Re: [fw-wiz] The home user problem returns
From: Chris Blask (chris_at_blask.org)
To: Mason Schmitt <firstname.lastname@example.org>, "Marcus J. Ranum" <email@example.com> Date: Mon, 12 Sep 2005 10:52:49 -0400
At 03:42 PM 9/8/2005, Mason Schmitt wrote:
> > Wow... Am I that bad? Am I that predictable? ;)
>I think you've been at this a really long time and you're fed up with
>the bull. I've only been in computers for a few years and the current
>state of things drives me nuts too. The fact that you keep speaking out
>is admirable. :)
That is the value - take what opinion you like but DON'T GIVE UP!
> > If you want to push
> > things back far enough, intellectually, the problem is that anonymous
> > Internet access is being offered. That's the underlying problem.
>YES!!! And the fact that there are groups that are working hard at
>maintaining that anonymity bothers me. I know that there's always the
>concern about Big Brother, or worse and far more plausible, abuse of any
>large scale trust/authentication systems that get setup in the future.
The problem is that, without any sort of identity (and there is
exactly 0.0000% of net traffic using anything worth calling
identity), it is impossible to treat Identified traffic and Anonymous
traffic differently, as they logically deserve.
>I see trust and authentication systems as critical to the future of the
>net, therefore I want to see it happen, but I'm deathly afraid of the
>piece of *$^! system that could be put in place. I can tell you right
>now that centralized systems such as microsoft's passport are extremely
>scary and have no place in in the future trust/auth systems that need to
>exist. Unfortunately I don't have a crystal ball (or any technical
>background) to tell you what such systems should look like.
Decentralized, distributed responsibility. If I own an auth server
then I am responsible for the activities of those who use it. If I
can say: "Yes, this is a person, I know who it is, and I'm not
telling you who that person is short of a court order legal in my
jurisdiction", then the system works.
>On bad days and good days I fully agree. The problem is that it can't
>stay like this, so movement has to occur somewhere. Perhaps you're
>right that we're wasting our breath.
Marcus is right to keep people on their toes: no-one should expect to
fire off ill-conceived comments or solutions and not get their lungs
ripped out - this is all too important. Any actual good ideas can
stand harsh comment - bullshit disintegrates.
>Here's another favourite Einstein
>quote of mine that fits this situation.
> "The definition of insanity is doing the same thing over and
> over again and expecting a different result."
My favorite Albert is this (I like it so much it's been my standard
sig for a while):
"Make things as simple as possible but no simpler. " - Albert Einstein
THIS is where things in our world get f**ked up IMSO: "We'll get a
million angles to dance on the head of a pin, take the square root of
their average size and use the results as Private Keys (sold by
Verisinge and distributed by Microsloth)!"
>While I think that user ed is still a critical piece to the puzzle, I
>think that the way that we go about attempting to educate needs to
>change. That's what I was trying to get across in my last email. It
>takes one on one interaction with people.
Education is a slippery topic. In short, we will achieve the edu
goal with about 18 trillion hours of dedicated training and a factor
of 1000 more in informal training. IOW - it ain't getting done
tomorrow, but every little bit of effort gets us closer.
The other side of edu is that vendors/providers need to get educated
about what is a good idea and what is crap. Having (or not having)
actual Customers doing actual Things with your product is the only
education that counts, but vendors/providers usually miss the
pertinent lessons even then.
>I'm well aware that I'm stuck in the middle of an arms race. That's why
>we outsourced spam control - that was just too messy an arms race to
>continue to contend with in house.
Spam control = Identity
Identity is owned by the worst of our industry (both the "how to
screw your customer in Three Easy Steps" business folks and the
"no-one should use a computer if they can't carve one out of soap" engineers).
At JamSpam we had all the stakeholders in one place, and the best we
could do was AMY. I chaired the damn coalition so I take the blame,
but it didn't surprise me at all (and I *am* an optimist!).
>Very good points. See my point above concerning changing approaches.
>To be realistic, I'm not expecting mass religious conversion to happen.
> I'm hoping to keep finding those people that have an inkling that
>something isn't right and just need some info to point them in the right
>direction. These people, once they get it, will tell others. For
>everyone else, I just want to get them to jump through the hoops of
>turning on windows update, getting a firewall... yada yada yada.
Education works, it is just a much much much bigger job than we
think, with many different branches.
o Much of the end-user education that needs to be done is social
("talk amongst yourselves") and we can never directly provide that,
though we can tune the debate.
o There is no quantity of end-user education that can shorten the
amount of time it will take to "finish" that effort, but it is
possible to have so little that it takes longer...
>In my last email, this was one of the things that I stressed (or I hope
>I did). People need to learn to question. My generation is doing a
>good job in this area, but my parent's generation is as trusting as an
>unspoiled child when it comes to the net. I think the biggest problem
>with the older crowd is that they don't really know what the net is -
>I'm still working on my parents. That's what I want to try to teach people.
That right there is my point. The quantity of exposure that the
average Joe needs to understand the issues being discussed is "N",
where N is a very large number (particularly if Joe is 50+). We are
currently about 1/N into the process...
> > [...other good stuff, deleted...]
> > You're still an optimist, aren't you? It's always nice to find an optimist
> > in Internet security. I feel like a birdwatcher who has seen the last of
> > some vanishing breed whenever I run across one of you guys. ;)
>Whenever I fall into that sort of situation, I recognize it as
>unworkable and realise there must be another way to look at the problem.
"The fact that two people have different opinions on a topic does not
mean that either is correct."
>I'll keep trying to find new ways of approaching this and I'll make
>headway, even if it is just, as you said, "reduce the surge of noise to
>manageable levels". I think you have to be incredibly persistent and
>optimistic, or naive to make any meaningful headway in computer security
>- not sure which one I am, maybe both.
Lucy: "You can't subtract five from three!"
Linus: "You can if you're stupid!"
Never underestimate the power of naive optimism.
>Anyway, it's still fun and challenging, so why not keep at it.
Beats pumping gas...
It is not worth an intelligent man's time to be in the majority. By
definition, there are already enough people to do that.
- G. H. Hardy
+1 416 358 9885
firewall-wizards mailing list