Re: [fw-wiz] The home user problem returns

From: Chris Blask (
Date: 09/12/05

  • Next message: Paul Melson: "RE: [fw-wiz] The home user problem returns"
    To: Mason Schmitt <>, "Marcus J. Ranum" <>
    Date: Mon, 12 Sep 2005 10:52:49 -0400

    At 03:42 PM 9/8/2005, Mason Schmitt wrote:
    > > Wow... Am I that bad? Am I that predictable? ;)
    > >
    >I think you've been at this a really long time and you're fed up with
    >the bull. I've only been in computers for a few years and the current
    >state of things drives me nuts too. The fact that you keep speaking out
    >is admirable. :)

    That is the value - take what opinion you like but DON'T GIVE UP!

    > > If you want to push
    > > things back far enough, intellectually, the problem is that anonymous
    > > Internet access is being offered. That's the underlying problem.
    >YES!!! And the fact that there are groups that are working hard at
    >maintaining that anonymity bothers me. I know that there's always the
    >concern about Big Brother, or worse and far more plausible, abuse of any
    >large scale trust/authentication systems that get setup in the future.

    The problem is that, without any sort of identity (and there is
    exactly 0.0000% of net traffic using anything worth calling
    identity), it is impossible to treat Identified traffic and Anonymous
    traffic differently, as they logically deserve.

    >I see trust and authentication systems as critical to the future of the
    >net, therefore I want to see it happen, but I'm deathly afraid of the
    >piece of *$^! system that could be put in place. I can tell you right
    >now that centralized systems such as microsoft's passport are extremely
    >scary and have no place in in the future trust/auth systems that need to
    >exist. Unfortunately I don't have a crystal ball (or any technical
    >background) to tell you what such systems should look like.

    Decentralized, distributed responsibility. If I own an auth server
    then I am responsible for the activities of those who use it. If I
    can say: "Yes, this is a person, I know who it is, and I'm not
    telling you who that person is short of a court order legal in my
    jurisdiction", then the system works.

    >On bad days and good days I fully agree. The problem is that it can't
    >stay like this, so movement has to occur somewhere. Perhaps you're
    >right that we're wasting our breath.

    Marcus is right to keep people on their toes: no-one should expect to
    fire off ill-conceived comments or solutions and not get their lungs
    ripped out - this is all too important. Any actual good ideas can
    stand harsh comment - bullshit disintegrates.

    >Here's another favourite Einstein
    >quote of mine that fits this situation.

    > "The definition of insanity is doing the same thing over and
    > over again and expecting a different result."

    My favorite Albert is this (I like it so much it's been my standard
    sig for a while):

    "Make things as simple as possible but no simpler. " - Albert Einstein

    THIS is where things in our world get f**ked up IMSO: "We'll get a
    million angles to dance on the head of a pin, take the square root of
    their average size and use the results as Private Keys (sold by
    Verisinge and distributed by Microsloth)!"

    >While I think that user ed is still a critical piece to the puzzle, I
    >think that the way that we go about attempting to educate needs to
    >change. That's what I was trying to get across in my last email. It
    >takes one on one interaction with people.

    Education is a slippery topic. In short, we will achieve the edu
    goal with about 18 trillion hours of dedicated training and a factor
    of 1000 more in informal training. IOW - it ain't getting done
    tomorrow, but every little bit of effort gets us closer.

    The other side of edu is that vendors/providers need to get educated
    about what is a good idea and what is crap. Having (or not having)
    actual Customers doing actual Things with your product is the only
    education that counts, but vendors/providers usually miss the
    pertinent lessons even then.

    >I'm well aware that I'm stuck in the middle of an arms race. That's why
    >we outsourced spam control - that was just too messy an arms race to
    >continue to contend with in house.

    Spam control = Identity

    Identity is owned by the worst of our industry (both the "how to
    screw your customer in Three Easy Steps" business folks and the
    "no-one should use a computer if they can't carve one out of soap" engineers).

    At JamSpam we had all the stakeholders in one place, and the best we
    could do was AMY. I chaired the damn coalition so I take the blame,
    but it didn't surprise me at all (and I *am* an optimist!).

    >Very good points. See my point above concerning changing approaches.
    >To be realistic, I'm not expecting mass religious conversion to happen.
    > I'm hoping to keep finding those people that have an inkling that
    >something isn't right and just need some info to point them in the right
    >direction. These people, once they get it, will tell others. For
    >everyone else, I just want to get them to jump through the hoops of
    >turning on windows update, getting a firewall... yada yada yada.

    Education works, it is just a much much much bigger job than we
    think, with many different branches.

    o Much of the end-user education that needs to be done is social
    ("talk amongst yourselves") and we can never directly provide that,
    though we can tune the debate.

    o There is no quantity of end-user education that can shorten the
    amount of time it will take to "finish" that effort, but it is
    possible to have so little that it takes longer...

    >In my last email, this was one of the things that I stressed (or I hope
    >I did). People need to learn to question. My generation is doing a
    >good job in this area, but my parent's generation is as trusting as an
    >unspoiled child when it comes to the net. I think the biggest problem
    >with the older crowd is that they don't really know what the net is -
    >I'm still working on my parents. That's what I want to try to teach people.

    That right there is my point. The quantity of exposure that the
    average Joe needs to understand the issues being discussed is "N",
    where N is a very large number (particularly if Joe is 50+). We are
    currently about 1/N into the process...

    > > [...other good stuff, deleted...]
    > > You're still an optimist, aren't you? It's always nice to find an optimist
    > > in Internet security. I feel like a birdwatcher who has seen the last of
    > > some vanishing breed whenever I run across one of you guys. ;)

    chirp! ;~)

    >Whenever I fall into that sort of situation, I recognize it as
    >unworkable and realise there must be another way to look at the problem.


    "The fact that two people have different opinions on a topic does not
    mean that either is correct."

    >I'll keep trying to find new ways of approaching this and I'll make
    >headway, even if it is just, as you said, "reduce the surge of noise to
    >manageable levels". I think you have to be incredibly persistent and
    >optimistic, or naive to make any meaningful headway in computer security
    >- not sure which one I am, maybe both.

    Lucy: "You can't subtract five from three!"

    Linus: "You can if you're stupid!"

    Never underestimate the power of naive optimism.

    >Anyway, it's still fun and challenging, so why not keep at it.

    Beats pumping gas...



    It is not worth an intelligent man's time to be in the majority. By
    definition, there are already enough people to do that.

      - G. H. Hardy

    Chris Blask

    +1 416 358 9885

    firewall-wizards mailing list

  • Next message: Paul Melson: "RE: [fw-wiz] The home user problem returns"