RE: Yes, user education is a lost cause ;-)

["Schmehl, Paul L" <pauls () utdallas edu>]

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> Tobias Weisserth
> Sent: Wednesday, January 21, 2004 1:23 PM
> To: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Yes, user education is a lost cause ;-)
>
> That is right. But it isn't reactive behaviour that will save the day.
> It is proactive behaviour that will make thing easier for us.
Agreed.
 
> Keeping doors shut by default is one of those proactive measures.
> "Opportunities make thieves." is a well known saying in my 
> native language. Meaning: if you leave doors open then you 
> yourself are responsible that people start stealing from you.
Given this logic then, isn't it the user's fault for leaving the door
open on their PC?  Do you blame the home builder if the owner leaves the
door unlocked?  ISTM that your culture teaches you that it's the users'
responsibility, not the manufacturers'.
> There is nothing wrong with end users. THEY are the 
> customers. The consumers. Remember? They buy OUR products. WE 
> have to adapt to them, not they to us.
This I completely disagree with.  Let me give you a real world example.
An individual who owned a small, private airplane entered the plane and
took off while so drunk that his alcohol level was three times the legal
limit.  In his drunken stupor he didn't close the cockpit door and latch
it properly.  At 10,000 feet the door suddenly popped open, he lost
control of the aircraft, crashed and was killed instantly.

Is this the aircraft manufacturer's fault?  Keep in mind, they *could*
have built the plane so that it was impossilbe to fly unless the door
was securely latched.  Does the pilot carry any of the blame?  Or is the
manufacturer entirely at fault?  Due to this one "accident", should the
manufacturer be forced to redesign the door mechanism?

The customer isn't *always* king.  Sometimes they are the court jester.
As a producer, you have to decide just how far you're willing to go to
accommodate idiots, if at all.  The customer *isn't* always right, and
sometimes the customer is entirely to blame for unforeseen outcomes.
> Imagine an MS Windows Xp box as a 18 wheel truck delivered to 
> a 18 year old with little driving experience. His truck has 
> services running he doesn't need and understand, he is 
> driving the truck with full administrator rights "out of the 
> box". The truck even has a lever installed next to the gas 
> pedal (labeled with "run attachment") which executes the 
> ejector seat without warning the driver. Shouldn't you agree 
> that it is wrong to hand such a vehicle to this 18 year old? 
> Isn't the one to blame who actually permits the 18 year old 
> to get on the data highway with this thing?
Yes.  And that would be the licensing agency, *not* the manufacturer,
would it not?  Unfortunately, we don't require licensing before
operating a computer.  Perhaps we should.
> No. We have to improve products so that they are easier to 
> use and cause less confusion and cause to exploits due to 
> standard end user behaviour.
> We have to alter the products, not the users. Users don't pay 
> us to educate them, they pay us to deliver usable products.
I think you are deluding yourself.  It isn't possible to design complex
products that can be operated without any reference to an instruction
set.  Furthermore, the users aren't being trained on safe use of
computers.  They are merely being trained on basic use.  It would be the
same as teaching someone to drive without explaining what stop signs
are, how to merge onto a freeway, what to do in an emergency, etc., etc.
Safety training is a basic part of driver training.  Why isn't safety
training a basic part of computer training?  Oh wait, we don't do *any*
computer training.  We just sell the computer and hand them some books
which they will never read.  :-)
 
> > After all, one of the most important parts of our job is 
> writing policy, is it not?
>
> Yes, but don't we write it in a way such as the end users in 
> our organisation never actually recognise their existence? 
> Don't we try to apply security in a way that blends into the 
> their work-flow without requiring constant action on their behalf?
Of course, but not with *no* action on their part!  You can't have a
successful, secure network without user training and awareness.
Otherwise you can put all the technical barricades up that you want, and
I can simply call the secretary, tell her I'm with IT, there's something
wrong with her account, and ask her to verify her password.  So much for
your technical barriers!
> > Yes, there will always be some small percentage that are 
> either stupid 
> > or combative, but the vast majority just need to understand 
> the risks 
> > in order to know how to behave in a secure manner.
>
> This is science-fiction and in your heart you know it :-)
>
> I have to admit that I dream of this too, but in my heart I 
> know this is not the way it is going to be. Ever.
No, actually this exists, right here at UTD.  We have a very responsive
user group that has been getting educated for seven years now, and they
are very aware of security risks, appropriate behavior, etc., etc.  Of
course we have those who are not.  You will always have those.  But the
vast majority of our users are much more aware now than they were seven
years ago, and that's because we have been consistently delivering the
same message for seven years.  I'm not saying others could do it as
easily as we have, but I *am* saying that it is possible.  Not with
half-hearted, short-term efforts, but with a coordinated, consistent
security awareness program.
 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html