Security Basics mailing list archives

Re: Security and the Under 30 User


From: Wes Deviers <wdevie () hrcsb org>
Date: Fri, 08 Feb 2008 14:56:53 -0500

This is a poignant post. I recently switched jobs, moving from General IT consulting to what has always been my home (Linux & security). I took an unfortunate hiatus from it during the rush to find money after college. I started doing Linux admin "stuff" at 16, and managed a dial-up ISP by 18. The typical story of a man who went through high school without a prom date... I am 25, now.

The job I moved from was at a company composed solely of graduates from my university, the oldest being 27. That's an important point; it set not only the structure of the company, but also the culture. In management's view, we were following the Google Model: if you give people enough rope...they'll make a rocket ship out of rope. With that background, my comments are inline and just a bit Devil's Advocatey.

On 02/07/2008 12:25 PM, net sec consule wrote:
Hi,

First, the disclaimer: I am over 40, have never been
'cool' and I have always been considered 'the tall,
lanky, four-eyed geek.'  But I don't get the under-30
crowd's attitude towards IT security. Can someone
please give me a clue? I am at a loss how to respond
to the attitude I hear, and it impacts my client's
security and my credibility.

I have been doing network security consulting for over
15 years. I also do several public service IT security
presentations to community and professional groups
each month. In either environment, I consistently get
a hostile reception from those under 30. The attitude
I get is "IT security is a bunch of moronic bull
(expletive deleted) dreamed up by paranoid moronic
geezers to justify their existence."

First, you have to remember that most of these folks recently graduated from a university where the computer security policy was managed by campus IT. Campus IT is necessarily one-size-fits-all. For instance, where I went to school they block all outbound and inbound SMTP traffic unless you jump through the approval hoops; they also shut down POP3 and IMAP access "for security". From an IT point of view, it's a great idea. From a user perspective, it forced everybody to stop using fat clients and move to whatever crappy web UI the school could come up with. And it was, of course, much slower.

Then you have the overzealous IT folks who decided to shut down BitTorrent, Kazaa/Morpheus/Limewire, etc., and did it in the name of "security". True! People using Limewire irresponsibly can beat up their computers pretty bad. And considering the school gave everybody a copy of Symantec Corporate, they may as well not have had any antivirus. But the -real- reason was because they didn't want to pay for more bandwidth and a bigger Packeteer. "Security" gets the shaft again.

So you can see why recent university graduates might be hostile toward computer security.

In my consulting practice, I often find that under-30
users either don't have anti-virus or anti-spyware
installed. Or, if their company has installed it, they
have disabled it. They label the AV concept 'stupid'
and believe that malware is just a fact of life and
you should 'get over it', and that it really isn't as
bad as 'people like me' claim it is. I also find that
the majority of the younger crowd has either disabled
the anti-virus that came with their personal computer
or did not renew the subscription when it expired.

That's because for their entire (online) lives it *has* been a fact of life. In fairness, what can we expect? We (being the security community) give the average home user absolute crap to work with. OEMs ship PCs with Windows and IE with no AV protection, no malware protection, and not even the most recent updates! This is unique to the computer industry; other industries ship incomplete products but it's a rarity when they're completely ill-suited to what they're designed for. People expect (and frankly, should have a right to) a "complete" system when they buy a computer. If it's not on there when they buy it from HP/Dell/Apple, the experts, why should they spend extra money? We consider AV and malware protection critical components because of our...paranoia. They consider antivirus the equivalent of a floor mat. A nice afterthought for when you have some extra cash.

You mention keystroke loggers and other spyware; the
attitude I get is "If you don't have anything to hide,
then you have nothing to worry about."  Or, "Why
should I worry about privacy? Every aspect of my life
is already out there for anyone to read in my blog on
MySpace."

Unfortunate, but true. No responsibility is directly on them, though. Most credit card companies "wipe" fraudulent charges. But trying to explain how that works is akin to explaining why taxing businesses doesn't create tax revenue from nothing. If you don't get it, you just don't get it. I am worried, however, that privacy concerns are barely on the radar any more.

If you bring up all the malware slowing down their
computer, you get arguments that AV software slows it
down worse. I also get the attitude that "Everything I
need to keep is on my flash drive, so what whenever my
performance starts to (expletive deleted), I just blow
away the hard drive and reinstall."

