funsec mailing list archives

Re: BBC Crosses The Line Again


From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 21 Mar 2009 09:42:32 -0400

On Fri, Mar 20, 2009 at 11:28:15AM -0700, Paul M. Moriarty wrote:
> OK, I'll play devil's advocate.  What's the right way to educate the
> public?  Because security companies have done a piss-poor job to date.

I strongly concur with the latter statement, but note in passing that
it's against the financial interests of most of them to do so...so we
should be very surprised if they did.

However, to answer the question: "none".  The public has proven
itself to be completely ineducable.  As Marcus Ranum correctly pointed
out in "The Six Dumbest Ideas in Computer Security", where he identified
"user education" as one of them:

        If it was going to work, it would have worked by now.

For example, we (for various values of "we") have been telling users
for a very, very long time that they should never respond to a request
for their password(s).  Yet they do -- constantly. 

As another example, we have been telling users never to respond to spam.
But they do.  In large numbers.  Consistently.  (This, at least, can
be mitigated by applying blacklist rules to outbound email traffic.)

User education is a fine and noble endeavor.  I've done a lot of it,
as I'm sure many other people here have.  But collectively, we have
almost nothing to show for it.  I think it's (past) time to get on
board with Ranum and stop wasting our time with an approach that's
failed.  Oh, not that *other* approaches might turn out to be equally
fruitless -- they might -- but let's give them their chance to fail.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.