sentencetext>What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.;
I'd make a smarmy "Can you speak louder" joke like Pak there, but all I've got is deafening silence.
Ya see, there's no way to make my soundcard work in *nix, from what I, and my friend who damn well *lives* in *nix can find.
And we spent hours.
I eventually had to use the shitty on-board sound.
As for wasting hours and hours, and money, I use MSE, took about 5 minutes to download and install, and Spy-bot, which also took about 5 minutes to download and install.
MSE updates itself, and Spy-bot probably could, though I'm comfortable with just manually downloading the updates, which takes about 35 seconds.
Scans run overnight.
So, I suppose, over my entire life, it might qualify as hours, plural.
In fact, I wasted MORE time trying to get my sound card to work than I have with anti-virus/mal-ware programs.
Oh, and I ran without *any* protection for over a year, including doing torrents, and a monthly scan didn't pick up *anything.* Ever.
So there's that for your "Windows can be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ignorant user to use their computer."
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503452</id>
	<title>Re:Some security measures don't seem practical.</title>
	<author>Anonymous</author>
	<datestamp>1268746020000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>And you're forced to use passwords to log in?  I used to have a painful time too, but then I set up ssh certificate authentication and ssh-agent, and now I can log into all my remote hosts with just one passphrase a day.</p></htmltext>
<tokenext>And you 're forced to use passwords to log in ?
I used to have a painful time too , but then I set up ssh certificate authentication and ssh-agent , and now I can log into all my remote hosts with just one passphrase a day .</tokentext>
<sentencetext>And you're forced to use passwords to log in?
I used to have a painful time too, but then I set up ssh certificate authentication and ssh-agent, and now I can log into all my remote hosts with just one passphrase a day.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506108</id>
	<title>Re:Some security measures don't seem practical.</title>
	<author>precariousgray</author>
	<datestamp>1268822580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div><div class="quote"><blockquote><div><p>some of those hosts have passwords which expire every 30 days</p></div></blockquote><p>This is slightly off-topic, but I have to question how useful it is to require people to change their passwords often. Chances are, when someone breaks into your computer, they're going to leave a back door, so they can get in, regardless of the actual password. Anyone have any thoughts on that?</p></div><p>I'd like to take this one step further: is there <b>anyone</b> who actually creates a new password when they have to change theirs? Mine are always another password I've used in the past, or a variation on the one I'm currently using.<br> <br>I made a conscious effort several years ago to create a few very strong passwords and memorize them. I see no reason why I should have to change them.</p></div>
	</htmltext>
<tokenext>some of those hosts have passwords which expire every 30 daysThis is slightly off-topic , but I have to question how useful it is to require people to change their passwords often .
Chances are , when someone breaks into your computer , they 're going to leave a back door , so they can get in , regardless of the actual password .
Anyone have any thoughts on that ? I 'd like to take this one step further : is there anyone who actually creates a new password when they have to change theirs ?
Mine are always another password I 've used in the past , or a variation on the one I 'm currently using .
I made a conscious effort several years ago to create a few very strong passwords and memorize them .
I see no reason why I should have to change them .</tokentext>
<sentencetext>some of those hosts have passwords which expire every 30 days
This is slightly off-topic, but I have to question how useful it is to require people to change their passwords often.
Chances are, when someone breaks into your computer, they're going to leave a back door, so they can get in, regardless of the actual password.
Anyone have any thoughts on that?
I'd like to take this one step further: is there anyone who actually creates a new password when they have to change theirs?
Mine are always another password I've used in the past, or a variation on the one I'm currently using.
I made a conscious effort several years ago to create a few very strong passwords and memorize them.
I see no reason why I should have to change them.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502738</id>
	<title>Re:Interesting</title>
	<author>Jer</author>
	<datestamp>1268741040000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><div><div class="quote"><p>For example, advising users to actually read warnings about SSL -- after 5 words, they are bored and go back to ignoring SSL warnings (and in some cases, falling victim to MITM attacks). We are not talking about costly solutions here, just basic, unintrusive guidelines that people are ignoring.</p></div><p>This is actually one of the examples from TFA. The contention is that the statistics show that a majority of the certificate errors that users run across are false positives and ignoring them is perfectly harmless. And the TFA goes on to point out that a phisher would be pretty damn stupid to go to all the trouble to set up a fake domain and then put a broken certificate on it to throw up a warning and cause a potential victim to take a second look at the site and make sure it isn't something suspicious.</p><p>And IT people need to remember that what sounds like a "basic, unintrusive guideline" to us often sounds like babble, pointless rigmarole to make their jobs harder, or an IT person pulling an ego trip to the end users. The last one is especially bad because many users can't tell the difference between "arbitrary rule handed down by IT that makes their jobs easier while making my life harder" and "good solid advice handed down by IT for a very good reason." When they can't tell the difference, they'll just assume it's in the first camp and ignore it. If you're going to make their lives harder, you better have a damn good reason for it.</p></div>
	</htmltext>
<tokenext>For example , advising users to actually read warnings about SSL -- after 5 words , they are bored and go back to ignoring SSL warnings ( and in some cases , falling victim to MITM attacks ) .
We are not talking about costly solutions here , just basic , unintrusive guidelines that people are ignoring.This is actually one of the examples from TFA .
The contention is that the statistics show that a majority of the certificate errors that users run across are false positives and ignoring them is perfectly harmless .
And the TFA goes on to point out that a phisher would be pretty damn stupid to go to all the trouble to setup a fake domain and then put a broken certificate on it to throw up a warning and cause a potential victim to take a second look at the site and make sure it is n't something suspicious.And IT people need to remember that what sounds like a " basic , unintrusive guideline " to us often sounds like babble , pointless rigmarole to make their jobs harder , or an IT person pulling an ego trip to the end users .
The last one is especially bad because many users ca n't tell the difference between " arbitrary rule handed down by IT that makes their jobs easier while making my life harder " and " good solid advice handed down by IT for a very good reason .
" When they ca n't tell the difference , they 'll just assume it 's in the first camp and ignore it .
If you 're going to make their lives harder , you better have a damn good reason for it .</tokentext>
<sentencetext>For example, advising users to actually read warnings about SSL -- after 5 words, they are bored and go back to ignoring SSL warnings (and in some cases, falling victim to MITM attacks).
We are not talking about costly solutions here, just basic, unintrusive guidelines that people are ignoring.
This is actually one of the examples from TFA.
The contention is that the statistics show that a majority of the certificate errors that users run across are false positives and ignoring them is perfectly harmless.
And the TFA goes on to point out that a phisher would be pretty damn stupid to go to all the trouble to set up a fake domain and then put a broken certificate on it to throw up a warning and cause a potential victim to take a second look at the site and make sure it isn't something suspicious.
And IT people need to remember that what sounds like a "basic, unintrusive guideline" to us often sounds like babble, pointless rigmarole to make their jobs harder, or an IT person pulling an ego trip to the end users.
The last one is especially bad because many users can't tell the difference between "arbitrary rule handed down by IT that makes their jobs easier while making my life harder" and "good solid advice handed down by IT for a very good reason."
When they can't tell the difference, they'll just assume it's in the first camp and ignore it.
If you're going to make their lives harder, you better have a damn good reason for it.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502118</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502170</id>
	<title>Re:Interesting</title>
	<author>slimjim8094</author>
	<datestamp>1268737740000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>But in that instance they're just being dumb. All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut, firing up nmap to pull down the customer DB, or firing up Metasploit.</p><p>They feel they're not a valuable enough target, but are they right? Maybe - it's hard to say for sure. But what's the cost of being wrong? For a smallish salon, almost definitely enough to put them entirely out of business.</p><p>And the cost being $50? They're simply being stupid. None of this bullshit "analyzing the economic realities and making the logical choice", just stupid.</p><p>Fact of the matter is, all this stuff only needs to happen once - especially for a small business. No security can prevent a super-hacker-paratrooper team from taking everything, but it can improve a once-in-5-years odd from some kid, to a once-in-1000-years odd.</p><p>Some security *is* ridiculous. But most of it isn't. You provide a great anecdote but I suspect it's fairly common.</p><p>Security people are a bit like doctors. It's not really up to the patient to tell the doctor how to do their job, in most cases. Witness the whole autism-vaccine BS. In both professions, the customer can override the professional advice, but it's not a good idea.</p><p>Carrying the analogy a bit further: Reasonable security is a bit like a prostate exam. It's easy and straightforward, a little unpleasant, and entirely unnecessary until it saves your life. Is it rational to forgo a prostate exam because "why would I need a prostate exam? I don't have cancer?"</p></htmltext>
<tokenext>But in that instance they 're just being dumb .
All it takes is one malicious kid , who likes credit card numbers , waiting for a haircut and firing up nmap and pull down the customer DB , or fire up Metasploit.They feel they 're not a valuable enough target , but are they right ?
Maybe - it 's hard to say for sure .
But what 's the cost of being wrong ?
For a smallish salon , almost definitely enough to put them entirely out of business.And the cost being $ 50 ?
They 're simply being stupid .
None of this bullshit " analyzing the economic realities and making the logical choice " , just stupid.Fact of the matter is , all this stuff only needs to happen once - especially for a small business .
No security can prevent a super-hacker-paratrooper team from taking everything , but it can improve a once-in-5-years odd from some kid , to a once-in-1000-years odd.Some security * is * ridiculous .
But most of it is n't .
You provide a great anecdote but I suspect it 's fairly common.Security people are a bit like doctors .
It 's not really up to the patient to tell the doctor how to do their job , in most cases .
Witness the whole autism-vaccine BS .
In both professions , the customer can override the professional advice , but it 's not a good idea.Carrying the analogy a bit further : Reasonable security is a bit like a prostate exam .
It 's easy and straightforward , a little unpleasant , and entirely unnecessary until it saves your life .
Is it rational to forgo a prostate exam because " why would I need a prostate exam ?
I do n't have cancer "</tokentext>
<sentencetext>But in that instance they're just being dumb.
All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut, firing up nmap to pull down the customer DB, or firing up Metasploit.
They feel they're not a valuable enough target, but are they right?
Maybe - it's hard to say for sure.
But what's the cost of being wrong?
For a smallish salon, almost definitely enough to put them entirely out of business.
And the cost being $50?
They're simply being stupid.
None of this bullshit "analyzing the economic realities and making the logical choice", just stupid.
Fact of the matter is, all this stuff only needs to happen once - especially for a small business.
No security can prevent a super-hacker-paratrooper team from taking everything, but it can improve a once-in-5-years odd from some kid, to a once-in-1000-years odd.
Some security *is* ridiculous.
But most of it isn't.
You provide a great anecdote but I suspect it's fairly common.
Security people are a bit like doctors.
It's not really up to the patient to tell the doctor how to do their job, in most cases.
Witness the whole autism-vaccine BS.
In both professions, the customer can override the professional advice, but it's not a good idea.
Carrying the analogy a bit further: Reasonable security is a bit like a prostate exam.
It's easy and straightforward, a little unpleasant, and entirely unnecessary until it saves your life.
Is it rational to forgo a prostate exam because "why would I need a prostate exam? I don't have cancer?"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31514664</id>
	<title>Re:Windows Joke</title>
	<author>aafiske</author>
	<datestamp>1268818020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yeah, Linux is some magical fairyland where everything works and the computers never need to be rebooted or even upgraded as often because it's just so fast.</p><p>Honestly, "new versions quietly installing themselves while all the software keeps working" is the hugest crock of shit I've heard in a long, long time. New kernels constantly break existing software, especially graphics drivers and virtual machines. No one wants to walk into work and find out all their virtual machines were magically broken overnight and IT is looking into it. Or better yet, three weeks later when they restart they're stuck at a commandline with some cryptic error messages and need to learn to browse the web in lynx while they google for what the hell is going wrong.</p><p>I'm not saying Windows is all kittens and puppies and sugar either. But Linux is hardly as wonderful as everyone makes it out to be.</p></htmltext>
<tokenext>Yeah , linux is some magical fairyland where everything works and the computers never need to be rebooted or even upgraded as often because it 's just so fast.Honestly , " new versions quietly installing themselves while all the software keeps working " the hugest crock of shit I 've heard in a long , long time .
New kernels constantly break existing software , especially graphics drivers and virtual machines .
No one wants to walk into work and find out all their virtual machines were magically broken overnight and IT is looking into it .
Or better yet , three weeks later when they restart they 're stuck at a commandline with some cryptic error messages and need to learn to browse the web in lynx while they google for what the hell is going wrong.I 'm not saying Windows is all kittens and puppies and sugar either .
But linux is hardly as wonderful as everyone makes it out to be .</tokentext>
<sentencetext>Yeah, Linux is some magical fairyland where everything works and the computers never need to be rebooted or even upgraded as often because it's just so fast.
Honestly, "new versions quietly installing themselves while all the software keeps working" is the hugest crock of shit I've heard in a long, long time.
New kernels constantly break existing software, especially graphics drivers and virtual machines.
No one wants to walk into work and find out all their virtual machines were magically broken overnight and IT is looking into it.
Or better yet, three weeks later when they restart they're stuck at a commandline with some cryptic error messages and need to learn to browse the web in lynx while they google for what the hell is going wrong.
I'm not saying Windows is all kittens and puppies and sugar either.
But Linux is hardly as wonderful as everyone makes it out to be.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202</id>
	<title>It's obvious</title>
	<author>vakuona</author>
	<datestamp>1268737980000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>It's obvious that most computer security practices are the equivalent of cracking the metaphorical nut with a sledgehammer. My personal pet hate is the password aging practice. It specifically does one of two things. It discourages people from choosing strong passwords because strong passwords are more difficult to create and remember than weak ones. The second is that users may resort to writing passwords down because some expert decided they needed to change their password every 30 days. And often you get the password change prompt right when you are about to go on a long holiday, which guarantees that you will not be able to remember it.</p><p>One reason for this is that organisations have to show that they are serious about security, and practices like password aging are easy 'objective' metrics to demonstrate, even if they do not provide a measurable improvement in security.</p></htmltext>
<tokenext>It 's obvious that most computer security practices are the equivalent of cracking the metaphorical nut with a sledgehammer .
My personal pet hate is the password aging practice .
It specifically does one of two things .
It discourages people from choosing strong passwords because strong passwords are more difficult to create and remember than weak ones .
The second is that users may resort to writing passwords down because some expert decided they needed to change their password every 30 days .
And often you get the password change prompt right when you are about to go on a long holiday , which guarantees that you will not be able to remember it . One reason for this is that organisations have to show that they are serious about security , and practices like password aging are easy 'objective ' metrics to demonstrate , even if they do not provide a measurable improvement in security .</tokentext>
<sentencetext>It's obvious that most computer security practices are the equivalent of cracking the metaphorical nut with a sledgehammer.
My personal pet hate is the password aging practice.
It specifically does one of two things.
It discourages people from choosing strong passwords because strong passwords are more difficult to create and remember than weak ones.
The second is that users may resort to writing passwords down because some expert decided they needed to change their password every 30 days.
And often you get the password change prompt right when you are about to go on a long holiday, which guarantees that you will not be able to remember it.
One reason for this is that organisations have to show that they are serious about security, and practices like password aging are easy 'objective' metrics to demonstrate, even if they do not provide a measurable improvement in security.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506518</id>
	<title>Re:Interesting</title>
	<author>Anonymous</author>
	<datestamp>1268828040000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>This actually happened. The bill? Well, the company can now never again accept credit cards or 2/3 of their business.</p><p>The problem with disaster cost-benefit is that it's so big, people refuse to believe it. Why on earth would anybody live next to a volcano or earthquake central? They do, by forgetting the risk that's a fact.</p></htmltext>
<tokenext>this actually happened .
the bill ?
well the company can now never again accept credit cards or 2/3 of their business.the problem with disaster cost benefit is that its so big , people refuse to believe it .
Why on earth would anybody live next to volcano or earthquake central .
They do , by forgetting the risk thats a fact,</tokentext>
<sentencetext>this actually happened.
the bill?
well the company can now never again accept credit cards or 2/3 of their business.the problem with disaster cost benefit is that its so big, people refuse to believe it.
Why on earth would anybody live next to volcano or earthquake central.
They do, by forgetting the risk thats a fact,</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502170</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503354</id>
	<title>Re:It's a fundamental human value calculation:</title>
	<author>Anonymous</author>
	<datestamp>1268745240000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The problem as I see it is not that people are idiots, it's that the IT "Professionals" are idiots.</p><p>You complain that people do not understand the cost of prevention vs cost of recovery argument, yet you make no attempt to quantify any of these costs, leaving the user to think that you are simply trying to sell them snake oil just like any insurance salesman.</p><p>And after all, by selling security you really are just selling insurance, and if you can't quantify the cost of recovery and the probability of occurrence, how can you possibly expect a user to make a value decision?</p><p>As an engineering manager I deal with this shit every day; engineers telling me "we should do it this way because it will be cheaper in the long run".  My response is always the same: "How much cheaper?" and this question is usually met with a blank stare, and when I sit and work through the analysis with them the proposal usually turns out to be based on an opinion and with no underlying basis.  In short there is no attempt to understand the cost of "do" vs the cost of "do not".</p><p>So why not try this approach with your customers/stakeholders: "last year, one in x businesses your size without security had a threat realised which cost them on average $Y (therefore cost to do nothing is y/x).  However 1 in j businesses your size with security had a threat realised which cost them $k (therefore cost to do is k/j + security product cost).  As you can see, cost to "do" is way cheaper than cost to "do not" and you will repay your additional outlay in m years"</p><p>This is called analysis, and it is something that you "intelligent" people should be doing more of, instead of all the time you seem to spend stroking yourselves thinking how the rest of the world are idiots.</p></htmltext>
<tokenext>The problem as I see it is not that people are idiots , it 's that the IT " Professionals " are idiots.You complain that people do not understand the cost of prevention vs cost of recovery argument , yet you make no attempt to quantify any of these these costs , leaving the user to think that you are simply trying to sell them snake oil just like any insurance salesman.And after all , by selling security you really are just selling insurance , and if you ca n't quantify the cost of recovery and the probability of occurrence , how can you possibly expect a user to make a value decision ? As an engineering manager I deal with this shit every day ; engineers telling me " we should do it this way because it will be cheaper in the long run " .
My response is always the same : " How much cheaper ?
" and this question is usually met with a blank stare , and when I sit and work through the analysis with then the proposal usually turns out to be based on an opinion and with no underlying basis .
In short there is no attempt to understand the cost of " do " vs the cost of " do not " .So why not try this approach with your customers/stakeholders : " last year , one in x businesses your size without security had a threat realised which cost them on average $ Y ( therefore cost to do nothing is y/x ) .
However 1 in j businesses your size with security had a threat realised which cost them $ k ( therefore cost to do is k/j + security product cost ) .
As you can see , cost to " do " is way cheaper than cost to " do not " and you will repay your additional outlay in m years " This is called analysis , and it is something that you " intelligent " people should be doing more of , instead of al the time you seem to spend stroking yourselves thinking how the rest of the world are idiots .</tokentext>
<sentencetext>The problem as I see it is not that people are idiots, it's that the IT "Professionals" are idiots.You complain that people do not understand the cost of prevention vs cost of recovery argument, yet you make no attempt to quantify any of these these costs, leaving the user to think that you are simply trying to sell them snake oil just like any insurance salesman.And after all, by selling security you really are just selling insurance, and if you can't quantify the cost of recovery and the probability of occurrence, how can you possibly expect a user to make a value decision?As an engineering manager I deal with this shit every day; engineers telling me "we should do it this way because it will be cheaper in the long run".
My response is always the same: "How much cheaper?
" and this question is usually met with a blank stare, and when I sit and work through the analysis with then the proposal usually turns out to be based on an opinion and with no underlying basis.
In short there is no attempt to understand the cost of "do" vs the cost of "do not".So why not try this approach with your customers/stakeholders: "last year, one in x businesses your size without security had a threat realised which cost them on average $Y (therefore cost to do nothing is y/x).
However 1 in j businesses your size with security had a threat realised which cost them $k (therefore cost to do is k/j + security product cost).
As you can see, cost to "do" is way cheaper than cost to "do not" and you will repay your additional outlay in m years"This is called analysis, and it is something that you "intelligent" people should be doing more of, instead of al the time you seem to spend stroking yourselves thinking how the rest of the world are idiots.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505270</id>
	<title>We need to study probability perceptions</title>
	<author>UBfusion</author>
	<datestamp>1268766420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Interesting effort. However I don't see any user model behind it - and in fact economics are a good way to get rid of human models since the process of using average economic behaviour actually marginalises all the unknown parameters that normally should be taken into account for each individual.</p><p>Users' perception of risk, to which the paper devotes only a small paragraph, is to me of paramount importance. For example, personally, I will decide to take more security measures under only either of the two conditions:</p><p>1. If I already have had a security incident in the past (or if a friend/family/colleague of mine had one).</p><p>2. If the risk of a particular attack, as perceived by me, is considered "high".</p><p>Both these are purely experiential factors. Advice from webpages of magazines or my firm's list of security measures are irrelevant to me because I consider their probability of occurring low. But when an accident happens near me, it will raise my perceived probability of the specific threat, and force me to take precautions.</p><p>Therefore, the above two factors increase the (subjective) probability of attacks and thus then and only then become motives for me to educate myself (or convince my friends/family/colleagues that they should listen to me).</p><p>In conclusion, in my humble opinion, users' conceptions of PROBABILITY is the primary factor that should be researched and taken into account when trying to approach security-related user behaviour.</p><p>Anybody familiar with the pioneering (and Nobel prize-worthy) 30-year old work of Tversky &amp; Kahneman will find an abundance of well-established research results that will enable them and guide them to conduct research and publish at least 20 papers on users' (mis)perception of IT security and formulate highly predictive user models based on users' fallacies regarding the evaluation of probability.</p><p>I am giving away this tip for free, since IT security is not my field. I just kindly ask future authors to acknowledge the source of the idea.</p></htmltext>
<tokenext>Interesting effort .
However I do n't see any user model behind it - and in fact economics are a good way to get rid of human models since the process of using average economic behaviour actually marginalises all the unknown parameters that normally should be taken into account for each individual.Users ' perception of risk , to which the paper devotes only a small paragraph , is to me of paramount importance .
For example , personally , I will decide to more security measures under only either of the two conditions : 1 .
If I already have had a security accident incident in the past ( or if a friend/family/colleague of mine had one ) .2 .
If the perceived by me risk of a particular attack is considered as " high " .Both these are purely experiential factors .
Advice from webpages of magazines or my firm 's list of security measures are irrelevant to me because I consider their probability of occurring low .
But when an accident happens near me , it will raise my perceived probability of the specific threat , and force me to take precautions.Therefore , the above two factors increase the ( subjective ) probability of attacks and thus then and only then become motives for me to educate myself ( or convince my friends/family/colleagues that they should listen to me ) .In conclusion , in my humble opinion , users ' conceptions of PROBABILITY is the primary factor that should be researched and taken into account when trying to approach security-related user behaviour.Anybody familiar with the pioneering ( and Nobel prize-worthty ) 30-year old work of Tversky &amp; Kahnemann will find an abundance of well-established research results that will enable them and guide them to conduct research and publish at least 20 papers on users ' ( mis ) perception of IT security and formulate highly predictive user models based on users ' fallacies regarding the evaluation of probability.I am giving away this tip for free , since IT security is not my field .
I just kindly ask future authors to acknowledge the source of the idea .</tokentext>
<sentencetext>Interesting effort.
However I don't see any user model behind it - and in fact economics are a good way to get rid of human models since the process of using average economic behaviour actually marginalises all the unknown parameters that normally should be taken into account for each individual.Users' perception of risk, to which the paper devotes only a small paragraph, is to me of paramount importance.
For example, personally, I will decide to more security measures under only either of the two conditions:1.
If I already have had a security accident incident in the past (or if a friend/family/colleague of mine had one).2.
If the perceived by me risk of a particular attack is considered as "high".Both these are purely experiential factors.
Advice from webpages of magazines or my firm's list of security measures are irrelevant to me because I consider their probability of occurring low.
But when an accident happens near me, it will raise my perceived probability of the specific threat, and force me to take precautions.Therefore, the above two factors increase the (subjective) probability of attacks and thus then and only then become motives for me to educate myself (or convince my friends/family/colleagues that they should listen to me).In conclusion, in my humble opinion, users' conceptions of PROBABILITY is the primary factor that should be researched and taken into account when trying to approach security-related user behaviour.Anybody familiar with the pioneering (and Nobel prize-worthty) 30-year old work of Tversky &amp; Kahnemann will find an abundance of well-established research results that will enable them and guide them to conduct research and publish at least 20 papers on users' (mis)perception of IT security and formulate highly predictive user models based on users' fallacies regarding the evaluation of  probability.I am giving away this tip for free, since IT security is not my field.
I just kindly ask future authors to acknowledge the source of the idea.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503846</id>
	<title>Re:What's up with /. Headlines?</title>
	<author>jlintern</author>
	<datestamp>1268749860000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>noun gerund <b>adjective</b> noun <b>verb</b> adjective - WTF!?</p></div><p>Fixed that for you. "Security" is the type of advice being given, so it is effectively an adjective in this sentence. It's just subject-verb-adjective with a complex subject.</p><p>A headline with the same structure could have been:
"Students Taking Music Lessons Considered Intelligent", which I don't think anyone would have a problem with.</p><p>The real issue with this headline is that it's unclear if 1) advice is rational, 2) the rejection is rational, or 3) the users themselves are rational, which could be made clear by these alternatives:<br>
1) "Users Reject Rational Security Advice, Researcher Argues"<br>
2) "Rejecting Security Advice Is Rational For Users, Researcher Argues"<br>
3) "Rational Users Reject Security Advice, Researcher Argues"</p><p>The "considered" construction can be elegant in some cases but I don't think it should be used when it can introduce this sort of ambiguity.</p>
	</htmltext>
<tokenext>noun gerund adjective noun verb adjective - WTF !
? Fixed that for you .
" Security " is the type of advice being given , so it is effectively an adjective in this sentence .
It 's just subject-verb-adjective with a complex subject.A headline with the same structure could have been : " Students Taking Music Lessons Considered Intelligent " , which I do n't think anyone would have a problem with.The real issue with this headline is that it 's unclear if 1 ) advice is rational , 2 ) the rejection is rational , or 3 ) the users themselves are rational , which could be made clear by these alternatives : 1 ) " Users Reject Rational Security Advice , Researcher Argues " 2 ) " Rejecting Security Advice Is Rational For Users , Researcher Argues " 3 ) " Rational Users Reject Security Advice , Researcher Argues " The " considered " construction can be elegant in some cases but I do n't think it should be used when it can introduce this sort of ambiguity .</tokentext>
<sentencetext>noun gerund adjective noun verb adjective - WTF!
?Fixed that for you.
"Security" is the type of advice being given, so it is effectively an adjective in this sentence.
It's just subject-verb-adjective with a complex subject.A headline with the same structure could have been:
"Students Taking Music Lessons Considered Intelligent", which I don't think anyone would have a problem with.The real issue with this headline is that it's unclear if 1) advice is rational, 2) the rejection is rational, or 3) the users themselves are rational, which could be made clear by these alternatives:
1) "Users Reject Rational Security Advice, Researcher Argues"
2) "Rejecting Security Advice Is Rational For Users, Researcher Argues" 
3) "Rational Users Reject Security Advice, Researcher Argues"The "considered" construction can be elegant in some cases but I don't think it should be used when it can introduce this sort of ambiguity.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31527394</id>
	<title>Re:Interesting</title>
	<author>Simetrical</author>
	<datestamp>1268945460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>This is actually one of the examples from TFA.  The contention is that the statistics show that a majority of the certificate errors that users run across are false positives</p></div><p>You're grossly understating their conclusion (emphasis added):</p><blockquote><div><p>Ironically, one place a user will almost certainly never see a certificate error is on a phishing or malware hosting site. That is, using certificates is almost unknown among the reported phishing sites in PhishTank [7]. The rare cases that employ certificates use valid ones. The same is true of sites that host malicious content. Attackers wisely calculate that it is far better to go without a certificate than risk the warning. <strong>In fact, as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever.</strong></p></div></blockquote><p>Repeated for people who skimmed the quote: "In fact, as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever."</p>
	</htmltext>
<tokenext>This is actually one of the examples from TFA .
The contention is that the statistics show that a majority of the certificate errors that users run across are false positivesYou 're grossly understating their conclusion ( emphasis added ) : Ironically , one place a user will almost certainly never see a certificate error is on a phishing or malware hosting site .
That is , using certificates is almost unknown among the reported phishing sites in PhishTank [ 7 ] .
The rare cases that employ certificates use valid ones .
The same is true of sites that host malicious content .
Attackers wisely calculate that it is far better to go without a certificate than risk the warning .
In fact , as far as we can determine , there is no evidence of a single user being saved from harm by a certificate error , anywhere , ever .
