Firewall Wizards mailing list archives
Re: Ok, so now we have a firewall, we're safe, right?
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Jun 2005 16:00:50 -0400
Paul D. Robertson wrote:
> They understood what they were doing- ordering DSL service.
You neatly sidestepped answering my important question, which is whether or not their product documentation might have included information that there was also a wireless access point included (and possibly even how to secure it) with the router. By that logic someone who chooses to remain ignorant about safe chainsawing techniques is not at fault if they cut their foot off because "all they needed to know was that they were cutting wood." I think that the laws on the books regarding vehicular manslaughter, etc, indicate that society has established an expectation of understanding and expertise on the part of users of tools that need expertise and knowledge. Perhaps the ISP's lawyers should have included a big red sticker on the router that read "BEFORE PLUGGING THIS IN YOU MUST HAVE A CLUE." But that's obvious. In fact, it probably also came with admonitions to "read the fine manual." Just like my chainsaw does.
> Do you honestly think the documentation that comes with a DSL router gives the average consumer without wireless equipment enough information to make a real risk judgment?
Of course it doesn't. But that's an explanation, not an excuse.
> I think there's a happier ground that's somewhere in the middle- and I think that absolving vendors of any of the downfall of their products is just as bad as making them responsible for all of it...
I agree with that. So does the law. If a vendor sells something based on deceptive claims it's against the law and vendors of various products (including a few cases involving computer security products) have been hauled in by the FTC for deceptive claims or marketing.* The only effect of getting lawyers involved in this kind of thing would be to have the DSL router come with 30 pages of legal warnings written by the providers' lawyers, disclaiming all liability for incorrect use of the product and/or service. In fact I bet if we researched this particular incident more closely we'd discover that the customers *already* had gotten and ignored such warnings. Maybe we could require that the ISP sell the product with a big red sticky WARNING label on it for the customer to peel off and ignore. In the best of all possible worlds, of course, the product would ship with unnecessary everything turned off, and a tight policy enabled by default. Requiring the customer to take a deliberate action to bring about their downfall is a good approach. I.e.: "Click HERE<< to install new Spyware." Which, of course, they will do. If you push this point to the legal system, all products will ship with a fluorescent sticker that reads "RTFM" on it. And that's about it. I think that'd be funny but it won't help.
> In this case, the product is shipped open so the vendors in question don't have to take the expense of support calls. In that case, I think it's reasonable to have them bear the brunt of the cost of that configuration choice.
I think neither of us knows enough to say. Do you actually know that it shipped open for the vendors' convenience? Do you know whether the customer received any admonition to read the fine manual? For all I know, the customer might have paid $20 extra for a DSL router with "wireless" thinking that sounded Very Cool. We just don't know enough to say. I do know one thing: if CNN covered the story about some family of clueless yutzes having their door kicked in by gun-wielding law enforcement officers because they had their DSL mis-configured, *and* CNN covered the fact that the family had to *pay* for the expenses of the SWAT team, and the door, and their legal defense and the spackle to fix the bullet holes -- well, I bet a few more people would ask their providers, "this hasn't got that wireless stuff that attracts SWAT teams, does it? I don't want any of that..."
> Ah grasshopper, you miss the point. The *life* of a security admin is to take the high road, but the *job* of a security admin is to get his organization to take the high road. That can only be done by ensuring that the executive level knows when it's doing the right thing.
I got that. I think we're violently in agreement on this point. Security experts should help their constituents understand that there is a true path, and help them walk it. Yet, above and beyond that is a truer path, still, which is that of telling people "the true path is for YOU to understand the path, and stop asking ME." :) Put differently: we're too busy trying to explain to lots of execs why the front of their trousers is all damp. Option #1 is to tell them "unzip before you p*ss." Option #2 is to tell them, "you should think before you p*ss." Option #3 is to tell them, "you should understand what you're doing as it affects yourself and others." Which is the true path, sensei?
> I've never been accused of being appeasing, cajoling or stroking by anyone I've ever worked for. I suppose manipulative works when you have to go explain the auditor's conclusions for them in a meeting with the CIO.
I know you haven't. :) That's why I'll share beers with you any time. :)
> > This whole information security thing is eventually going to filter into everyone's consciousness as relevant, but only after there's lots of pain. Unfortunately, it's usually the innocent who bear the brunt of the cost of the great "learning experience".
> Ah, but you've said they're not innocent.
In that case, I was thinking of the poor suckers who were getting spammed as the "innocent".

mjr.

---
(* which begs the question of why Microsoft has not been hauled in by the FTC for claiming on the Windows XP box that you can now "safely and securely access the Internet". Excuse me? Bill, I've got news for you...)