Re: [fw-wiz] The home user problem returns

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 09/27/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 27 Sep 2005 21:45:19 +0530

    On 19/09/05 19:36 -0700, tbird@precision-guesswork.com wrote:

    [Warning: long, meandering response]

    > Quoting Elizabeth Zwicky <zwicky@greatcircle.com>:
    >
    > >
    > >On Sep 13, 2005, at 12:23 PM, Tina Bird wrote:
    > >>i disagree. i don't know *anyone* who willingly makes a fundamental,
    > >>significant change in their behavior without pain as a motivator.
    > >
    > >On the one hand, I agree with Tina -- people change their OWN
    > >behavior based on their OWN pain. On the other hand, this insight
    > >leads people to some terrible attempts at training, because people
    > >(dogs, cats, octopus, anything with a brain of reasonable size)
    > >do not respond effectively to imposed pain. Positive training
    > >methods always work better on long-term measures.
    >
    > correct, as we expect from elizabeth :-) most of the time when i'm
    > presenting the use of endpoint enforcement techniques to system
    > administrators (the folks who will be managing the systems) and their
    > end users, i start by describing it as a reward system for proper

    From my PoV, the problem is that the pain and the rewards are for the IT
    department. The end user suffers from much less pain. However, the
    problem is caused by end users (and management which thinks itself to be
    above the rules).

    Corporate end users have an IT staff to manage their work systems. Home
    systems today are networked, and have the same complex issues that corporate
    systems do (or even more complexity). However, there is no _trained_ IT
    staff to manage those systems. Positive training works when there is a
    real reward.

    What is the reward for a home user to participate in security, when the
    only visible cost is of formatting and reinstalling the PC every few months?
    The price is a significant investment in time, and the tradeoff is not always
    in favour of security.

    > configuration, rather than a punishment system against incorrect or
    > compromised configurations. it's the same as the artificial ignorance
    > approach to log management, or good ol' deny all firewall
    > rules. the list of "things that absolutely ought to be configured this way"
    > is shorter than the list of all possible things that should be prohibited.
    >
    > so of *course* most folks won't want to do that.
    >
    Or it is just too complicated to do things the right way [1]. People use
    applications (and design protocols) without considering security. Some
    designs work when targeted for a small, trustworthy crowd. But they
    don't work when there are non-trustworthy users.

    Unfortunately, there is also a growing culture of avoiding
    critical thinking. I have no idea why this is so, but the majority of
    people I know don't stop and think through the consequences of their
    actions.

    > unfortunately, i am consistently told by marketing folks and journalists
    > that rewarding the right behavior isn't sexy enough to be newsworthy.
    > apparently selling "a kick ass system for maintaining proper system config,
    > and simplifying enterprise desktop management" doesn't work - but "scan and
    > block" or "worm preventers" or "quarantine solutions" will. i think it's

    People tend to be optimists. They don't expect things to go wrong. If
    people were to apply the same rules to driving cars as they should apply
    to running networked computers, then they would all be driving tanks [2].

    > absurd, that stupid reactive approach to life. it was much easier to get
    > the UNIX sys admins to adopt security mechanisms by pointing out how much
    > easier they make system management, but apparently that's not always a
    > good sell for the desktop folks. i don't get it.
    >
    I have a suspicion it has a lot to do with the way people learnt to
    manage their systems securely. From what I have read of computing history,
    Unix was insecure until the Morris worm. At that point in time, there
    were few systems on the Internet, and most of them had competent
    administrators. The next generation of administrators learnt from the
    people who were bitten and was generally competent as well. This drove a
    culture of security into Unix administrators.

    Also, Unix offers some excellent automation tools. This generally makes
    the sysadmins more tolerant of scripting and automating tasks.

    There is a pretty large number of users who are growing up with Linux,
    and have no clue about security either. At this point, the only saving
    grace is that they are still discouraged from running regularly as root.

    Microsoft made its systems easy to manage for the single desktop scenario,
    by people who did not have sufficient skills or experience. This went
    over into the corporate world, where single user desktops remained
    common until a few years ago. Microsoft did not encourage a scripting
    and automation culture either. This meant that a very large part of the
    Windows administrator population is simply not familiar with the power
    of scripting, and has been taught that the command line is arcane and
    difficult.

    They have learnt that bad things always happen, and reacting to them is
    the only way to make sure things work again.

    I have also seen an unfortunate tendency in home users to shrug off the
    responsibility of managing their systems to the ISP or anyone else. "Not
    my responsibility" is a popular refrain.

    Perhaps a bit of media thrust is needed for this to be fixed?

    Devdas Bhagat

    [1] Default allow is easier to get new things working with than default
    deny, which requires actual research into what is being done.
    [2] Ignoring those SUV driving Americans.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