Repeated for people who skimmed the quote : " In fact , as far as we can determine , there is no evidence of a single user being saved from harm by a certificate error , anywhere , ever .
"</tokentext>
<sentencetext>This is actually one of the examples from TFA.
The contention is that the statistics show that a majority of the certificate errors that users run across are false positivesYou're grossly understating their conclusion (emphasis added):Ironically, one place a user will almost certainly never see a certificate error is on a phishing or malware hosting site.
That is, using certificates is almost unknown among the reported phishing sites in PhishTank [7].
The rare cases that employ certificates use valid ones.
The same is true of sites that host malicious content.
Attackers wisely calculate that it is far better to go without a certificate than risk the warning.
In fact, as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever.
Repeated for people who skimmed the quote: "In fact, as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever.
"
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502738</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502118</id>
	<title>Re:Interesting</title>
	<author>Anonymous</author>
	<datestamp>1268737500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>"Lots of these "dumb endusers" fully understand the security and the solution and the cost,"<br> <br>

Not my experience, not by a long shot.  Most people do not care enough about security to learn about it.  For example, advising users to actually read warnings about SSL -- after 5 words, they are bored and go back to ignoring SSL warnings (and in some cases, falling victim to MITM attacks).  We are not talking about costly solutions here, just basic, unintrusive guidelines that people are ignoring.</htmltext>
<tokenext>" Lots of these " dumb endusers " fully understand the security and the solution and the cost , " Not my experience , not by a long shot .
Most people do not care enough about security to learn about it .
For example , advising users to actually read warnings about SSL -- after 5 words , they are bored and go back to ignoring SSL warnings ( and in some cases , falling victim to MITM attacks ) .
We are not talking about costly solutions here , just basic , unintrusive guidelines that people are ignoring .</tokentext>
<sentencetext>"Lots of these "dumb endusers" fully understand the security and the solution and the cost," 

Not my experience, not by a long shot.
Most people do not care enough about security to learn about it.
For example, advising users to actually read warnings about SSL -- after 5 words, they are bored and go back to ignoring SSL warnings (and in some cases, falling victim to MITM attacks).
We are not talking about costly solutions here, just basic, unintrusive guidelines that people are ignoring.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502940</id>
	<title>Re:good advice versus bad advice; costs to others</title>
	<author>Rockoon</author>
	<datestamp>1268742240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I am reminded of a skit by the stand-up economist, Yoram Bauman.<br>
<br>
"If rational people think at the margin, then people aren't rational. Nobody goes to the store and thinks <i>I'm going to buy an orange. I'm going to buy another orange. I'm going to buy another orange. I'm going to buy another orange.... </i>"</htmltext>
<tokenext>I am reminded of a skit by the stand-up economist , Yoram Bauman .
" If rational people think at the margin , then people arent rational .
Nobody goes to the store and thinks I 'm going to buy an orange .
I 'm going to buy another orange .
I 'm going to buy another orange .
I 'm going to buy another orange.... "</tokentext>
<sentencetext>I am reminded of a skit by the stand-up economist, Yoram Bauman.
"If rational people think at the margin, then people arent rational.
Nobody goes to the store and thinks I'm going to buy an orange.
I'm going to buy another orange.
I'm going to buy another orange.
I'm going to buy another orange.... "</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31513830</id>
	<title>Re:Windows Joke</title>
	<author>Anonymous</author>
	<datestamp>1268858040000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Get out of here you gitdarn good for nuthin' commie!</p><p>I's gots to get mine.  I'm entitled to it.  Everyone else can pull themselves up by the bootstraps.</p></htmltext>
<tokenext>Get out of here you gitdarn good for nuthin ' commie ! I 's gots to get mine .
I 'm entitled to it .
Everyone else can pull themselves up by the bootstraps .</tokentext>
<sentencetext>Get out of here you gitdarn good for nuthin' commie!I's gots to get mine.
I'm entitled to it.
Everyone else can pull themselves up by the bootstraps.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503672</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503238</id>
	<title>I used to agree with you ...</title>
	<author>nadahlman</author>
	<datestamp>1268744160000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>5</modscore>
	<htmltext><p>I used to hate expiring passwords on the financial data systems where I used to work. Then one day the Comptroller was locked out of his own account because he had tried his old password too many times. But it turned out the Comptroller was on vacation and hadn't even tried to log in.</p><p>It turned out that an inside person had put a physical keylogger (USB pass-through device between computer and keyboard, ordered straight from China) on the Comptroller's computer one night and collected it a week later, and then subtly tampered with her own salary. She had also stolen the e-mail passwords of any employee who would have been alerted about the change, and instantly deleted the e-mail notifications as soon as she modified the system. She was sophisticated enough to alter other logs and alerts as well.</p><p>We might have locked down our internal systems better to begin with, but I have to say that she might have gotten away with it if it hadn't been for those darn password changes.</p></htmltext>
<tokenext>I used to hate expiring passwords on the financial data systems where I used to work .
Then one day the Comptroller was locked out of his own account because he had tried his old password too many times .
But it turned out the Comptroller was on vacation and had n't even tried to log in.It turned out that an inside person had put a physical keylogger ( USB pass-through device between computer and keyboard , ordered straight from China ) on the Comptroller 's computer one night and collected it a week later , and then subtly tampered with her own salary .
She had also stolen the e-mail passwords of any employee who would have been alerted about the change , and instantly deleted the e-mail notifications as soon as she modified the system .
She was sophisticated enough to alter other logs and alerts as well.We might have locked down our internal systems better to begin with , but I have to say that she might have gotten away with it if it had n't been for those darn password changes .</tokentext>
<sentencetext>I used to hate expiring passwords on the financial data systems where I used to work.
Then one day the Comptroller was locked out of his own account because he had tried his old password too many times.
But it turned out the Comptroller was on vacation and hadn't even tried to log in.It turned out that an inside person had put a physical keylogger (USB pass-through device between computer and keyboard, ordered straight from China) on the Comptroller's computer one night and collected it a week later, and then subtly tampered with her own salary.
She had also stolen the e-mail passwords of any employee who would have been alerted about the change, and instantly deleted the e-mail notifications as soon as she modified the system.
She was sophisticated enough to alter other logs and alerts as well.We might have locked down our internal systems better to begin with, but I have to say that she might have gotten away with it if it hadn't been for those darn password changes.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503438</id>
	<title>Good article!</title>
	<author>Geoffrey.landis</author>
	<datestamp>1268745900000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><p>I have to say, the <a href="http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf" title="microsoft.com">linked</a> [microsoft.com] article is the best article on security that I have ever read; and, for that matter, just about the first one that ever considers the radical concept that the user's time is of value.</p><div class="quote"><p>"Third, the claimed benefits are not based on evidence:<br>we have a real scarcity of data on the frequency and<br>severity of attacks."</p></div><p>This is a very good point.  What fraction of attacks are frustrated by making users change their passwords from one which is chosen from a set of 1E12 possible passwords, to one which is one of 1E20 possible passwords?  How much safer do they get if you then say they have to have a symbol as well?</p><p>When they make me jump through hoops, I'd like to know what exactly I'm gaining.</p>
	</htmltext>
<tokenext>I have to say , the linked [ microsoft.com ] article is the best article on security that I have ever read ; and , for that matter , just about the first one that ever considers the radical concept that the user 's time is of value .
" Third , the claimed benefits are not based on evidence : we have a real scarcity of data on the frequency andseverity of attacks .
