Re: [fw-wiz] The home user problem returns
From: Mason Schmitt (mason_at_schmitt.ca)
To: "Marcus J. Ranum" <email@example.com>
Date: Tue, 13 Sep 2005 18:58:27 -0700
>>I also don't think the user education problem is an epidemiological one
>>either. To suggest that ignorance to a growing and changing computer
>>security environment is somehow like a rapidly spreading pathogen is a
>>little bit of a stretch.
> I'm sorry, I really screwed up my explanation. Can I have another throw?
You may :)
> Don't look at the problem from a "successfulness of prevention" standpoint,
> look at it from a "propagation of failure" standpoint. With something like AIDS,
> if you can make a significant percentage of the population aware of the problem,
> you've made it possible for the "aware people" to enclave, meet, and breed, and
> isolate the "unaware people" or those who have decided to argue in favor of
> natural selection by taking risks anyhow. So, in an area where you can educate
> 50% of the population about something like AIDS you've got a fair chance that
> the 50% you educated will survive.
> Now, look at Internet security. If I educate 50% of the population about the
> need to worry about security, I still lose - horribly - because the other 50% of
> my population fails and their machines are used to attack the educated 50%!!
Up to this point, I think that the basic education I'm suggesting works
well in the home user's favour. If the newly educated home user is now
chanting our mantra, they are going to have a reasonable level of
protection from most of the automated attacks which is a big win.
> That wouldn't be a problem except for transitive trust(*)
I was only introduced to transitive trust when you started up a thread a
while back concerning the CardSystems problem, so I'm obviously new to
the details of the problem. So, a quick question if I may. Do spoofing
attacks such as phishing fall under transitive trust? I'm fairly
confident that pharming does.
> - a big chunk, I have
> no idea how big, of the educated 50% would find themselves vulnerable to
> attacks from trusted parties and would be vulnerable, and then you'd very
> quickly be left with the only survivors being those who didn't trust anyone.
If I'm reading this right (and I doubt I am, because I can't imagine you
saying such a thing), you're suggesting that our newly minted
residential security guru is going to have some sort of trust
relationship with other home users on the net or even the same ISP?
There is no trust relationship.
The trusted parties that I can see actually being exploited themselves
and thus being involved in attacking our home user (via the pre-existing
trust relationship) are going to be the user's ISP's DNS servers and
maybe mail servers, windows update site, anti-virus update site, maybe
some others like that. Or if they are attached to work via a VPN -
problems at work.
Now, stepping outside of actual network attacks, you start to get into
identity theft through the home user's interaction with e-commerce
sites, their bank, their government... yada yada yada.
Is this the scope of the transitive trust issue? If it is, then I'd say
that we made some great headway by getting home users to do a modicum of
host hardening on their home PC; this will deal reasonably well with
automated attacks and even some social engineering ones such as Anna K.
If I'm missing something please help educate me.
> Another factor is that the environment would become poisoned after a certain
> point. I am on a satellite internet hookup (pity me!) and when there's a new
> worm out there doing a lot of scanning I can pretty much rest assured that
> I will have no internet access for 2 or 3 days.
> I call this "adaptive packet
> clogging intrusion prevention" -- it's effective but annoying. Wait 'till Gartner
> hears about it.
> So, that's a lot of why I am so hard on the topic of user education. Unlike
> other problem areas where education is effective, user education in
> computer security is of questionable value because the propagation
> effect of one user making a mistake can overwhelm the results of your
> educational programme instantly. We've ALL heard the stories of the
> dweeboid executive who brings his laptop into the corporate WAN and
> plugs it in and releases something awful behind the firewall, right? Well,
> in 1/4 second, the entire educational programme at that organization
> was utterly mooted. When you're fighting AIDS or illiteracy, local
> failures do not propagate into massive system-wide failures.
> Please - don't get me wrong: education is great. But if corporations want
> to improve their security, it's not a particularly effective investment
Right, but the rogue laptop user connecting to the soft underbelly of a
corporate network is very different than our single home user scenario.
Very different. Perhaps you are correct that user education in
corporations is a lost cause, but I still don't think I have sufficient
reason to doubt that home users are a lost cause. They're the ones that
we're so worried about aren't they? Isn't that what we've been talking
about, or have we moved on to user education in general rather in a
> [Below I will use the term "Mechanism" here to abstractly mean
> "technological enforcement system" - firewalls, AV, attachment stripping,
> IPS, APCIP, whatever. Loosely, you can think of it as "something that protects
> the user whether they want it to or not"]
> I guess there's a matrix we'd want to explore:
> #1 - No Security Mechanism, No Security Education
> #2 - No Security Mechanism, Security Education for users
> #3 - Security Mechanisms in place, No Security Education
> #4 - Security Mechanisms in place, Security Education for users
> I predict that of those 4, the security differences between #3 and #4 would be
> I further predict that the difference between #1 and #2 would be minor.
> I would also predict that the largest difference would be between #4 and #1.
> Put more simply: my guess is that the measurable impact of education
> versus mechanism is minor. Add some cost factors in and you could
> make a WAG at an ROI for security education. Then you'd take your
> education programme out and shoot it.
Very good argument. Again, in the context of an enterprise environment,
I agree. Actually, I take that back. In the home user context I fully
agree too. If a home user is completely clueless but has the basic
protections in place, then they are effectively at #4 on your matrix.
That's where most of the "Security Education" needs to be with home
users. That's why I keep bringing up the "mantra". If we can just get
that far, then we've made a huge win.
-- Mason
_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards