Re: [fw-wiz] The home user problem returns

From: Chris Blask (chris_at_blask.org)
Date: 09/12/05

    To: Mason Schmitt <mason@schmitt.ca>, "Marcus J. Ranum" <mjr@ranum.com>
    Date: Mon, 12 Sep 2005 10:52:49 -0400
    
    

    At 03:42 PM 9/8/2005, Mason Schmitt wrote:
    .d.
    > > Wow... Am I that bad? Am I that predictable? ;)
    > >
    >I think you've been at this a really long time and you're fed up with
    >the bull. I've only been in computers for a few years and the current
    >state of things drives me nuts too. The fact that you keep speaking out
    >is admirable. :)

    That is the value - take what opinion you like but DON'T GIVE UP!

    .d.
    > > If you want to push
    > > things back far enough, intellectually, the problem is that anonymous
    > > Internet access is being offered. That's the underlying problem.
    >
    >YES!!! And the fact that there are groups that are working hard at
    >maintaining that anonymity bothers me. I know that there's always the
    >concern about Big Brother, or worse and far more plausible, abuse of any
    >large scale trust/authentication systems that get set up in the future.

    The problem is that, without any sort of identity (and there is
    exactly 0.0000% of net traffic using anything worth calling
    identity), it is impossible to treat Identified traffic and Anonymous
    traffic differently, as they logically deserve.

    .d.
    >I see trust and authentication systems as critical to the future of the
    >net, therefore I want to see it happen, but I'm deathly afraid of the
    >piece of *$^! system that could be put in place. I can tell you right
    >now that centralized systems such as microsoft's passport are extremely
    >scary and have no place in the future trust/auth systems that need to
    >exist. Unfortunately I don't have a crystal ball (or any technical
    >background) to tell you what such systems should look like.

    Decentralized, distributed responsibility. If I own an auth server
    then I am responsible for the activities of those who use it. If I
    can say: "Yes, this is a person, I know who it is, and I'm not
    telling you who that person is short of a court order legal in my
    jurisdiction", then the system works.

    .d.
    >On bad days and good days I fully agree. The problem is that it can't
    >stay like this, so movement has to occur somewhere. Perhaps you're
    >right that we're wasting our breath.

    Marcus is right to keep people on their toes: no-one should expect to
    fire off ill-conceived comments or solutions and not get their lungs
    ripped out - this is all too important. Any actual good ideas can
    stand harsh comment - bullshit disintegrates.

    >Here's another favourite Einstein
    >quote of mine that fits this situation.

    > "The definition of insanity is doing the same thing over and
    > over again and expecting a different result."

    My favorite Albert is this (I like it so much it's been my standard
    sig for a while):

    "Make things as simple as possible but no simpler." - Albert Einstein

    THIS is where things in our world get f**ked up IMSO: "We'll get a
    million angles to dance on the head of a pin, take the square root of
    their average size and use the results as Private Keys (sold by
    Verisinge and distributed by Microsloth)!"

    >While I think that user ed is still a critical piece to the puzzle, I
    >think that the way that we go about attempting to educate needs to
    >change. That's what I was trying to get across in my last email. It
    >takes one on one interaction with people.

    Education is a slippery topic. In short, we will achieve the edu
    goal with about 18 trillion hours of dedicated training and a factor
    of 1000 more in informal training. IOW - it ain't getting done
    tomorrow, but every little bit of effort gets us closer.

    The other side of edu is that vendors/providers need to get educated
    about what is a good idea and what is crap. Having (or not having)
    actual Customers doing actual Things with your product is the only
    education that counts, but vendors/providers usually miss the
    pertinent lessons even then.

    .d.
    >I'm well aware that I'm stuck in the middle of an arms race. That's why
    >we outsourced spam control - that was just too messy an arms race to
    >continue to contend with in house.

    Spam control = Identity

    Identity is owned by the worst of our industry (both the "how to
    screw your customer in Three Easy Steps" business folks and the
    "no-one should use a computer if they can't carve one out of soap" engineers).

    At JamSpam we had all the stakeholders in one place, and the best we
    could do was AMY. I chaired the damn coalition so I take the blame,
    but it didn't surprise me at all (and I *am* an optimist!).

    .d.
    >Very good points. See my point above concerning changing approaches.
    >To be realistic, I'm not expecting mass religious conversion to happen.
    > I'm hoping to keep finding those people that have an inkling that
    >something isn't right and just need some info to point them in the right
    >direction. These people, once they get it, will tell others. For
    >everyone else, I just want to get them to jump through the hoops of
    >turning on windows update, getting a firewall... yada yada yada.

    Education works, it is just a much much much bigger job than we
    think, with many different branches.

    o Much of the end-user education that needs to be done is social
    ("talk amongst yourselves") and we can never directly provide that,
    though we can tune the debate.

    o There is no quantity of end-user education that can shorten the
    amount of time it will take to "finish" that effort, but it is
    possible to have so little that it takes longer...

    .d.
    >In my last email, this was one of the things that I stressed (or I hope
    >I did). People need to learn to question. My generation is doing a
    >good job in this area, but my parents' generation is as trusting as an
    >unspoiled child when it comes to the net. I think the biggest problem
    >with the older crowd is that they don't really know what the net is -
    >I'm still working on my parents. That's what I want to try to teach people.

    That right there is my point. The quantity of exposure that the
    average Joe needs to understand the issues being discussed is "N",
    where N is a very large number (particularly if Joe is 50+). We are
    currently about 1/N into the process...

    > > [...other good stuff, deleted...]
    > > You're still an optimist, aren't you? It's always nice to find an optimist
    > > in Internet security. I feel like a birdwatcher who has seen the last of
    > > some vanishing breed whenever I run across one of you guys. ;)

    chirp! ;~)

    .d.
    >Whenever I fall into that sort of situation, I recognize it as
    >unworkable and realise there must be another way to look at the problem.

    Precisely!

    "The fact that two people have different opinions on a topic does not
    mean that either is correct."

    >I'll keep trying to find new ways of approaching this and I'll make
    >headway, even if it is just, as you said, "reduce the surge of noise to
    >manageable levels". I think you have to be incredibly persistent and
    >optimistic, or naive to make any meaningful headway in computer security
    >- not sure which one I am, maybe both.

    Lucy: "You can't subtract five from three!"

    Linus: "You can if you're stupid!"

    Never underestimate the power of naive optimism.

    >Anyway, it's still fun and challenging, so why not keep at it.

    Beats pumping gas...

    -cheers!

    -chris

    It is not worth an intelligent man's time to be in the majority. By
    definition, there are already enough people to do that.

      - G. H. Hardy

    Chris Blask
    chris@blask.org
    http://blaskworks.blogspot.com

    +1 416 358 9885

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

