Firewall Wizards mailing list archives
Re: The home user problem returns
From: Mason Schmitt <mason () schmitt ca>
Date: Thu, 08 Sep 2005 12:42:30 -0700
>> I know that somewhere Marcus is getting ready to unfurl his IPS rant (/me braces himself).
>
> Wow... Am I that bad? Am I that predictable? ;)

I think you've been at this a really long time and you're fed up with the bull. I've only been in computers for a few years and the current state of things drives me nuts too. The fact that you keep speaking out is admirable. :)
> I knew an ISP back in the day (1995) that offered 2 kinds of Internet hookups - one that was firewalled, virus-filtered, etc., and one that was wide open. Guess which one they sold NONE of? Well, that was an easy guess...

Yup.
>> In fact, I know a lot of techies that would argue that ISPs should be totally transparent. In this day and age, I consider that view to be selfish and irresponsible.
>
> With the current state of Internet software, it's pointless. It'd be meaningful to encourage ISPs to filter traffic if there were end-to-end authenticated links going on, and nothing else. If you want to push things back far enough, intellectually, the problem is that anonymous Internet access is being offered. That's the underlying problem.

YES!!! And the fact that there are groups that are working hard at maintaining that anonymity bothers me. I know that there's always the concern about Big Brother, or, worse and far more plausible, abuse of any large-scale trust/authentication systems that get set up in the future.

> Unless that particular problem is dealt with (and who'd want to be on the Internet that would result..?) we will not make progress from where we are.

I see trust and authentication systems as critical to the future of the net, therefore I want to see it happen, but I'm deathly afraid of the piece of *$^! system that could be put in place. I can tell you right now that centralized systems such as Microsoft's Passport are extremely scary and have no place in the future trust/auth systems that need to exist. Unfortunately I don't have a crystal ball (or any technical background) to tell you what such systems should look like.
>> Marcus and most of the rest of you, please keep preaching solid security principles to businesses and governments, but when it comes to the home user, you're wasting your breath.
>
> We're wasting our breath in general. Businesses are marginally better than home users - some of them - but governments are sometimes worse than home users, in my experience. The situation out there is terrible and shows no sign of improvement, in my opinion.

On bad days and good days I fully agree. The problem is that it can't stay like this, so movement has to occur somewhere. Perhaps you're right that we're wasting our breath. Here's another favourite Einstein quote of mine that fits this situation: "The definition of insanity is doing the same thing over and over again and expecting a different result." While I think that user ed is still a critical piece of the puzzle, I think that the way we go about attempting to educate needs to change. That's what I was trying to get across in my last email. It takes one-on-one interaction with people.
>> As with any security endeavour, a multi-faceted or "defence in depth" solution is the best solution.
>
> It's really more like a "defeat in depth" because you're accepting that things will go wrong at every layer in the system. What you're trying to do is reduce the surge of noise to manageable levels. That is a worthwhile goal but it puts you right in the middle of the eternal arms race.

I'm well aware that I'm stuck in the middle of an arms race. That's why we outsourced spam control - that was just too messy an arms race to continue to contend with in-house.
>> User education
>> ----------------
>>
>> User education still needs to happen
>
> Pointless.

I laughed out loud when I saw this one :)

> If educating users was going to work, it would have worked by now. If the Anna Kournikova worm and phishing hadn't gotten people to take this seriously years ago, they aren't going to next year, either. If 600 Internet Explorer bugs and 1203 Windows bugs* in 5 years didn't get people to take it seriously, they aren't going to next year, either. Or the year after that.

Very good points. See my point above concerning changing approaches. To be realistic, I'm not expecting a mass religious conversion to happen. I'm hoping to keep finding those people that have an inkling that something isn't right and just need some info to point them in the right direction. These people, once they get it, will tell others. For everyone else, I just want to get them to jump through the hoops of turning on Windows Update, getting a firewall... yada yada yada.

> OBplug: I just completed an article for "Certified Security Professional" on "The Six Dumbest Ideas in Computer Security" in which I list educating users as #5.
> http://www.certifiedsecuritypro.com/index.php/content/view/154/56/
> or it's linked off http://www.ranum.com
> I'll spare posting the entire breathless tirade here.

Excellent article. It's going up on my bulletin board next to "Low Carb Security" and Paul's "Something About Security". I also sit my boss down with things like this, because he'll actually read it and think about it.
From your article, in the #5 dumbest idea section:

"Why are users expecting to get E-mails from banks where they don't have accounts? Most of the problems that are addressable through user education are self-correcting over time. As a younger generation of workers moves into the workforce, they will come pre-installed with a healthy scepticism about phishing and social engineering."

In my last email, this was one of the things that I stressed (or I hope I did). People need to learn to question. My generation is doing a good job in this area, but my parents' generation is as trusting as an unspoiled child when it comes to the net. I think the biggest problem with the older crowd is that they don't really know what the net is - I'm still working on my parents. That's what I want to try to teach people.
> [...other good stuff, deleted...]
>
> You're still an optimist, aren't you? It's always nice to find an optimist in Internet security. I feel like a birdwatcher who has seen the last of some vanishing breed whenever I run across one of you guys. ;)

This is hilarious! I got a good laugh out of this and had to show my co-worker :) In keeping with that Einstein quote about insanity, I'm trying to be creative and come up with new ways of looking at the problem. If I sit myself down in the middle of it, it gets exceedingly frustrating and it looks like there is no hope. These are the days when my boss gets an earful about how much crap is out there, how hopeless our position is, etc. Whenever I fall into that sort of situation, I recognize it as unworkable and realise there must be another way to look at the problem. I'll keep trying to find new ways of approaching this and I'll make headway, even if it is just, as you said, to "reduce the surge of noise to manageable levels". I think you have to be incredibly persistent and optimistic, or naive, to make any meaningful headway in computer security - not sure which one I am, maybe both. Anyway, it's still fun and challenging, so why not keep at it.

--
Mason

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards