Re: [fw-wiz] The home user problem returns

From: Marcus J. Ranum (
Date: 09/08/05

  • Next message: Mason Schmitt: "Re: [fw-wiz] The home user problem returns"
    To: Mason Schmitt <>, Kevin <>
    Date: Thu, 08 Sep 2005 13:33:22 -0400

    Mason Schmitt wrote:
    >I know that somewhere Marcus is getting ready to unfurl his IPS rant
    >(/me braces himself).

    Wow... Am I that bad? Am I that predictable? ;)

    >A public ISP just cannot be run like a corporate
    >network, it's a totally different beast.

    I completely agree!!! You've got a series of contradictory requirements.
    There's no way to satisfy them (or even a reasonable percentage of them)
    without creating more problems than you solve. Also, I knew an ISP back
    in the day (1995) that offered 2 kinds of Internet hookups - one that was
    firewalled, virus filtered, etc, and the other of which was wide open. Guess
    which one they sold NONE of? Well, that was an easy guess...

    > In fact, I know a lot of
    >techies that would argue that ISPs should be totally transparent. In
    >this day and age, I consider that view to be selfish and irresponsible.

    With the current state of Internet software, it's pointless. It'd be
    meaningful to encourage ISPs to filter traffic if there were end-to-end
    authenticated links going on, and nothing else. If you want to push
    things back far enough, intellectually, the problem is that anonymous
    Internet access is being offered. That's the underlying problem. Unless
    that particular problem is dealt with (and who'd want to be on the
    Internet that would result..?) we will not make progress from where
    we are.

    >Marcus and most of the rest of you, please keep preaching solid security
    >principles to businesses and governments, but when it comes to the home
    >user, you're wasting your breath.

    We're wasting our breath in general. Businesses are marginally better
    than home users - some of them - but governments are sometimes
    worse than home users, in my experience. The situation out there is
    terrible and shows no sign of improvement, in my opinion.

    >As with any security endeavour, a multi faceted or "defence in depth"
    >solution is the best solution.

    It's really more like a "defeat in depth" because you're accepting that
    things will go wrong at every layer in the system. What you're trying
    to do is reduce the surge of noise to manageable levels. That is a
    worthwhile goal but it puts you right in the middle of the eternal arms

    >User education
    >User education still needs to happen

    Pointless. If educating users was going to work, it would have worked
    by now. If Anna Kournikova worm and phishing hadn't gotten people
    to take this seriously years ago, they aren't going to next year, either.
    If 600 Internet Explorer bugs and 1203 windows bugs* in 5 years didn't
    get people to take it seriously, they aren't going to next year, either. Or
    the year after that.

    OBplug: I just completed an article for "certified security professional"
    on "The Six Dumbest Ideas in Computer Security" in which I list
    educating users as #5.
    or it's linked off
    I'll spare posting the entire breathless tirade here.

    [...other good stuff, deleted...]
    You're still an optimist, aren't you? It's always nice to find an optimist
    in Internet security. I feel like a birdwatcher who has seen the last of
    some vanishing breed whenever I run across one of you guys. ;)

    (* source: P-nut)

    firewall-wizards mailing list

  • Next message: Mason Schmitt: "Re: [fw-wiz] The home user problem returns"