Firewall Wizards mailing list archives

Re: The home user problem returns


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 27 Sep 2005 21:45:19 +0530

On 19/09/05 19:36 -0700, tbird () precision-guesswork com wrote:

[Warning: long, meandering response]

Quoting Elizabeth Zwicky <zwicky () greatcircle com>:


On Sep 13, 2005, at 12:23 PM, Tina Bird wrote:
i disagree. i don't know *anyone* who willingly makes a fundamental,
significant change in their behavior without pain as a motivator.

On the one hand, I agree with Tina -- people change their OWN
behavior based on their OWN pain. On the other hand, this insight
leads people to some terrible attempts at training, because people
(dogs, cats, octopus, anything with a brain of reasonable size)
do not respond effectively to imposed pain. Positive training
methods always work better on long-term measures.

correct, as we expect from elizabeth :-) most of the time when i'm 
presenting the use of endpoint enforcement techniques to system
administrators (the folks who will be managing the systems) and their
end users, i start by describing it as a reward system for proper 

From my PoV, the problem is that the pain and the rewards are for the IT
department. The end user suffers from much less pain. However, the
problem is caused by end users (and management which thinks itself to be
above the rules).

Corporate end users have an IT staff to manage their work systems. Home 
systems today are networked, and have the same complex issues that corporate
systems do (or even more complexity). However, there is no _trained_ IT
staff to manage those systems. Positive training works when there is a
real reward. 

What is the reward for a home user to participate in security, when the 
only visible cost is of formatting and reinstalling the PC every few months? 
The price is a significant investment in time, and the tradeoff is not always 
in favour of security. 

configuration, rather than a punishment system against incorrect or 
compromised configurations. it's the same as the artificial ignorance 
approach to log management, or good ol' deny all firewall
rules. the list of "things that absolutely ought to be configured this way" 
is shorter than the list of all possible things that should be prohibited.

so of *course* most folks won't want to do that.

Or it is just too complicated to do things the right way [1]. People use
applications (and design protocols) without considering security. Some
designs work when targeted for a small, trustworthy crowd. But they
don't work when there are non-trustworthy users.

Unfortunately, there is also a growing culture of avoiding
critical thinking. I have no idea why this is so, but the majority of
people I know don't stop and think through the consequences of their
actions.

unfortunately, i am consistently told by marketing folks and journalists 
that rewarding the right behavior isn't sexy enough to be newsworthy. 
apparently selling "a kick ass system for maintaining proper system config,
and simplifying enterprise desktop management" doesn't work - but "scan and 
block" or "worm preventers" or "quarantine solutions" will. i think it's

People tend to be optimists. They don't expect things to go wrong. If
people were to apply the same rules to driving cars as they should apply
to running networked computers, then they would all be driving tanks [2].

absurd, that stupid reactive approach to life. it was much easier to get
the UNIX sys admins to adopt security mechanisms by pointing out how much
easier they make system management, but apparently that's not always a
good sell for the desktop folks. i don't get it.

I have a suspicion it has a lot to do with the way people learnt to
manage their systems securely. From what I have read of computing history,
Unix was insecure until the Morris worm. At that point of time, there
were few systems on the Internet, and most of them had competent
administrators. The next generation of administrators learnt from the
people who were bitten and was generally competent as well. This drove a
culture of security into Unix administrators. 

Also, Unix offers some excellent automation tools. This generally makes
the sysadmins more tolerant to scripting and automating tasks.

There is a pretty large number of users who are growing up with Linux,
and have no clue about security either. At this point, the only saving
grace is that they are still discouraged from running regularly as root.

Microsoft made its systems easy to manage for the single desktop scenario, 
by people who did not have sufficient skills or experience. This went
over into the corporate world, where single user desktops remained
common until a few years ago. Microsoft did not encourage a scripting
and automation culture either. This meant that a very large part of the
Windows administrator population is simply not familiar with the power
of scripting, and has been taught that the command line is arcane and
difficult.

They have learnt that bad things always happen, and reacting to them is
the only way to make sure things work again.

I have also seen an unfortunate tendency in home users to shrug off the
responsibility of managing their systems to the ISP or anyone else. "Not
my responsibility" is a popular refrain.

Perhaps a bit of media thrust is needed for this to be fixed?

Devdas Bhagat

[1] Default allow is easier to get new things working with than default
deny, which requires actual research into what is being done. 
[2] Ignoring those SUV-driving Americans.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards