Re: [fw-wiz] The home user problem returns

From: Mason Schmitt (mason_at_schmitt.ca)
Date: 09/13/05

  • Next message: Paul D. Robertson: "Re: [fw-wiz] The home user problem returns"
    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Tue, 13 Sep 2005 14:13:55 -0700
    
    

    >>Educating users to fix the problem doesn't work. Educating users there
    >>*is* a problem seems to work, just not en masse.
    >
    > Nope. Because we're dealing with shared environments - so even if you
    > managed to somehow raise the clue level in 50% of the population it winds
    > up having almost no effect because the clueless infect the clueful
    > second-hand.

    I think that was Paul's point. Home users can't be educated to the
    point that the problem becomes "fixed". I don't think they need to be
    or should be, so if that's where the effort is being expended, then I
    agree - it's a waste of breath. I do think that over time education
    efforts will result in an increase in clue in the vast majority of
    people. If this weren't the case, then there would be no point to
    having a public education system... Not everyone is going to get
    straight 'A's; some people will fail, and others who are living a hand-to-
    mouth existence, or whose country is too backward or too poor, or for
    whatever reason doesn't have education available to the masses, will
    not learn - which leads nicely to your comment below concerning AIDS.

    > It's really a problem in epidemiology. Imagine if 50% of
    > your population refused to worry about AIDS yet was capable of having
    > sex with 1,000,000 different partners a day* - The numbers are all tipped
    > the wrong direction, for education to work. Spammers have pretty much
    > proved that.

    Well, no, the spammers haven't proven that. What the spammers have
    shown us is that even if they only sucker a minute percentage of the
    people that actually receive their crap, that it's financially
    worthwhile. The reason being that the economics of spam allow the
    spammers to plunder a public resource (the net) with relative impunity.
    Ecological economists such as Herman Daly have shown that when you
    don't factor in the cost of continual withdrawal from a natural
    resource, your books aren't really balancing. This is again an
    issue that is only going to be rectified by increasing the spammers'
    costs, which many people are working on.

    I also don't think the user education problem is an epidemiological one
    either. To suggest that ignorance of a growing and changing computer
    security environment is somehow like a rapidly spreading pathogen is a
    little bit of a stretch. If ignorance were infectious, you'd probably
    be dead or an idiot right now. I remember you ripping apart Dan Geer's
    monoculture idea that was such a big deal a little while back. Not
    trying to pick a fight here, I just don't get the argument.

    > my magic
    > 8-ball says "Outlook Not Good" and it's not talking about the
    > mail software from Microsoft. (But it'd be right if it was...)

    :)

    > Trying to point out that it's a social problem brings up this
    > immediate surge of knee-jerk "HACKING IS COOL!" reaction.
    > After my "Dumb ideas" article got slashdotted yesterday, I
    > have an in-box filled with about 250 "u r such a d0rk w3rd"
    > emails - all reacting to my observation that we need to decouple
    > hacking ideology from internet security if we want to make
    > progress. It's not happening and I, for one, am tired of this
    > fight.

    It's ok to take a break and regroup. It's also ok to retire. You have
    made progress. I know that I for one have copies of "Low Carb Security"
    and your recent "6 dumbest ideas..." hanging on my wall. I keep them
    there (and re-read them every so often) because they are successful
    attempts at distilling the millions of little problems into a few simple
    concepts that I can hold onto. I have learned a ton from this list and
    I'm now passing on the little bit that I have learned (and will continue
    to learn) to my co-workers, friends and our customers.

    > I came up with a really cool mental hack the other day on this
    > topic, but I haven't figured out how best to approach it. But,
    > basically, it's the observation that people _HATE_ spammers
    > and _HATE_ spam. Yet, people seem to _LOVE_ hackers
    > and think hacking is _COOL_. How did this happen??

    Hollywood, fiction, dumbass teenagers trying to carve out some sort of
    identity for themselves, money... What makes clothing fashions, music,
    etc. popular? This is all just part of our society's poorly functioning
    machinery. The fact that you get a deluge of email as a result sucks,
    but don't take it personally.

    > Yet, nobody
    > (except me and a few of my weird buddies) seem to think
    > it's a problem that "security researchers" are overlapping
    > pretty seriously with rootkit/malware/trojan writers.

    You know, if you hadn't pointed this out some time ago, I wouldn't have
    given my nagging doubts too much thought, because I figured that these
    people are professionals, they know what they are doing. Silly me.
    Again however, I'm going to move a bit closer to the fence on this one,
    because despite the undercurrent of money and fame in the security
    industry right now, pressure is being applied that is going to force us
    to find ways of creating better software.

    > (*Did you wince when you read that? I did!)

    Yes.. :P

    --
    Mason
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

