Re: [fw-wiz] The home user problem returns

From: Marcus J. Ranum
Date: 09/13/05

  • Next message: Chris Blask: "Re: [fw-wiz] The home user problem returns"
    To: "Paul D. Robertson"
    Date: Tue, 13 Sep 2005 11:11:57 -0400

    Paul D. Robertson wrote:
    >Educating users to fix the problem doesn't work. Educating users there
    >*is* a problem seems to work, just not en masse.

    Nope. Because we're dealing with shared environments - so even if you
    managed to somehow raise the clue level in 50% of the population it winds
    up having almost no effect because the clueless infect the clueful
    second-hand. It's really a problem in epidemiology. Imagine if 50% of
    your population refused to worry about AIDS yet was capable of having
    sex with 1,000,000 different partners a day* - the numbers are all tipped
    the wrong direction for education to work. Spammers have pretty much
    proved that.

    >We have to take this to the social trenches at some point, or
    >we'll be overrun.

    Some of us have been trying that for a long time, and my magic
    8-ball says "Outlook Not Good" and it's not talking about the
    mail software from Microsoft. (But it'd be right if it was...)
    Trying to point out that it's a social problem brings up this
    immediate surge of knee-jerk "HACKING IS COOL!" reaction.
    After my "Dumb ideas" article got slashdotted yesterday, I
    have an in-box filled with about 250 "u r such a d0rk w3rd"
    emails - all reacting to my observation that we need to decouple
    hacking ideology from internet security if we want to make
    progress. It's not happening and I, for one, am tired of this

    I came up with a really cool mental hack the other day on this
    topic, but I haven't figured out how best to approach it. But,
    basically, it's the observation that people _HATE_ spammers
    and _HATE_ spam. Yet, people seem to _LOVE_ hackers
    and think hacking is _COOL_. How did this happen??
    System penetrations are actually a bigger pain in the neck
    than spam, are approximately as prevalent, and are much
    more damaging. But - if you had senior engineers who worked
    for anti-spam companies also selling spam-blocker-evasion
    tools to spammers, there would be hue and cry. Yet, nobody
    (except me and a few of my weird buddies) seems to think
    it's a problem that "security researchers" are overlapping
    pretty seriously with rootkit/malware/trojan writers. So, what's
    going on here? Why are we so upset about something that
    is relatively undamaging - to the point where people *CHEER*
    when AOL raffles off a spammer's car that was seized - but
    everyone in the media does the weewee of joy over some
    lame-brain "security researcher" who spends 90% of his
    life eating curry and single-stepping through Microsoft
    apps in Soft-Ice so he can find an exploit. We call spammers
    "scumballs" and "sleaze" and we call hackers "wiz kids" and
    "brilliant" and they're the same people, in some cases.

    >It's almost tempting to just migrate over to IPv6 space and start again,
    >with small gated communities- even if it's just so we get a 5 year break
    >between storms.

    IPv6 will create more problems than it solves. It's too complicated.
    My prediction is that they would be finding new DOS attacks against
    the stack for 100 years, except it'll never get fielded anyhow.

    In 1998 I (seriously) recommended we scrap all the Internet
    app-level code and start over, then blame the whole thing on
    Y2K. It actually would have worked. ;) A redesign of all the
    app-level traffic that is allowed across the Internet would cost
    significantly less than companies waste annually on firewalls
    and other IP contraceptives. It's not going to happen, though.

    >Computer security: Fighting the digital Alamo from inside the fort. We
    >know how it's gonna end.

    Paul? Wakey-wakey!! It ended in 1994 when we lost the battle
    to the browser-writers. We're just fighting because we're shot
    full of holes but we're too dumb or stubborn to lie down.

    (*Did you wince when you read that? I did!)

    firewall-wizards mailing list