" This is a very good point .
What fraction of attacks are frustrated by making users change their passwords from one which is chosen from a set of 1E12 possible passwords , to one which is one of 1E20 possible passwords ?
How much safer do they get if you then say they have to have a symbol as well ? When they make me jump through hoops , I 'd like to know what exactly I 'm gaining .</tokentext>
<sentencetext>I have to say, the linked [microsoft.com] article is the best article on security that I have ever read; and, for that matter, just about the first one that ever considers the radical concept that the user's time is of value.
"Third, the claimed benefits are not based on evidence:we have a real scarcity of data on the frequency andseverity of attacks.
"This is a very good point.
What fraction of attacks are frustrated by making users change their passwords from one which is chosen from a set of 1E12 possible passwords, to one which is one of 1E20 possible passwords?
How much safer do they get if you then say they have to have a symbol as well?When they make me jump through hoops, I'd like to know what exactly I'm gaining.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570</id>
	<title>What's up with /. Headlines?</title>
	<author>AlgorithMan</author>
	<datestamp>1268740080000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><blockquote><div><p>Users Rejecting Security Advice Considered Rational</p></div></blockquote><p>
noun gerund noun noun gerund adjective - WTF!?<br>
is sentence structure really that hard? how about</p><blockquote><div><p>Users reject security advice, that are considered rational</p></div></blockquote><p>
?<br>
What is up with /. headlines? lately you see lots like this one. It looks like
someone had thrown a dictionary into a blender...</p>
	</htmltext>
<tokenext>Users Rejecting Security Advice Considered Rational noun gerund noun noun gerund adjective - WTF ! ?
is sentence structure really that hard ?
how aboutUsers reject security advice , that are considered rational ?
What is up with / .
headlines ? lately you see lots like this one .
It looks like someone had thrown a dictionary into a blender.. .</tokentext>
<sentencetext>Users Rejecting Security Advice Considered Rational
noun gerund noun noun gerund adjective - WTF!?
is sentence structure really that hard?
how about Users reject security advice, that are considered rational
?
What is up with /.
headlines? Lately you see lots like this one.
It looks like
someone had thrown a dictionary into a blender...
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501894</id>
	<title>No Economic Incentive?</title>
	<author>jjoelc</author>
	<datestamp>1268736420000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>How about this one... At least in businesses...</p><p>Users in a business generally have very little if any incentive to follow any security policy that does not happen automatically, without any intervention on their part.</p><p>It is not their data, not their computer, and generally not their problem. If something goes wrong... they might have to move to another desk for a little while, while "the computer guy" "fixes" everything for them. They might even get a slap on the wrist for not following policy... But generally, the "users" have no reason to interrupt their busy day with any security policy that interrupts their busy schedule (of facebook and slashdot browsing). When malware hits, it is inevitably not their fault, but rather the fault of those same "computer guys" who have to go in and fix it.</p><p>Ain't reality a bitch?</p></htmltext>
<tokenext>How about this one... At least in businesses...Users in a business generally have very little if any incentive to follow any security policy that does not happen automatically , without any intervention on their part.It is not their data , not their computer , and generally not their problem .
If something goes wrong... they might have to move to another desk for a little while , while " the computer guy " " fixes " everything for them .
They might even get a slap on the wrist for not following policy... But generally , the " users " have no reason to interrupt their busy day with any security policy that interrupts their busy schedule ( of facebook and slashdot browsing ) .
When malware hits , it is inevitably not their fault , but rather the fault of those same " computer guys " who have to go in and fix it.Ai n't reality a bitch ?</tokentext>
<sentencetext>How about this one... At least in businesses...
Users in a business generally have very little if any incentive to follow any security policy that does not happen automatically, without any intervention on their part.
It is not their data, not their computer, and generally not their problem.
If something goes wrong... they might have to move to another desk for a little while, while "the computer guy" "fixes" everything for them.
They might even get a slap on the wrist for not following policy... But generally, the "users" have no reason to interrupt their busy day with any security policy that interrupts their busy schedule (of facebook and slashdot browsing).
When malware hits, it is inevitably not their fault, but rather the fault of those same "computer guys" who have to go in and fix it.
Ain't reality a bitch?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504304</id>
	<title>Sounds like this guy rediscovered K.I.S.S.</title>
	<author>JSBiff</author>
	<datestamp>1268754120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>In one of the sections of this article, the author uses, as an example, how complex URL 'interpretation' can be for average users, going over all sorts of ways phishers can attack bank/ebay/paypal/amazon URLs.</p><p>I figured this out a long time ago. I'm very much a K.I.S.S. (Keep It Simple, Stupid.) advocate with regards to this particular problem. The advice I would give any 'average user' who came to me is simple: never click links, or call phone numbers, or use any other communications mechanism provided in emails purporting to come from a business entity. If it claims to come from your bank, you should probably call your bank's customer service phone number (from your bank statement or ATM card, or if you know your bank's URL, open your browser and type it in yourself, or use a bookmark you have already previously saved in your browser from a previous visit to the bank's website) to verify if there is a problem with your account. Just take the email completely out of the equation.</p><p>That way, they don't have to judge if the email and link are legitimate or not - just don't use the email.</p><p>Links that are just to a page of photos, or a map, or something like that, are ok to click, generally, but if any link you follow from an email asks you for personal info or a login, or asks you to download something to the computer, just close the browser, step back, and do the above (e.g. calling the bank/business, or opening a new browser window and going to the proper website manually or by bookmark).</p><p>With that advice, I have to teach them exactly nothing about how to understand URLs. It's also fairly common-sense advice that most people can easily understand - it's very unlikely that the phone number on your bank statements and cards is not 'authentic'. 
Most bank statements probably include the URL of the bank's website, too, these days - mine definitely do.</p><p>By not following links in emails, you can avoid probably 99% of phishing attacks - no matter how cleverly they manage to disguise the links in the email.</p></htmltext>
<tokenext>In one of the sections of this article , the author uses , as an example , how complex URL 'interpretation ' can be for average users , going over all sorts of ways phishers can attack bank/ebay/paypal/amazon URL 's.I figured this out a long time ago .
I 'm very much a K.I.S.S. ( Keep It Simple , Stupid . ) advocate with regards to this particular problem .
The advice I would give any 'average user ' who came to me is simple : never click links , or call phone numbers , or use any other communications mechanism provided in emails purporting to come from a business entity .
If it claims to come from your bank , you should probably call your bank 's customer service phone number ( from your bank statement or ATM card , or if you know your bank 's URL , open your browser and type it in yourself , or use a bookmark you have already previously saved in your browser from a previous visit to the bank 's website ) to verify if there is a problem with your account .
Just take the email completely out of the equation.That way , they do n't have to judge if the email and link are legitimate or not - just do n't use the email.Links that are just to a page of photos , or a map , or something like that , are ok to click , generally , but if any link you follow from an email asks you for personal info or a login , or asks you to download something to the computer , just close the browser , step back , and do the above ( e.g .
calling the bank/business , or opening a new browser window and going to the proper website manually or by bookmark ) .With that advice , I have to teach them exactly nothing about how to understand URLs .
It 's also fairly common-sense advice that most people can easily understand - it 's very unlikely that the phone number on your bank statements and cards is not 'authentic' .
Most bank statements probably include the URL of the bank 's website , too , these days - mine definitely do.By not following links in emails , you can avoid probably 99 % of phishing attacks - no matter how cleverly they manage to disguise the links in the email .</tokentext>
<sentencetext>In one of the sections of this article, the author uses, as an example, how complex URL 'interpretation' can be for average users, going over all sorts of ways phishers can attack bank/ebay/paypal/amazon URLs.
I figured this out a long time ago.
I'm very much a K.I.S.S. (Keep It Simple, Stupid.) advocate with regards to this particular problem.
The advice I would give any 'average user' who came to me is simple: never click links, or call phone numbers, or use any other communications mechanism provided in emails purporting to come from a business entity.
If it claims to come from your bank, you should probably call your bank's customer service phone number (from your bank statement or ATM card, or if you know your bank's URL, open your browser and type it in yourself, or use a bookmark you have already previously saved in your browser from a previous visit to the bank's website) to verify if there is a problem with your account.
Just take the email completely out of the equation.
That way, they don't have to judge if the email and link are legitimate or not - just don't use the email.
Links that are just to a page of photos, or a map, or something like that, are ok to click, generally, but if any link you follow from an email asks you for personal info or a login, or asks you to download something to the computer, just close the browser, step back, and do the above (e.g. calling the bank/business, or opening a new browser window and going to the proper website manually or by bookmark).
With that advice, I have to teach them exactly nothing about how to understand URLs.
It's also fairly common-sense advice that most people can easily understand - it's very unlikely that the phone number on your bank statements and cards is not 'authentic'.
Most bank statements probably include the URL of the bank's website, too, these days - mine definitely do.
By not following links in emails, you can avoid probably 99% of phishing attacks - no matter how cleverly they manage to disguise the links in the email.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502640</id>
	<title>Security on the web</title>
	<author>daffey</author>
	<datestamp>1268740440000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>Technically savvy people are missing the point.  The average user doesn't understand how to install, understand messages, etc. of all the security issues out there. (myself included) The average Joe is fearful of his security, but cannot negotiate the maze of security issues.  They go to retailers for answers, and get soaked for software solutions, much of which isn't any better than the free solutions, etc.
They are not "stupid/lazy/ or penny pinchers".  Some (probably most) are smarter than the geeks on the web, but just in other areas.  Or were born before transistors existed, and Bakelite was the major synthetic insulator in electronics.</htmltext>
<tokenext>Technically savvy people are missing the point .
The average user does n't understand how to install , understand messages , etc. of all the security issues out there .
( myself included ) The average Joe is fearful of his security , but can not negotiate the maze of security issues .
They go to retailers for answers , and get soaked for software solutions , much of which is n't any better than the free solutions , etc .
They are not " stupid/lazy/ or penny pinchers " .
Some ( probably most ) are smarter than the geeks on the web , but just in other areas .
Or were born before transistors existed , and Bakelite was the major synthetic insulator in electronics .</tokentext>
<sentencetext>Technically savvy people are missing the point.
The average user doesn't understand how to install, understand messages, etc. of all the security issues out there.
(myself included) The average Joe is fearful of his security, but cannot negotiate the maze of security issues.
They go to retailers for answers, and get soaked for software solutions, much of which isn't any better than the free solutions, etc.
They are not "stupid/lazy/ or penny pinchers".
Some (probably most) are smarter than the geeks on the web, but just in other areas.
Or were born before transistors existed, and Bakelite was the major synthetic insulator in electronics.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504702</id>
	<title>Re:It's a fundamental human value calculation:</title>
	<author>Cabriel</author>
	<datestamp>1268758080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Or, as others in this thread have put it, people are idiots.</p></div><p>Or, perhaps, smarter than you give them credit for and you're using an unfortunately vocal minority to judge the whole. I'm not saying it's a small minority, but most people I know have no problems with viruses/botnets/rootkits nor identity theft.</p></div>
	</htmltext>
<tokenext>Or , as others in this thread have put it , people are idiots.Or , perhaps , smarter than you give them credit for and you 're using an unfortunately vocal minority to judge the whole .
I 'm not saying it 's a small minority , but most people I know have no problems with viruses/botnets/rootkits nor identity theft .</tokentext>
<sentencetext>Or, as others in this thread have put it, people are idiots.
Or, perhaps, smarter than you give them credit for and you're using an unfortunately vocal minority to judge the whole.
I'm not saying it's a small minority, but most people I know have no problems with viruses/botnets/rootkits nor identity theft.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506740</id>
	<title>Maybe the average user has little to fear.</title>
	<author>Simulant</author>
	<datestamp>1268830140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>
&nbsp; &nbsp; This is going to piss everyone off but seriously...</p><p>
&nbsp; &nbsp; Other than the hassle of an infected/compromised and possible identity theft, what do most people have to fear if their PC is compromised?   The worst case for most people would be identity theft, and most of those cases would simply result in bogus credit card charges which, in general, get refunded by the credit card agency.   Clean your PC, cancel your card(s), &amp; change your passwords and get on with your life.  Many worse things can happen.</p><p>
&nbsp; &nbsp; I'm sure you can all come up with more serious doomsday scenarios and there will always be serious exceptions but give me just one that has the likelihood &amp; consequences to make an average user really care.</p><p>
&nbsp; &nbsp; I would even say the average business has little to fear as well.  Certainly their employees do.</p></htmltext>
<tokenext>    This is going to piss everyone off but seriously.. .     Other than the hassle of an infected/compromised and possible identity theft , what do most people have to fear if their PC is compromised ?
The worst case for most people would be identity theft , and most of those cases would simply result in bogus credit card charges which , in general , get refunded by the credit card agency .
Clean your PC , cancel your card ( s ) , &amp; change your passwords and get on with your life .
Many worse things can happen .
    I 'm sure you can all come up with more serious doomsday scenarios and there will always be serious exceptions but give me just one that has the likelihood &amp; consequences to make an average user really care .
    I would even say the average business has little to fear as well .
Certainly their employees do .</tokentext>
<sentencetext>
    This is going to piss everyone off but seriously...
    Other than the hassle of an infected/compromised and possible identity theft, what do most people have to fear if their PC is compromised?
The worst case for most people would be identity theft, and most of those cases would simply result in bogus credit card charges which, in general, get refunded by the credit card agency.
Clean your PC, cancel your card(s), &amp; change your passwords and get on with your life.
Many worse things can happen.
    I'm sure you can all come up with more serious doomsday scenarios and there will always be serious exceptions but give me just one that has the likelihood &amp; consequences to make an average user really care.
    I would even say the average business has little to fear as well.
Certainly their employees do.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501906</id>
	<title>the real reason</title>
	<author>Anonymous</author>
	<datestamp>1268736480000</datestamp>
	<modclass>Funny</modclass>
	<modscore>1</modscore>
	<htmltext><p>People reject security advice because everybody knows at least one poor sucker that is tech-savvy and can fix their FUBAR system.  That person may do it grudgingly, may b*tch the entire time, but they'll still do it.  Not only that, they'll do it for free.  Sound familiar?</p></htmltext>
<tokenext>People reject security advice because everybody knows at least one poor sucker that is tech-savvy and can fix their FUBAR system .
That person may do it grudgingly , may b * tch the entire time , but they 'll still do it .
Not only that , they 'll do it for free .
Sound familiar ?</tokentext>
<sentencetext>People reject security advice because everybody knows at least one poor sucker that is tech-savvy and can fix their FUBAR system.
