Re: The home user problem returns

[Mason Schmitt <mason () schmitt ca>]

> > I know that somewhere Marcus is getting ready to unfurl his IPS rant
> > (/me braces himself).
>
> Wow... Am I that bad? Am I that predictable?  ;)

I think you've been at this a really long time and you're fed up with
the bull. I've only been in computers for a few years and the current
state of things drives me nuts too.  The fact that you keep speaking out
is admirable. :)

> I knew an ISP back
> in the day (1995) that offered 2 kinds of Internet hookups - one that was
> firewalled, virus filtered, etc, and the other of which was wide open. Guess
> which one they sold NONE of? Well, that was an easy guess...

Yup.

> > In fact, I know a lot of
> > techies that would argue that ISPs should be totally transparent.  In
> > this day and age, I consider that view to be selfish and irresponsible.
>
> With the current state of Internet software, it's pointless. It'd be
> meaningful to encourage ISPs to filter traffic if there were end-to-end
> authenticated links going on, and nothing else. If you want to push
> things back far enough, intellectually, the problem is that anonymous
> Internet access is being offered. That's the underlying problem.

YES!!!  And the fact that there are groups that are working hard at
maintaining that anonymity bothers me.  I know that there's always the
concern about Big Brother, or worse and far more plausible, abuse of any
large scale trust/authentication systems that get setup in the future.


> Unless
> that particular problem is dealt with (and who'd want to be on the
> Internet that would result..?) we will not make progress from where
> we are.

I see trust and authentication systems as critical to the future of the
net, therefore I want to see it happen, but I'm deathly afraid of the
piece of *$^! system that could be put in place.  I can tell you right
now that centralized systems such as microsoft's passport are extremely
scary and have no place in in the future trust/auth systems that need to
exist.  Unfortunately I don't have a crystal ball (or any technical
background) to tell you what such systems should look like.

> > Marcus and most of the rest of you, please keep preaching solid security
> > principles to businesses and governments, but when it comes to the home
> > user, you're wasting your breath.
>
>
> We're wasting our breath in general. Businesses are marginally better
> than home users - some of them - but governments are sometimes
> worse than home users, in my experience. The situation out there is
> terrible and shows no sign of improvement, in my opinion.

On bad days and good days I fully agree.  The problem is that it can't
stay like this, so movement has to occur somewhere.  Perhaps you're
right that we're wasting our breath.  Here's another favourite Einstein
quote of mine that fits this situation.

   “The definition of insanity is doing the same thing over and
    over again and expecting a different result.”

While I think that user ed is still a critical piece to the puzzle, I
think that the way that we go about attempting to educate needs to
change.  That's what I was trying to get across in my last email.  It
takes one on one interaction with people.

> > As with any security endeavour, a multi faceted or "defence in depth"
> > solution is the best solution.
>
> It's really more like a "defeat in depth" because you're accepting that
> things will go wrong at every layer in the system. What you're trying
> to do is reduce the surge of noise to manageable levels. That is a
> worthwhile goal but it puts you right in the middle of the eternal arms
> race.

I'm well aware that I'm stuck in the middle of an arms race.  That's why
we outsourced spam control - that was just too messy an arms race to
continue to contend with in house.

> > User education
> > ----------------
> > User education still needs to happen
>
>
> Pointless.

I laughed out loud when I saw this one :)

> If educating users was going to work, it would have worked
> by now. If Anna Kournikova worm and phishing hadn't gotten people
> to take this seriously years ago, they aren't going to next year, either.
> If 600 Internet Explorer bugs and 1203 windows bugs* in 5 years didn't
> get people to take it seriously, they aren't going to next year, either. Or
> the year after that.

Very good points.  See my point above concerning changing approaches.
To be realistic, I'm not expecting mass religious conversion to happen.
 I'm hoping to keep finding those people that have an inkling that
something isn't right and just need some info to point them in the right
direction.  These people, once they get it, will tell others.  For
everyone else, I just want to get them to jump through the hoops of
turning on windows update, getting a firewall... yada yada yada.


> OBplug: I just completed an article for "certified security professional"
> on "The Six Dumbest Ideas in Computer Security" in which I list
> educating users as #5.
> http://www.certifiedsecuritypro.com/index.php/content/view/154/56/
> or it's linked off http://www.ranum.com
> I'll spare posting the entire breathless tirade here.

Excellent article.  It's going up on my bulletin board next to "Low Carb
Security" and Paul's "Something About Security".  I also sit my boss
down with things like this, because he'll actually read it and think
about it.

> From your article in the #5 dumbest idea section:

"Why are users expecting to get E-mails from banks where they don't have
accounts? Most of the problems that are addressable through user
education are self-correcting over time. As a younger generation of
workers moves into the workforce, they will come pre-installed with a
healthy scepticism about phishing and social engineering."

In my last email, this was one of the things that I stressed (or I hope
I did).  People need to learn to question.  My generation is doing a
good job in this area, but my parent's generation is as trusting as an
unspoiled child when it comes to the net.  I think the biggest problem
with the older crowd is that they don't really know what the net is -
I'm still working on my parents.  That's what I want to try to teach people.

> [...other good stuff, deleted...]
> You're still an optimist, aren't you? It's always nice to find an optimist
> in Internet security. I feel like a birdwatcher who has seen the last of
> some vanishing breed whenever I run across one of you guys. ;)

This is hilarious!  I got a good laugh out of this and had to show my
co-worker :)

In keeping with that Einstein quote about insanity, I'm trying to be
creative and come up with new ways of looking at the problem.  If I sit
myself down in the middle of it, it gets exceedingly frustrating and it
looks like there is no hope.  These are the days where my boss gets an
earful about how much crap is out there, how hopeless our position is,
etc.  Whenever I fall into that sort of situation, I recognize it as
unworkable and realise there must be another way to look at the problem.
  I'll keep trying to find new ways of approaching this and I'll make
headway, even if it is just, as you said, "reduce the surge of noise to
manageable levels".  I think you have to be incredibly persistent and
optimistic, or naive to make any meaningful headway in computer security
- not sure which one I am, maybe both.

Anyway, it's still fun and challenging, so why not keep at it.

--
Mason
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards