Security Basics mailing list archives

RE: Security and the Under 30 User


From: "Timmothy Lester" <Timmothy.Lester () primeadvisors com>
Date: Fri, 8 Feb 2008 09:44:12 -0800

Under 30 here,
I don't know why you are biased about people under 30.  I have actually
found it a LOT harder to convince older people, that they have to use
words that aren't in the dictionary for their eBay and PayPal account
passwords (they usually use crap like: piggy, Henry, or Go Mets).  It is
especially hard to convince older people not to open an email from
people they don't know. (They get defensive and say "I NEVER do that";
even after watching them do it.)  Users over 30 are much more prone to
phishing attacks, because they don't understand that people on the
internet are out to get them, and get confused when they get an e-mail
about their "lost password" ;).  However, people in the technology field
need to be educated, regardless of age!  I have come across techs of all
ages who aren't concerned about "hackers and Bots".  I believe that
MySpace is junk, and wouldn't even let my friends go there on my
personal computer.  Anyone trying to access MySpace on a work computer
is a doof. I wonder if it would be legal to make some Bots, and
mass-mails, that would teach people about security.  I always wanted to
make some "good Samaritan bots"..

Even simple stuff, such as:
**NET SEND RANDOM_IP "Turn off messenger service dumbass"
**Mass Mail>> Click on this link >>and when you click it, you get adware
installed which prompts you constantly; "never open e-mail from
un-trusted sources dummy :)"
**Trick someone into installing a virus, and every time they double
click something it will have a very educational whitepaper about
security that pops up.
**A BOT that connects to already infected computers, and notifies them
that they're rooted.
**A BOT that searches for unsecure passwords/hashes, and notifies users
to change them. 

The first rule of persuasion is to induce fear!!! Without fear, people
won't care about security.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of mgk.mailing
Sent: Friday, February 08, 2008 5:49 AM
To: net sec consule
Cc: security-basics () securityfocus com
Subject: Re: Security and the Under 30 User

Hi there

I'm under 30, have Facebook etc but apart from that am a reasonable 
kinda guy :).  I too get thoroughly annoyed with the attitude of some 
people my age, but I don't think this is an age issue.  It's an idiot 
issue.  If people want to post details that let them get screwed over 
on-line the facility has always been there.  It just hasn't been 
available to the majority of users.  I am shocked at what you say later 
however, posting details online to "screw over" the bank is an idiot 
thing to do as it will be the ordinary people who have accounts there 
that will have to pay for the fraud.

The attitude that exists isn't restricted to under 30s (although I 
concede that that is where a lot of it resides) and seems to stem from 
the belief that whatever you do on-line won't impact you in real life, 
and if you think it's bad at the moment, wait for the current teenagers 
to grow up and get credit etc.  I think the problems you are talking 
about will be around for a while longer, as the technology has matured 
faster, becoming more accessible and almost free, outpacing the maturity
and sensibility of your average user.

tbh I weep for the future...

/mgk

also dismayed.


net sec consule wrote:
Hi,

First, the disclaimer: I am over 40, have never been
'cool' and I have always been considered 'the tall,
lanky, four-eyed geek.'  But I don't get the under-30
crowd's attitude towards IT security. Can someone
please give me a clue? I am at a loss how to respond
to the attitude I hear, and it impacts my client's
security and my credibility.

I have been doing network security consulting for over
15 years. I also do several public service IT security
presentations to community and professional groups
each month. In either environment, I consistently get
a hostile reception from those under 30. The attitude
I get is "IT security is a bunch of moronic bull
(expletive deleted) dreamed up by paranoid moronic
geezers to justify their existence." 

In my consulting practice, I often find where under 30
users either don't have anti-virus or anti-spyware
installed. Or, if their company has installed it, they
have disabled it. They label the AV concept 'stupid'
and believe that malware is just a fact of life and
you should 'get over it', and that it really isn't as
bad as 'people like me' claim it is. I also find that
the majority of the younger crowd has either disabled
the anti-virus that came with their personal computer
or did not renew the subscription when it expired.

You mention keystroke loggers and other spyware, the
attitude I get is "If you don't have anything to hide,
then you have nothing to worry about."  Or, "Why
should I worry about privacy? Every aspect of my life
is already out there for anyone to read in my blog on
MySpace."

If you bring up all the malware slowing down their
computer, you get arguments that AV software slows it
down worse. I also get the attitude that "Everything I
need to keep is on my flash drive, so what whenever my
performance starts to (expletive deleted), I just blow
away the hard drive and reinstall."

Mention Joe Lopez and his loss of bank funds, and the
attitude is that his case is an anomaly; "Why haven't
other cases made the news? He must have done something
to p-o BoA." And it never fails that someone claims to
have a friend that had money stolen from their bank
account or credit card, and the bank put the money
back. I bring up that we are all paying for such
losses by lower interest rates on savings and higher
credit card and bank fee rates, they could care less.


(A couple of side notes to banks: 
   1) I have had many people claim that they would be
willing to pay $5 to $25 per transaction just to be
able to continue to use online banking if that was
what was required to offset the fraud costs. When
probing deeper, the per transaction cost appears to be
about one-half hour's pay. Just for the convenience of
not having to write a check or use snail mail.
   2) I have heard several of the younger crowd claim
that it is common practice that when you get mad at
your bank, just post your credit card information
on-line so that the bank gets a bunch of fraudulent
charges against the card and cancels it. They see it
as a way to punish the bank for upping their interest
rate or imposing late fees.)

In the corporate world, the attitude is even worse. I
have a client that recently implemented web content
filtering that blocks the social networking sites,
blogs, chat rooms, and other non-business content.
That resulted in the mass resignation of under 30
staff, because "I can't work here if I can't keep in
contact with my friends while I work." Some are even
screaming "age discrimination" because sites like
FoxNews or CNN 'that the old geezers use' were not
blocked.

Can someone please explain this attitude? Why the
fierce resistance to anything relating to security?
Why the "I don't care about privacy" attitude? Why do
they have to be in constant communication with their
friends, to the point they would rather be unemployed
than out of contact?

I do not understand and cannot comprehend these
attitudes!

Please enlighten me!

Thanks.