Both of those arguments are correct, though. When I did PC repair as a sideline for gas money, basically every student that I met assumed they would have to reformat and reinstall Windows at least once every two years. You have to have a pretty massive spyware colony to significantly slow a 3 GHz machine down...but almost any AV engine will do it for $35.

Mention Joe Lopez and his loss of bank funds, and the
attitude is that his case is an anomaly; "Why haven't
other cases made the news? He must have done something
to p-o BoA." And it never fails that someone claims to
have a friend that had money stolen from their bank
account or credit card, and the bank put the money
back. I bring up that we are all paying for such
losses by lower interest rates on savings and higher
credit card and bank fee rates, they could care less.

(A couple of side notes to banks:

1) I have had many people claim that they would be
willing to pay $5 to $25 per transaction just to be
able to continue to use online banking if that was
what was required to offset the fraud costs. When
probing deeper, the per transaction cost appears to be
about one-half hour's pay. Just for the convenience of
not having to write a check or use snail mail.
2) I have heard several of the younger crowd claim
that it is common practice that when you get mad at
your bank, just post your credit card information
on-line so that the bank gets a bunch of fraudulent
charges against the card and cancels it. They see it
as a way to punish the bank for upping their interest
rate or imposing late fees.)

I've heard of this too, though I've never actually seen it. I can, however, clearly see the moronic logic that leads down that path. 20-30 = Entitlement!

In the corporate world, the attitude is even worse. I
have a client that recently implemented web content
filtering that blocks the social networking sites,
blogs, chat rooms, and other non-business content.
That resulted in the mass resignation of under 30
staff, because "I can't work here if I can't keep in
contact with my friends while I work." Some are even
screaming "age discrimination" because sites like
FoxNews or CNN 'that the old geezers use' were not
blocked.

Can someone please explain this attitude? Why the
fierce resistance to anything relating to security?
Why the "I don't care about privacy" attitude? Why do
they have to be in constant communication with their
friends, to the point they would rather be unemployed
than out of contact?

Ah... this is an argument after my own heart. Remember that these under-30s are facing two things that are somewhat unique to my generation. The first is that many of them "grew up" around 24x7 communication with friends. My AIM name is 6 characters, no numbers. My ICQ number is 7 digits. Most of my friends are the same way; of course, they're nerds, but it just meant that we were early adopters. There has *never* been a point in a 20-something's post-adolescent life where they could not instantly communicate with at least a few of their friends. *Never*. The first Real Job at Nameless, Inc. hits pretty hard when they have to somehow occupy 8-10 hours of their life, every day, doing something they probably hate.

The second, and less concrete, is that in some ways you could argue that my generation is more fragile than the Boomers. We grew up without any serious hardships. No recessions, no Cold War, no oil crisis, no World Wars, no dried-up pension funds, no segregation and consequent integration. And affluent. More affluent, for more of our lives, than any American generation before. This leads to a condition where many of Generation X+1 have -no way to judge the seriousness of a disaster-. To a self-absorbed, first-job X+1er, losing AIM or MSN at work is strikingly similar to losing oxygen.

As to the first, using IM and MySpace at work is considered part of the perk package by many. We grew up multitasking in the extreme. I was fat and lazy as a teen, yet I still played baseball and other sports, took AP classes and got 5s on the tests, managed to waste hours of my life on IRC, learn Linux, read hundreds of books, have a girlfriend, AND run a moderately successful Team Fortress clan. With AOL IM up the entire time. Frankly, it was kind of insulting when my employer said that I couldn't have some IM client up because it was "decreasing my productivity." They couldn't even fill my day with work-related activities as it was.

The company I left faced the exact kind of mutiny you were talking about. IM and MySpace are my generation's version of the watercooler. It just so happens to be a lot easier to monitor. When the company asked me to take away the Virtual Watercooler to raise productivity and "enhance security", the entire repair staff (8 people) were ready to turn in resignations immediately. It's a representation of everything their parents told them to fight against. To them, it took away one of the largest perks to working there: the fact that they were human workers and not corporate drones. What is more human than communication?

I somehow doubt this has been enlightening : ) BUT it is only going to get worse. Remember, privacy is only valuable if you once had it, and X+1 is unquestionably the most datamined group that's ever lived.

Wes
