Firewall Wizards mailing list archives
Re: The home user problem returns
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 27 Sep 2005 21:45:19 +0530
On 19/09/05 19:36 -0700, tbird () precision-guesswork com wrote:
> [Warning: long, meandering response]
>
> Quoting Elizabeth Zwicky <zwicky () greatcircle com>:
> > On Sep 13, 2005, at 12:23 PM, Tina Bird wrote:
> > > i disagree. i don't know *anyone* who willingly makes a fundamental,
> > > significant change in their behavior without pain as a motivator.
> >
> > On the one hand, I agree with Tina -- people change their OWN behavior
> > based on their OWN pain. On the other hand, this insight leads people to
> > some terrible attempts at training, because people (dogs, cats, octopus,
> > anything with a brain of reasonable size) do not respond effectively to
> > imposed pain. Positive training methods always work better on long-term
> > measures.
>
> correct, as we expect from elizabeth :-) most of the time when i'm
> presenting the use of endpoint enforcement techniques to system
> administrators (the folks who will be managing the systems) and their end
> users, i start by describing it as a reward system for proper
From my PoV, the problem is that the pain and the rewards are for the IT department. The end user suffers from much less pain. However, the problem is caused by end users (and management which thinks itself to be above the rules). Corporate end users have an IT staff to manage their work systems. Home systems today are networked, and have the same complex issues that corporate systems do (or even more complexity). However, there is no _trained_ IT staff to manage those systems.

Positive training works when there is a real reward. What is the reward for a home user to participate in security, when the only visible cost is of formatting and reinstalling the PC every few months? The price is a significant investment in time, and the tradeoff is not always in favour of security.
> configuration, rather than a punishment system against incorrect or
> compromised configurations. it's the same as the artificial ignorance
> approach to log management, or good ol' deny all firewall rules. the list
> of "things that absolutely ought to be configured this way" is shorter
> than the list of all possible things that should be prohibited. so of
> *course* most folks won't want to do that.
Or it is just too complicated to do things the right way [1]. People use applications (and design protocols) without considering security. Some designs work when targeted for a small, trustworthy crowd. But they don't work when there are non-trustworthy users. Unfortunately, there is also a growing culture of avoiding critical thinking. I have no idea why this is so, but the majority of people I know don't stop and think through the consequences of their actions.
> unfortunately, i am consistently told by marketing folks and journalists
> that rewarding the right behavior isn't sexy enough to be newsworthy.
> apparently selling "a kick ass system for maintaining proper system
> config, and simplifying enterprise desktop management" doesn't work - but
> "scan and block" or "worm preventers" or "quarantine solutions" will. i
> think it's
People tend to be optimists. They don't expect things to go wrong. If people were to apply the same rules to driving cars as they should apply to running networked computers, then they would all be driving tanks [2].
> absurd, that stupid reactive approach to life. it was much easier to get
> the UNIX sys admins to adopt security mechanisms by pointing out how much
> easier they make system management, but apparently that's not always a
> good sell for the desk top folks. i don't get it.
I have a suspicion it has a lot to do with the way people learnt to manage their systems securely. From what I have read of computing history, Unix was insecure until the Morris worm. At that point in time, there were few systems on the Internet, and most of them had competent administrators. The next generation of administrators learnt from the people who were bitten and was generally competent as well. This drove a culture of security into Unix administrators. Also, Unix offers some excellent automation tools. This generally makes the sysadmins more tolerant of scripting and automating tasks.

There is a pretty large number of users who are growing up with Linux, and have no clue about security either. At this point, the only saving grace is that they are still discouraged from running regularly as root.

Microsoft made its systems easy to manage for the single desktop scenario, by people who did not have sufficient skills or experience. This went over into the corporate world, where single user desktops remained common until a few years ago. Microsoft did not encourage a scripting and automation culture either. This meant that a very large part of the Windows administrator population is simply not familiar with the power of scripting, and has been taught that the command line is arcane and difficult. They have learnt that bad things always happen, and reacting to them is the only way to make sure things work again.

I have also seen an unfortunate tendency in home users to shrug off the responsibility of managing their systems to the ISP or anyone else. "Not my responsibility" is a popular refrain. Perhaps a bit of media thrust is needed for this to be fixed?

Devdas Bhagat

[1] Default allow is easier to get new things working with than default deny, which requires actual research into what is being done.
[2] Ignoring those SUV driving Americans.
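The "artificial ignorance" approach to log management that the quoted text likens to deny-all firewall rules, as an added example that is not part of this thread: a short allowlist of known-routine messages is maintained, and every log line that matches none of them is surfaced for a human to look at. The syslog lines and the patterns are constructed for illustration.

```python
import re

# Constructed sample syslog lines (an assumption, not from the original post).
SAMPLE_LOG = """\
Sep 27 21:40:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Sep 27 21:40:05 host sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Sep 27 21:41:17 host sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Sep 27 21:42:00 host kernel: eth0: link is up
Sep 27 21:43:09 host sshd[2251]: Accepted publickey for alice from 10.0.0.5 port 51030 ssh2
Sep 27 21:44:30 host su: FAILED SU (to root) bob on /dev/pts/2
"""

# The short allowlist: messages that were looked at once and judged routine.
# Everything else is "interesting" and gets surfaced, the way a deny-all
# firewall surfaces any flow that was not explicitly permitted.
KNOWN_NORMAL = [
    r"CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.\w+\)$",
    r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+ port \d+ ssh2$",
    r"kernel: eth0: link is up$",
]

# Classic syslog prefix: "Mon DD HH:MM:SS hostname " before the program field.
_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")


def message_of(line):
    """Drop the timestamp/host prefix so patterns match only the message text."""
    return _PREFIX.sub("", line.strip())


def artificial_ignorance(log_text, known_normal=KNOWN_NORMAL):
    """Return the log lines that match none of the known-normal patterns."""
    compiled = [re.compile(p) for p in known_normal]
    leftovers = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = message_of(line)
        if not any(rx.search(msg) for rx in compiled):
            leftovers.append(line)
    return leftovers


if __name__ == "__main__":
    for line in artificial_ignorance(SAMPLE_LOG):
        print(line)
```

Each surfaced line is either a real event worth acting on or a new routine message, in which case a pattern is added to the allowlist and it never appears again; the allowlist stays short because only what is known to be normal goes into it.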
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards