
No, it was the "Use sound computing practices and you'll probably be OK, but you could still be hit by a bus if you step outside and an asteroid if you don't" argument. In other words, the same sort of compromise that we all make every day when we interact with the world.

What I hear you saying is that we all have to weigh risk vs. benefit as we interact with the world. I certainly agree in principle, but maybe we don't judge the sides the same way.

I saw one study claiming the majority of PCs (59%) are pwned by malware. This seemed to be a bit biased and non-scientific, but we know there are multi-million node botnets so the actual number is quite high. So the comparison isn't with the risk of getting hit by a bus; the baseline expectation from the typical user behavior you advocate is to be compromised periodically.

I work for a data security company by day and research that stuff at night too. So I'm painfully aware that on any given day there are usually multiple not-yet-patched vulnerabilities. Occasionally I have customer info on my computer, info about not-yet-public vulnerabilities, or I just can't afford the energy needed to clean up afterwards if I were to get pwned. I judge the downside risk much higher than the upside.

So I mostly interact with the web with a browser in NoScript mode, and even that via a series of virtual machines and remote access that don't allow file or clipboard sharing. It turns out that I liked the web better without the 2.0 anyway.

We probably won't be able to find common ground, though -- I actually prefer to see ads for oscilloscopes and hosting services, rather than tampons and farm implements.

Now if there were a way to allow only Oscilloscope Pr0n I'd be all over that. I do in fact have DigiKey and Mouser whitelisted. :-)




I certainly agree in principle, but maybe we don't judge the sides the same way. ... I saw one study claiming the majority of PCs (59%) are pwned by malware.

How many of those attacks came through Javascript, though? It would be interesting if there were a public resource that keeps track of attack vectors, so we could accurately assess the risks.


How many of those attacks came through Javascript, though?

The majority of the opportunistic drive-by web malware seems to depend on script. Sometimes the vulnerability is in the Javascript interpreter itself, sometimes the attacker wants to lightly obfuscate web sites and payloads from scanners, and sometimes it seems the malware authors are just lousy web designers using script gratuitously.

If you also eliminate Adobe products from your attack surface, you've bypassed a huge percentage of web malware.

Of course if you're the subject of a targeted attack then all bets are off.

It would be interesting if there were a public resource that keeps track of attack vectors, so we could accurately assess the risks.

There are many, but for specific bugs they try to agree on at least the central "CVE" number: http://cve.mitre.org/ http://web.nvd.nist.gov/view/vuln/search-results?query=javas... http://www.kb.cert.org/vuls/

For attack vectors in general, see: http://cwe.mitre.org/data/slices/2000.html http://cwe.mitre.org/
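To make the "lightly obfuscate web sites and payloads from scanners" point above concrete from the scanner's side, here is an added toy heuristic (not from any commenter, product or the linked databases): it scores script text on a few cheap signals that ordinary page code rarely shows together. The two sample scripts, the call list and the thresholds are constructed assumptions for illustration.

```python
import math
import re

# Constructed samples (not taken from any real site): one ordinary page script,
# one that hides its strings behind hex/percent escapes and unpacks them at runtime.
BENIGN_SCRIPT = """
function updateCart(items) {
  var total = 0;
  for (var i = 0; i < items.length; i++) { total += items[i].price; }
  document.getElementById('total').textContent = total.toFixed(2);
}
"""

OBFUSCATED_SCRIPT = r"""
var _0x1a=['\x64\x6f\x63\x75\x6d\x65\x6e\x74','\x77\x72\x69\x74\x65'];
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%22%29'));
"""

# Runtime-unpacking calls that legitimate code seldom needs (assumed list).
SUSPICIOUS_CALLS = ('eval(', 'unescape(', 'String.fromCharCode', 'document.write(')
# Eight or more consecutive \xHH or %HH escapes: text hidden from plain-string matching.
ESCAPE_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){8,}')

def shannon_entropy(text):
    """Bits per character; packed or encoded blobs score higher than plain code."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def obfuscation_indicators(script):
    """Return the raw signals so a caller can tune thresholds or log them."""
    return {
        'suspicious_calls': sum(script.count(c) for c in SUSPICIOUS_CALLS),
        'escape_runs': len(ESCAPE_RUN.findall(script)),
        'entropy': round(shannon_entropy(script), 2),
    }

def looks_obfuscated(script, min_calls=2, min_runs=1):
    """Flag a script when it unpacks strings at runtime or carries long escape runs."""
    ind = obfuscation_indicators(script)
    return ind['suspicious_calls'] >= min_calls or ind['escape_runs'] >= min_runs
```

Heuristics like this only raise a flag for review; a single `eval` or a legitimately packed library will trip them, which is why the thresholds are parameters rather than fixed verdicts.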