That person may do it grudgingly, may b*tch the entire time, but they'll still do it.
Not only that, they'll do it for free.
Sound familiar?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503518</id>
	<title>Another possibility...</title>
	<author>WeatherGod</author>
	<datestamp>1268746560000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>
For some family members where I have suggested very basic security steps like disabling automatic logins, turning automatic updates on for everything (not just Windows), and a few other usual steps, they have asked "what for?  The hackers are gonna get in anyway!"
</p><p>
It has become so ingrained in them that hackers are everywhere and that they are so talented that it is futile to resist.  Quite honestly, I can't understand this mentality, but it does exist.
</p></htmltext>
<tokenext>For some family members where I have suggested very basic security steps like disabling automatic logins , turning automatic updates on for everything ( not just Windows ) , and a few other usual steps , they have asked " what for ?
The hackers are gon na get in anyway !
" It has become so ingrained in them that hackers are everywhere and that they are so talented that it is futile to resist .
Quite honestly , I ca n't understand this mentality , but it does exist .</tokentext>
<sentencetext>
For some family members where I have suggested very basic security steps like disabling automatic logins, turning automatic updates on for everything (not just Windows), and a few other usual steps, they have asked "what for?
The hackers are gonna get in anyway!"

It has become so ingrained in them that hackers are everywhere and that they are so talented that it is futile to resist.
Quite honestly, I can't understand this mentality, but it does exist.
</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504162</id>
	<title>Of Course</title>
	<author>CrazyDuke</author>
	<datestamp>1268752800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Of course it's an economic assessment.  And, you are dealing with people that think the lottery is the best-shot investment strategy for retirement.  Bad stuff only happens to bad people and I am a good person.  So, what's the point of this again?</p></htmltext>
<tokenext>Of course it 's an economic assessment .
And , you are dealing with people that think the lottery is the best-shot investment strategy for retirement .
Bad stuff only happens to bad people and I am a good person .
So , what 's the point of this again ?</tokentext>
<sentencetext>Of course it's an economic assessment.
And, you are dealing with people that think the lottery is the best-shot investment strategy for retirement.
Bad stuff only happens to bad people and I am a good person.
So, what's the point of this again?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506516</id>
	<title>Re:6. Change often</title>
	<author>Anonymous</author>
	<datestamp>1268827980000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>In theory, if you change your password often enough before the brute-force being complete, the attacker would have to start all over again.</p></div><p>Nice theory, but wrong. Assuming a reasonably strong password, the probability of guessing the password in the first n attempts is roughly equal to the probability of guessing it with the next n attempts.</p></div>
	</htmltext>
<tokenext>In theory , if you change your password often enough before the brute-force being complete , the attacker would have to start all over again.Nice theory , but wrong .
Assuming a reasonably strong password , the probability of guessing the password in the first n attempts is roughly equal to the probability of guessing it with the next n attempts .</tokentext>
<sentencetext>In theory, if you change your password often enough before the brute-force being complete, the attacker would have to start all over again.
Nice theory, but wrong.
Assuming a reasonably strong password, the probability of guessing the password in the first n attempts is roughly equal to the probability of guessing it with the next n attempts.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502196</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31511518</id>
	<title>Re:It's obvious</title>
	<author>psydeshow</author>
	<datestamp>1268850840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>If "users should write passwords down and keep the written-down password in a convenient, easy to access location" is part of your security plan, frequent resets and complicated password rules should do it.</p></div><p>Good, that's what I want. A strong password, written on a card that the user keeps in their wallet or pocketbook along with their other valuables. Theft happens, but at least the user will know right away if their wallet was stolen.</p><p>People aren't afraid of strong passwords, they're afraid of having to memorize and recall strong passwords.</p></div>
	</htmltext>
<tokenext>If " users should write passwords down and keep the written-down password in a convenient , easy to access location " is part of your security plan , frequent resets and complicated password rules should do it.Good , that 's what I want .
A strong password , written on a card that the user keeps in their wallet or pocketbook along with their other valuables .
Theft happens , but at least the user will know right away if their wallet was stolen.People are n't afraid of strong passwords , they 're afraid of having to memorize and recall strong passwords .</tokentext>
<sentencetext>If "users should write passwords down and keep the written-down password in a convenient, easy to access location" is part of your security plan, frequent resets and complicated password rules should do it.
Good, that's what I want.
A strong password, written on a card that the user keeps in their wallet or pocketbook along with their other valuables.
Theft happens, but at least the user will know right away if their wallet was stolen.
People aren't afraid of strong passwords, they're afraid of having to memorize and recall strong passwords.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503178</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505104</id>
	<title>Re:sentence structure</title>
	<author>Anonymous</author>
	<datestamp>1268763420000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Users Rejecting Security Advice Considered <i>to be</i> Rational</p><p>Simple and clear.</p></htmltext>
<tokenext>Users Rejecting Security Advice Considered to be Rational Simple and clear .</tokentext>
<sentencetext>Users Rejecting Security Advice Considered to be Rational
Simple and clear.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570</parent>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505698
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502788
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503130
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502196
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503560
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505718
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_55</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504496
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_46</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503894
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_62</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505470
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_45</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503712
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_36</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502946
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_52</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502828
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502478
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501810
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31511018
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_37</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501906
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502806
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502180
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502700
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31507030
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_39</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502170
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_44</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503238
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31514006
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_67</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503452
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_58</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31508934
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_29</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31507706
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_34</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31514568
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502110
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502330
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505496
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503478
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_59</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502034
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505104
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_66</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503438
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31511918
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_49</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503570
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501896
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506924
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503984
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_31</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502134
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505378
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_56</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503838
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503846
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_61</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503354
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504900
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503968
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502788
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503178
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31511518
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502110
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502406
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_48</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502196
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505352
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_53</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502170
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506518
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_38</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31513856
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_60</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31514664
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_43</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502110
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502662
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502170
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31507094
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504022
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502346
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_50</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504882
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506386
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502170
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503314
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_35</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506108
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_51</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503116
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_42</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506394
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_65</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502750
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_41</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505078
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_32</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504702
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504836
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503902
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_57</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503672
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31513830
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502466
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_33</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503518
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31526414
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_64</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502196
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506516
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_47</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503516
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_40</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502118
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502738
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31527394
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_63</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502940
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_54</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503646
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_16_1931214_30</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502856
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501900
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503452
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502904
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506108
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505470
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505078
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31507706
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504836
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505698
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503478
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502570
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503894
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504496
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503646
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504022
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505104
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503516
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503570
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503846
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505718
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501726
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501804
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31513856
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502672
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503712
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503984
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31508934
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503672
----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31511018
----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31513830
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31514664
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503902
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506386
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506394
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501896
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506924
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501810
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502110
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502662
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502406
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502330
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503518
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31526414
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502100
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502196
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506516
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505352
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503560
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502030
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504900
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502940
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503838
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504882
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502466
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502750
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502254
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501834
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502828
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503354
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31504702
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503116
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31514568
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503438
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31511918
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501894
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502202
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502788
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503130
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503178
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31511518
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503238
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31514006
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502700
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31507030
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505496
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501906
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502806
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501822
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502346
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503968
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502170
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503258
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31506518
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503314
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31507094
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502118
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502738
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31527394
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502856
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502180
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_16_1931214.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31501838
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502946
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502588
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502134
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31503534
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31505378
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502034
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_16_1931214.31502478
</commentlist>
</conversation>
