Re: [fw-wiz] The home user problem returns

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 09/08/05

    To: Mason Schmitt <mason@schmitt.ca>, Kevin <kkadow@gmail.com>
    Date: Thu, 08 Sep 2005 13:33:22 -0400
    
    

    Mason Schmitt wrote:
    >I know that somewhere Marcus is getting ready to unfurl his IPS rant
    >(/me braces himself).

    Wow... Am I that bad? Am I that predictable? ;)

    >A public ISP just cannot be run like a corporate
    >network, it's a totally different beast.

    I completely agree!!! You've got a series of contradictory requirements.
    There's no way to satisfy them (or even a reasonable percentage of them)
    without creating more problems than you solve. Also, I knew an ISP back
    in the day (1995) that offered 2 kinds of Internet hookups - one that was
    firewalled, virus filtered, etc, and the other of which was wide open. Guess
    which one they sold NONE of? Well, that was an easy guess...

    > In fact, I know a lot of
    >techies that would argue that ISPs should be totally transparent. In
    >this day and age, I consider that view to be selfish and irresponsible.

    With the current state of Internet software, it's pointless. It'd be
    meaningful to encourage ISPs to filter traffic if there were end-to-end
    authenticated links going on, and nothing else. If you want to push
    things back far enough, intellectually, the problem is that anonymous
    Internet access is being offered. That's the underlying problem. Unless
    that particular problem is dealt with (and who'd want to be on the
    Internet that would result..?) we will not make progress from where
    we are.

    >Marcus and most of the rest of you, please keep preaching solid security
    >principles to businesses and governments, but when it comes to the home
    >user, you're wasting your breath.

    We're wasting our breath in general. Businesses are marginally better
    than home users - some of them - but governments are sometimes
    worse than home users, in my experience. The situation out there is
    terrible and shows no sign of improvement, in my opinion.

    >As with any security endeavour, a multi-faceted or "defence in depth"
    >solution is the best solution.

    It's really more like a "defeat in depth" because you're accepting that
    things will go wrong at every layer in the system. What you're trying
    to do is reduce the surge of noise to manageable levels. That is a
    worthwhile goal but it puts you right in the middle of the eternal arms
    race.

    >User education
    >----------------
    >User education still needs to happen

    Pointless. If educating users was going to work, it would have worked
    by now. If the Anna Kournikova worm and phishing hadn't gotten people
    to take this seriously years ago, they aren't going to next year, either.
    If 600 Internet Explorer bugs and 1203 Windows bugs* in 5 years didn't
    get people to take it seriously, they aren't going to next year, either. Or
    the year after that.

    OBplug: I just completed an article for "certified security professional"
    on "The Six Dumbest Ideas in Computer Security" in which I list
    educating users as #5.
    http://www.certifiedsecuritypro.com/index.php/content/view/154/56/
    or it's linked off http://www.ranum.com
    I'll spare posting the entire breathless tirade here.

    [...other good stuff, deleted...]
    You're still an optimist, aren't you? It's always nice to find an optimist
    in Internet security. I feel like a birdwatcher who has seen the last of
    some vanishing breed whenever I run across one of you guys. ;)

    mjr.
    (* source: P-nut)

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

