RE: Security and the Under 30 User

["Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>]

Good morning,

I have been thinking a bit about this and reading every ones responses.
While I tend to agree with you to an extend I also have to, for my own
peace of mind, come to the conclusion that it is because of the line of
work we are in that the world seems that way.
I am sure if you ask a dentist then he will tell you it seems like
everyone is neglecting their oral hygiene when it should be blatantly
obvious they shouldn't.

People who don't have any interest in IT have over the last 10 years or
so been increasingly bombarded with how authority mismanages their
personal information. While I have to assume most people out there
attempting to protect their networks are doing the best job they are
able to. Losing a laptop loaded with other peoples personal information
should never happen, or at least only once and then be followed by a
significant penalty.
Instead society is schooling populations to think that personal
information is of little value. (This is where I have to bite my tongue
about my personal views of topics like national ID's, warrantless this
or that, Department of Homeland Security, and the list seems to grow
weekly these years).

My point being that society is educating people to not care about
personal privacy. So when you see that the sub30's don't seem to care,
ask what should have been the strong foundation personal responsibility
should have been built upon.

My point of view and have a great week.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of net sec consule
Sent: Thursday, February 07, 2008 11:26 AM
To: security-basics () securityfocus com
Subject: Security and the Under 30 User


Hi,

First, the disclaimer: I am over 40, have never been
'cool' and I have always been considered 'the tall,
lanky, four-eyed geek.'  But I don't get the under-30
crowd's attitude towards IT security. Can someone
please give me a clue? I am at a loss how to respond
to the attitude I hear, and it impacts my client's
security and my credibility.

I have been doing network security consulting for over
15 years. I also do several public service IT security
presentations to community and professional groups
each month. In either environment, I consistently get
a hostile reception from those under 30. The attitude
I get is "IT security is a bunch of moronic bull
(expletive deleted) dreamed up by paranoid moronic
geezers to justify their existence."

I my consulting practice, I often find where under 30
users either don't have anti-virus or anti-spyware
installed. Or, if their company has installed it, they
have disabled it. They label the AV concept 'stupid'
and believe that malware is just a fact of life and
you should 'get over it', and that it really isn't as
bad as 'people like me' claim it is. I also find that
the majority of the younger crowd has either disabled
the anti-virus that came with their personal computer
or did not renew the subscription when it expired.

You mention key stoke loggers and other spyware, the
attitude I get is "If you don't have anything to hide,
then you have nothing to worry about."  Or, "Why
should I worry about privacy? Every aspect of my life
is already out there for anyone to read in my blog on
MySpace."

If you bring up all the malware slowing down their
computer, you get arguments that AV software slows it
down worse. I also get the attitude that "Everything I
need to keep is on my flash drive, so what whenever my
performance starts to (expletive deleted), I just blow
away the hard drive and reinstall."

Mention Joe Lopez and his loss of bank funds, and the
attitude is that his case is an anomaly; "Why haven't
other cases made the news? He must have done something
to p-o BoA." And it never fails that someone claims to
have a friend that had money stolen from their bank
account or credit card, and the bank put the money
back. I bring up that we are all paying for such
losses by lower interest rates on savings and higher
credit card and bank free rates, they could care less.


(A couple of side note to banks:
   1) I have had many people claim that they would be
willing to pay $5 to $25 per transaction just to be
able to continue to use online banking if that was
what was required to offset the fraud costs. When
probing deeper, the per transaction cost appears to be
about one-half hour's pay. Just for the convenience of
not having to write a check or use snail mail.
   2) I have heard several of the younger crowd claim
that it is common practice that when you get mad at
your bank, just post your credit card information
on-line so that the bank gets a bunch of fraudulent
charges against the card and cancels it. They see it
as a way to punish the bank for upping their interest
rate or imposing late fees.)

In the corporate world, the attitude is even worse. I
have a client that recently implemented web content
filtering that blocks the social networking sites,
blogs, chat rooms, and other non-business content.
That resulted in the mass resignation of under 30
staff, because "I can't work here if I can't keep in
contact with my friends while I work." Some are even
screaming "age discrimination" because sites like
FoxNews or CNN 'that the old geezers use' were not
blocked.

Can someone please explain this attitude? Why the
fierce resistance to anything relating to security?
Why the "I don't care about privacy" attitude? Why do
they have to be in constant communication with their
friends, to the point they would rather be unemployed
than out of contact?

I do not understand and cannot comprehend these
attitudes!

Please enlighten me!

Thanks.



________________________________________________________________________
____________
Looking for last minute shopping deals?
Find them fast with Yahoo! Search.
http://tools.search.yahoo.com/newsearch/category.php?category=shopping


This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged, 
confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby 
notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in 
reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please 
notify the sender that this message was received in error and then delete this message.
Thank you.