Educause Security Discussion mailing list archives
Re: Phishing E-mail Procedures
From: Tim Doty <tdoty () MST EDU>
Date: Thu, 26 Jan 2012 16:13:32 -0600
On Thu, 2012-01-26 at 14:45 -0500, Valdis Kletnieks wrote:
> On Thu, 26 Jan 2012 12:24:10 CST, Tim Doty said:
>> "Default Permit".... In short, it isn't something that security folks go preaching.
>
> Marcus's point is that it's a *dumb* idea - any security folks preaching it should probably be taken out back and shot. Or maybe shot out front and made an example of. ;)
A good debater changes topics instead of giving in. What I originally said was that he is "off target on every count" due to "personal bias or an application development issue". I didn't say he was wrong, just off base. My follow-up was successfully distracted, but back to the point.

He says that "default permit" is one of the six dumbest security ideas, one so bad he equates it with brain damage. To back up his contention he talks about firewall rules and code execution. The immediate issue is he sets up a strawman. The premise is that people are actively supporting and pushing 'default permit', which is not something I've seen. The rest of it is just hamming for the crowd because it is well known and doesn't need repeating to security folks. They know it.

Where there is substance is in the broader application of the principle. And this is where the logic completely falls apart. The premise, stated at the top, is that these are security ideas. He then applies it outside of that context. The application developer isn't thinking "wow, default permit is such a wonderful idea" -- he most likely doesn't have a clue that what he is doing is in fact that, much less the security implications of it. It isn't a "dumb idea", it's a "problem from ignorance".

The second case you mentioned was "enumerating badness". Antivirus is of course the obvious and easy target for this. But enumerating badness is not necessarily a dumb idea, much less a bad one.
>> Guess what I do with Snort? I enumerate badness (detection rules are an example of enumeration and with snort we don't try to detect what is good, but what is undesired). Sorry, but I'm not giving up on snort.
>
> And you know to add an "undesired" rule, how? ;)
Let's stay topical.
> Might be illustrative to turn that around for a little while
Right... because you know so much about me and what I know and you will teach me a little lesson. And in the meantime try and forget the point that was made. Thanks, but no.

Enumerating badness is doomed to failure, at least in a theoretical sense. Fortunately, the real world is a little more complex than that. Maybe you honestly didn't get the point with snort, so let's try another one. In a similar vein to the rant originally linked (for those who feel masochistic it is http://www.ranum.com/security/computer_security/editorials/dumb/) you can find other enumerations of badness. Like the linked page. At least, it *claims* to enumerate badness: it is giving the top six dumbest, most brain-damaged security ideas ever that are still being floated around. If you don't think that is an enumeration of badness... I can't help you. But the recursive nature of that should be informative.

All in all I'm beginning to understand why you place such a low value on user education. I'm no expert on that subject, but there are some basic principles. Easy to say, harder to apply.

1. Users don't care about security, they care about getting the job done. Lecturing them on how bad they are for violating security principles doesn't help. Instead, address how they can effectively, efficiently and reasonably get the job done while doing so in a more secure fashion.

2. Don't stick to your guns with absolutes. Be flexible. Don't forget that security is not a state, but a process. And, yes, this *does* apply to user education. Be careful about what you are educating them on: that security is pointless and useless, or how they can be productive and at least more secure than before.

3. Give them a solution. And that means a real solution, something that they can actually use in practice in the real world.

It's easy to create a page and slam people for solving real problems in the real world, but it is much more difficult to provide better solutions when smart, educated people have already raised the bar.

Finally, that is seriously a page of the 6 dumbest, most dangerous security ideas. Seriously? And he doesn't even mention passwords. (Not that I'm offering a real world solution for that one...)

Tim Doty
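As an added illustration of the two policies argued over in this thread (this is editorial example code, not part of Tim Doty's or Valdis Kletnieks's messages and not Snort's rule language), the Python below puts a Snort-style "enumerate badness" blocklist that permits by default next to a default-deny allowlist, and runs both over a handful of constructed HTTP requests. The paths, query shapes, signatures and the sample traffic are all invented for the example; the ground-truth "malicious" label exists only because the sample was constructed, which is exactly what a real detector does not have.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One HTTP request reduced to the fields the two policies look at."""
    path: str
    query: str
    malicious: bool  # ground truth; known here only because we wrote the sample


# Constructed sample traffic for this example (not taken from the thread).
SAMPLE = [
    Request("/login", "user=alice", False),                  # ordinary, legitimate
    Request("/search", "q=phishing+procedures", False),      # ordinary, legitimate
    Request("/search", "q=' OR 1=1 --", True),               # attack a signature knows
    Request("/search", "q=%27%20OR%201%3D1%20--", True),     # same attack, URL-encoded
    Request("/reports/new", "year=2012", False),             # legitimate but brand new
]

# "Enumerate badness": hypothetical, Snort-like signatures for traffic we already
# know to be undesirable. A request that matches no signature is permitted.
BAD_SIGNATURES = [
    re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE),  # classic SQL tautology
    re.compile(r"<script", re.IGNORECASE),             # inline script injection
]

# "Enumerate goodness": an explicit allowlist of paths and the exact query shape
# each may carry. Anything not listed is denied.
ALLOWED = {
    "/login": re.compile(r"user=[a-z0-9_]{1,32}"),
    "/search": re.compile(r"q=[A-Za-z0-9+]{1,64}"),
}


def default_permit(req: Request) -> bool:
    """Blocklist: permit unless a known-bad signature fires."""
    text = f"{req.path}?{req.query}"
    return not any(sig.search(text) for sig in BAD_SIGNATURES)


def default_deny(req: Request) -> bool:
    """Allowlist: deny unless the path is known and the query has the expected shape."""
    shape = ALLOWED.get(req.path)
    return shape is not None and shape.fullmatch(req.query) is not None


def missed_attacks(policy, requests=SAMPLE):
    """Malicious requests the policy permitted (false negatives)."""
    return [r for r in requests if r.malicious and policy(r)]


def blocked_legitimate(policy, requests=SAMPLE):
    """Legitimate requests the policy denied (false positives)."""
    return [r for r in requests if not r.malicious and not policy(r)]


def evaluate(requests=SAMPLE):
    """Per request: (path, query, permitted by blocklist, permitted by allowlist)."""
    return [(r.path, r.query, default_permit(r), default_deny(r)) for r in requests]


if __name__ == "__main__":
    for path, query, permit, deny in evaluate():
        print(f"{path}?{query:<26} blocklist={'allow' if permit else 'BLOCK'}  "
              f"allowlist={'allow' if deny else 'BLOCK'}")
    print("blocklist missed:", [r.query for r in missed_attacks(default_permit)])
    print("allowlist blocked legit:", [r.path for r in blocked_legitimate(default_deny)])
```

Run as-is, the blocklist stops the literal `' OR 1=1` but lets the URL-encoded variant through, because nobody had enumerated that form of badness yet; the allowlist stops both variants but also refuses the perfectly legitimate /reports/new request until someone adds it. That is the trade-off in one screen: enumerating badness fails on the attack you have not seen, enumerating goodness fails on the work the user has not asked permission for yet.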
Current thread:
- Re: Phishing E-mail Procedures, (continued)
- Re: Phishing E-mail Procedures Pete Hickey (Jan 26)
- Re: Phishing E-mail Procedures Bob Bayn (Jan 26)
- Re: Phishing E-mail Procedures Jesse Thompson (Jan 26)
- Re: Phishing E-mail Procedures Robert Meyers (Jan 26)
- Re: Phishing E-mail Procedures Valdis Kletnieks (Jan 26)
- Re: Phishing E-mail Procedures Jesse Thompson (Jan 26)
- Re: Phishing E-mail Procedures Doty, Timothy T. (Jan 26)
- Re: Phishing E-mail Procedures Valdis Kletnieks (Jan 26)
- Re: Phishing E-mail Procedures Tim Doty (Jan 26)
- Re: Phishing E-mail Procedures Valdis Kletnieks (Jan 26)
- Re: Phishing E-mail Procedures Tim Doty (Jan 26)
- Re: Phishing E-mail Procedures Roger A Safian (Jan 26)