Re: The home user problem returns

[Mason Schmitt <mason () schmitt ca>]

> > Educating users to fix the problem doesn't work.  Educating users there 
> > *is* a problem seems to work, just not en-mass.
>
> Nope. Because we're dealing with shared environments - so even if you
> managed to somehow raise the clue level in 50% of the population it winds
> up having almost no effect because the clueless infect the clueful
> second-hand.

I think that was Paul's point.  Home users can't be educated to the
point that the problem becomes "fixed".  I don't think they need to be
or should be, so if that's where the effort is being expended, then I
agree - it's a waste of breath.  I do think that over time education
efforts will result in an increase in clue in the vast majority of
people.  If this weren't the case, then there would be no point to
having a public education system...  Not everyone is going to get
straight 'A's, some people will fail, others who are living a hand to
mouth existence, or who's country is too backward or too poor will or
for whatever reason doesn't have education available to the masses will
not learn - which leads nicely to your comment below concerning AIDS.

> It's really a problem in epidemiology. Imagine if 50% of
> your population refused to worry about AIDS yet was capable of having
> sex with 1,000,000 different partners a day* - The numbers are all tipped
> the wrong direction, for education to work. Spammers have pretty much
> proved that.

Well, no, the spammers haven't proven that.  What the spammers have
shown us is that even if they only sucker a minute percentage of the
people that actually receive their crap, that it's financially
worthwhile.  The reason being that the economics of spam allow the
spammers to plunder a public resource (the net) with relative impunity.
 Ecological economists such as Herman Daly, have shown that when you
don't factor in the cost of continual withdrawal from a natural
resource, that your books aren't really balancing.  This is again an
issue that is only going to be rectified by increasing the spammers
costs which many people are working on.

I also don't think the user education problem is an epidemiological one
either.  To suggest that ignorance to a growing and changing computer
security environment is somehow like a rapidly spreading pathogen is a
little bit of a stretch.  If ignorance were infectious, you'd probably
be dead or an idiot right now.  I remember you ripping apart Dan Geer's
mono culture idea that was such a big deal a little while back.  Not
trying to pick a fight here, I just don't get the argument.

> my magic
> 8-ball says "Outlook Not Good" and it's not talking about the
> mail software from Microsoft. (But it'd be right if it was...)

:)

> Trying to point out that it's a social problem brings up this
> immediate surge of knee-jerk "HACKING IS COOL!" reaction.
> After my "Dumb ideas" article got slashdotted yesterday, I
> have an in-box filled with about 250 "u r such a d0rk w3rd"
> emails - all reacting to my observation that we need to decouple
> hacking ideology from internet security if we want to make
> progress. It's not happening and I, for one, am tired of this
> fight.

It's ok to take a break and regroup.  It's also ok to retire.  You have
made progress.  I know that I for one have copies of "Low Carb Security"
and your recent "6 dumbest ideas..." hanging on my wall.  I keep them
there (and re-read them every so often) because they are successful
attempts at distilling the millions of little problems into a few simple
concepts that I can hold onto.  I have learned a ton from this list and
I'm now passing on the little bit that I have learned (and will continue
to learn) to my co-workers, friends and our customers.


> I came up with a really cool mental hack the other day on this
> topic, but I haven't figured out how best to approach it. But,
> basically, it's the observation that people _HATE_ spammers
> and _HATE_ spam. Yet, people seem to _LOVE_ hackers
> and think hacking is _COOL_. How did this happen??

Hollywood, fiction, dumbass teenagers trying to carve out some sort of
identity for themselves, money...  What makes clothing fashions, music,
etc popular?  This is all just part of our society's poorly functioning
machinery.  The fact that you get a deluge of email as a result sucks,
but don't take it personally.

> Yet, nobody
> (except me and a few of my weird buddies) seem to think
> it's a problem that "security researchers" are overlapping
> pretty seriously with rootkit/malware/trojan writers.

You know, if you hadn't pointed this out some time ago, I wouldn't have
given my nagging doubts too much thought, because I figured that these
people are professionals, they know what they are doing.  Silly me.
Again however, I'm going to move a bit closer to the fence on this one,
because despite the undercurrent of money and fame in the security
industry right now, pressure is being applied that is going to force us
to find ways of creating better software.

> (*Did you wince when you read that? I did!) 

Yes..  :P

--
Mason
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards