Firewall Wizards mailing list archives

RE: The home user problem returns


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 13 Sep 2005 19:21:11 -0400

Scott Pinzon wrote:
Marcus [...] I can't help feeling, in my
pipsqueak opinion, that on this one you're way off base.

For years and years I have been longing for someone to come along
and convince me that I'm wrong. I'd love to be wrong about this stuff,
because it'd mean the world was a whole lot better place than I think
it is. So - bring it:

-- Ignorance is never better than knowledge in any realm. But particular
to network security, my experience is that most clueless users are also
people of good will who will cease dangerous behaviors once they
understand those behaviors ARE dangerous.

I think you must be a smart person. Smart people tend to value knowledge
because, well, it's something that happens to you as you're smart. It's
your coinage, if you will. It's always a shock when you realize that
most people don't. (*) 

-- Educating users is another layer in "Defense in depth." If 10 out of
100 users click evil email attachments, and through education you reduce
that to 3 out of 100, you've improved that layer.

You've improved it, but does it matter? That's my question.

1 idiot clicking attachments can infect 10,000 other idiots a day.
If you reduce the idiot count from 10%, as you say, to 3% in an
organization of 1000 people, you've dropped from 100 idiots who
click attachments to 30. And those 30 will still send 300,000
emails a day and your mail server will still detonate. And, since
one of those idiots is probably your CTO, all of your execs in
h* management chain will probably get infected, too.... 

-- Educating users has been proven to work at company after company.
Help desk calls, viral infections, falling victim to phishing emails,
and more, have been quantitatively and demonstrably reduced at companies
that institute end-user security training. 

The problem with such measures is that you can't really tell
how much of that is a result of the training and how much is a
result of normal "aversive experience." For example, my mom
has never had any computer security training but after the first
time her machine got wiped by her IT guy (that's me) now
she's a lot more careful about spyware.

-- And how do you know "it" (educating end users) is not working? We
have no before/after comparison on what the Internet would be like if
all of us who preach security had stopped five years ago. 

You can ask the exact same question in reverse, though, right?
"If it was working, how come we still have Internet security problems?"
Surely everyone has heard of them, by now. Surely everyone in the
US has heard of Identity Theft by now, etc.

This is one of those nasty intractables because you can't really
get a grip on the effectiveness of solutions because there's no
control group - we're working with entire populations.

I like to think of this problem as being similar to patching a leaky
roof. Well, you OBVIOUSLY are getting less water in the holes
that you've patched but it's hard to reason accurately about
whether you're much better off anyhow. In fact, patching your
roof may distract you from replacing your roof entirely. That's
how I conceptualize it, anyhow. I know it's an analogy and I hate
them but that's how that problem fits in Marcus-land.

Maybe I'm misunderstanding you, but my take-away from your blog article
is that you are so discouraged by end-user ignorance, you think we
should all stop wasting our breath on them. 

Would you like to ghost-write for me? That's a GREAT way of putting it.

Your recommendation is that
we set up an environment through quarantining and what-not where users
have no opportunity to hurt themselves.

Sort of, yeah. I think I'd say that it's probably more cost-effective to
simply keep users from hurting themselves than to teach them how
not to hurt themselves.

I.e: "Sit the F down. Shut the F up. Don't ask any questions.
This is your browser. It's called 'Zen4' and it only knows how to render
GIF, PNG, JPEG, CSS, and HTML. If you go to a website and it doesn't
display properly, you went to a bad website. This is your Email client.
It uses Zen4 to render anything you get. Anything it can't render, you
won't see because the spam blocker will have already junked it for you.
Have fun and thanks for working for Marcus-Land, where the user
comes last and the customer comes first!"

In rebuttal, I cite the crusty
old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
(through technology) create an environment where clueless users can't
hurt themselves.

My, that's a depressing thought. :(

To keep a network secure, we need users on our side. We
can get them there if we try.

My, that's an even more depressing thought. As an ex-sysadmin, I can
assure you that I've spent many years filled with the awareness that my
users are not only stupid, they're actively out to get me any chance they
can. They are not on my side. Even when they pretend to be on my side,
I know that the cookies they leave on my desk are loaded with rat-poison
so I'll die _after_ I restore the file they deleted but not a minute before.
And they all want root.

Am I really the only one on this list who thinks so? Or Marcus, did I
misinterpret you?

You didn't misinterpret me.

Sounds like you're another one of those "optimist" things I keep
hearing about. Maybe we should preserve you in a big jar of
formaldehyde so that all the firewall-wizards can point you out
to the newly-minted CISSPs, "Look... This is a computer security
optimist that we found. We think he somehow survived the big
asteroid strike... There are rumors there may be others, still living
in the deep jungles..."

mjr.
---
(* I read some scary stats in this month's LensWork that I found hard
to believe but .. 
1/3 of high school students never read another book in their lives
42% of college graduates never read another book after college
80% of US families did not buy or read a book last year 
70% of US adults have not been in a bookstore in the last 5 years
57% of new books bought are never read to completion

Claimed source: Harold Jenkins www.jenkinsgroup.com)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
