Re: The home user problem returns

[Mason Schmitt <mason () schmitt ca>]

> > It seems that there are two primary ways in which people
> > change.  Either
> > they make a conscious choice to change prior to a problem
> > getting out of
> > hand (requires knowledge that there is an impending problem and
> > knowledge of how to avoid the problem) or they endure more
> > and more pain
> > until they are forced to look at the problem and finally make
> > a choice.
>
>
> i disagree. i don't know *anyone* who willingly makes a fundamental,
> significant change in their behavior without pain as a motivator. for
every
> example of your first category that you can present, i can *probably*
> demonstrate that the "apparent" change is really an example of the person
> behaving consistently with some deeper part of their personality, which
> isn't changing.

Whether you believe the first kind of choice exists or not doesn't
really matter.  Perhaps I just like to believe that it does so that I
can have a bit more faith in the intelligence (latent intelligence?) of
humanity. :)

At any rate, I'm glad that you believe change due to pain is possible.
Just to be clear, I don't mean pain forced upon someone, I mean pain
that people experience as a result of their own action or inaction.

> so for me, the question is, how do we influence the *consequences* of
badly
> configured or managed machines - wherever they are, on corporate
networks or
> the internet - in order to create the change we want? how do we create a
> beneficial sort of pain?

It's already happening, we don't have to do anything to cause further
pain.  What we need to do is to have solutions and answers ready for
when people start looking for them.  That's why I said earlier that we
need to keep pushing forward, while still reaching out to see if anyone
is ready to listen yet.


> when i'm dealing with my relatives, i just change the configuration of
their
> computer when i'm visiting. that's not exactly a motivator, but hey, their
> machines are fully patched :-)

I do the same thing.  I usually also follow up by telling my mom or dad
why I did it and take that as an opportunity to tell them a bit about
what other things they may want to think about to help protect themselves.

> it's why i'm so interested in NAC and NAP and other sorts of enterprise
> technologies that let me use network connectivity as the bribe to get
> machines configured the way i want them. i'm creating pain for the end
user
> by not letting them get to the web without doing what i want - the
height of
> security admin arrogance, i'm sure, but i try to be reasonable in my
> expectations.

Arrogant maybe.  Intrusive probably.  However, I still think it's a
great idea.  That's kind of what I've been looking at except that I have
to be more reactive than proactive, so I'm planning to go with the leper
colony or penalty box idea.

--
Mason
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards