RE: [fw-wiz] The home user problem returns

From: Marcus J. Ranum (
Date: 09/14/05

  • Next message: Paul D. Robertson: "RE: [fw-wiz] The home user problem returns"
    To: "Scott Pinzon" <>, "Paul D. Robertson" <>, "Chris Blask" <>
    Date: Tue, 13 Sep 2005 19:21:11 -0400

    Scott Pinzon wrote:
    >Marcus [...] I can't help feeling, in my
    >pipsqueak opinion, that on this one you're way off base.

    For years and years I have been longing for someone to come along
    and convince me that I'm wrong. I'd love to be wrong about this stuff,
    because it'd mean the world was a whole lot better place than I think
    it is. So - bring it:

    >-- Ignorance is never better than knowledge in any realm. But particular
    >to network security, my experience is that most clueless users are also
    >people of good will who will cease dangerous behaviors once they
    >understand those behaviors ARE dangerous.

    I think you must be a smart person. Smart people tend to value knowledge
    because, well, it's something that happens to you as you're smart. It's
    your coinage, if you will. It's always a shock when you realize that
    most people don't. (*)

    >-- Educating users is another layer in "Defense in depth." If 10 out of
    >100 users click evil email attachments, and through education you reduce
    >that to 3 out of 100, you've improved that layer.

    You've improved it, but does it matter? That's my question.

    1 idiot clicking attachments can infect 10,000 other idiots a day
    if you reduce the idiot count from 10%, as you say, to 3% in an
    organization of 1000 people, you've dropped from 100 idiots who
    click attachments to 30. And those 30 will still send 300,000
    emails a day and your mail server will still detonate. And, since
    one of those idiots is probably your CTO, all of your execs in
    h* management chain will probably get infected, too....

    >-- Educating users has been proven to work at company after company.
    >Help desk calls, viral infections, falling victim to phishing emails,
    >and more, have been quantitatively and demonstrably reduced at companies
    >that institute end-user security training.

    The problem with such measures is that you can't really tell
    how much of that is a result of the training and how much is a
    result of normal "aversive experience." For example, my mom
    has never had any computer security training but after the first
    time her machine got wiped by her IT guy (that's me) now
    she's a lot more careful about spyware.

    >-- And how do you know "it" (educating end users) is not working? We
    >have no before/after comparison on what the Internet would be like if
    >all of us who preach security had stopped five years ago.

    You can ask the exact same question in reverse, though, right?
    "If it was working, how come we still have Internet security problems?"
    Surely everyone has heard of them, by now. Surely everyone in the
    US has heard of Identity Theft by now, etc.

    This is one of those nasty intractables because you can't really
    get a grip on the effectiveness of solutions because there's no
    control group - we're working with entire populations.

    I like to think of this problem as being similar to patching a leaky
    roof. Well, you OBVIOUSLY are getting less water in the holes
    that you've patched but it's hard to reason accurately about
    whether you're much better off anyhow. In fact, patching your
    roof may distract you from replacing your roof entirely. That's
    how I conceptualize it, anyhow. I know it's a analogy and I hate
    them but that's how that problem fits in Marcus-land.

    >Maybe I'm misunderstanding you, but my take-away from your blog article
    >is that you are so discouraged by end-user ignorance, you think we
    >should all stop wasting our breath on them.

    Would you like to ghost-write for me? That's a GREAT way of putting it.

    >Your recommendation is that
    >we set up an environment through quarantining and what-not where users
    >have no opportunity to hurt themselves.

    Sort of, yeah. I think I'd say that it's probably more cost-effective to
    simply keep users from hurting themselves than to teach them how
    not to hurt themselves.

    I.e: "Sit the F down. Shut the F up. Don't ask any questions.
    This is your browser. It's called 'Zen4' and it only knows how to render
    GIF, PNG, JPEG, CSS, and HTML. If you go to a website and it doesn't
    display properly, you went to a bad website. This is your Email client.
    It uses Zen4 to render anything you get. Anything it can't render, you
    won't see because the spam blocker will have already junked it for you.
    Have fun and thanks for working for Marcus-Land, where the user
    comes last and the customer comes first!"

    > In rebuttal, I cite the crusty
    >old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
    >(through technology) create an environment where clueless users can't
    >hurt themselves.

    My, that's a depressing thought. :(

    >To keep a network secure, we need users on our side. We
    >can get them there if we try.

    My, that's an even more depressing thought. As an ex-sysadmin, I can
    assure you that I've spent many years filled with the awareness that my
    users are not only stupid, they're actively out to get me any chance they
    can. They are not on my side. Even when they pretend to be on my side,
    I know that the cookies they leave on my desk are loaded with rat-poison
    so I'll die _after_ I restore the file they deleted but not a minute before.
    And they all want root.

    >Am I really the only one on this list who thinks so? Or Marcus, did I
    >misinterpret you?

    You didn't misinterpret me.

    Sounds like you're another one of those "optimist" things I keep
    hearing about. Maybe we should preserve you in a big jar of
    formaldehyde so that all the firewall-wizards can point you out
    to the newly-minted CISSPs, "Look... This is a computer security
    optimist that we found. We think he somehow survived the big
    asteroid strike... There are rumors there may be others, still living
    in the deep jungles..."


    (* I read some scary stats in this month's LensWork that I found hard
    to believe but .. 
    1/3 of high school students never read another book in their lives
    42% of college graduates never read another book after college
    80% of US families did not buy or read a book last year 
    70% of US adults have not ben in a bookstore in the last 5 years
    57% of new books bought are never read to completion
    Claimed source: Harold Jenkins
    firewall-wizards mailing list

  • Next message: Paul D. Robertson: "RE: [fw-wiz] The home user problem returns"