Full Disclosure mailing list archives
RE: Yes, user education is a lost cause ;-)
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 21 Jan 2004 16:51:38 -0600
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Tobias Weisserth
Sent: Wednesday, January 21, 2004 1:23 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Yes, user education is a lost cause ;-)

> That is right. But it isn't reactive behaviour that will save the day. It is proactive behaviour that will make things easier for us.
Agreed.
> Keeping doors shut by default is one of those proactive measures. "Opportunities make thieves" is a well-known saying in my native language. Meaning: if you leave doors open, then you yourself are responsible that people start stealing from you.
Given this logic then, isn't it the user's fault for leaving the door open on their PC? Do you blame the home builder if the owner leaves the door unlocked? ISTM that your culture teaches you that it's the users' responsibility, not the manufacturers'.
> There is nothing wrong with end users. THEY are the customers. The consumers. Remember? They buy OUR products. WE have to adapt to them, not they to us.
This I completely disagree with. Let me give you a real world example. An individual who owned a small, private airplane entered the plane and took off while so drunk that his alcohol level was three times the legal limit. In his drunken stupor he didn't close the cockpit door and latch it properly. At 10,000 feet the door suddenly popped open, he lost control of the aircraft, crashed and was killed instantly. Is this the aircraft manufacturer's fault? Keep in mind, they *could* have built the plane so that it was impossible to fly unless the door was securely latched. Does the pilot carry any of the blame? Or is the manufacturer entirely at fault? Due to this one "accident", should the manufacturer be forced to redesign the door mechanism? The customer isn't *always* king. Sometimes they are the court jester. As a producer, you have to decide just how far you're willing to go to accommodate idiots, if at all. The customer *isn't* always right, and sometimes the customer is entirely to blame for unforeseen outcomes.
> Imagine an MS Windows XP box as an 18-wheel truck delivered to an 18-year-old with little driving experience. His truck has services running he doesn't need or understand, and he is driving the truck with full administrator rights "out of the box". The truck even has a lever installed next to the gas pedal (labeled "run attachment") which fires the ejector seat without warning the driver. Shouldn't you agree that it is wrong to hand such a vehicle to this 18-year-old? Isn't the one to blame the one who actually permits the 18-year-old to get on the data highway with this thing?
Yes. And that would be the licensing agency, *not* the manufacturer, would it not? Unfortunately, we don't require licensing before operating a computer. Perhaps we should.
> No. We have to improve products so that they are easier to use, cause less confusion and give rise to fewer exploits due to standard end-user behaviour. We have to alter the products, not the users. Users don't pay us to educate them, they pay us to deliver usable products.
I think you are deluding yourself. It isn't possible to design complex products that can be operated without any reference to an instruction set. Furthermore, the users aren't being trained on safe use of computers. They are merely being trained on basic use. It would be the same as teaching someone to drive without explaining what stop signs are, how to merge onto a freeway, what to do in an emergency, etc., etc. Safety training is a basic part of driver training. Why isn't safety training a basic part of computer training? Oh wait, we don't do *any* computer training. We just sell the computer and hand them some books which they will never read. :-)
>> After all, one of the most important parts of our job is writing policy, is it not?

> Yes, but don't we write it in a way such that the end users in our organisation never actually recognise its existence? Don't we try to apply security in a way that blends into their work-flow without requiring constant action on their behalf?
Of course, but not with *no* action on their part! You can't have a successful, secure network without user training and awareness. Otherwise you can put all the technical barricades up that you want, and I can simply call the secretary, tell her I'm with IT, there's something wrong with her account, and ask her to verify her password. So much for your technical barriers!
>> Yes, there will always be some small percentage that are either stupid or combative, but the vast majority just need to understand the risks in order to know how to behave in a secure manner.

> This is science-fiction and in your heart you know it :-) I have to admit that I dream of this too, but in my heart I know this is not the way it is going to be. Ever.
No, actually this exists, right here at UTD. We have a very responsive user group that has been getting educated for seven years now, and they are very aware of security risks, appropriate behavior, etc., etc. Of course we have those who are not. You will always have those. But the vast majority of our users are much more aware now than they were seven years ago, and that's because we have been consistently delivering the same message for seven years. I'm not saying others could do it as easily as we have, but I *am* saying that it is possible. Not with half-hearted, short-term efforts, but with a coordinated, consistent security awareness program.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html