funsec mailing list archives
Re: BBC Crosses The Line Again
From: "Daniel H. Renner" <dan () losangelescomputerhelp com>
Date: Sat, 21 Mar 2009 21:32:24 -0700
Because I'm on the 'front lines' of handling users' problems (in SMBs of 1 to 180 workstations) I've seen what usually goes for 'user training' ... at this level of businesses.

What I have found is that most technicians already know why not to do [action] and so either simply state "don't do it", skim over the reason not to do it and/or give the reason in a highly technical nature, which does nothing but confuse the user, who then goes merrily along continuing to do [action]. I've laid off techs that were shocked because the user didn't know about [action] - wrong viewpoint.

What I have also found is that _if_ the user understands the reasons why not to do [action] they will stay away from it. Every single time we have shown why not to do [action] to the user, from the user's viewpoint and with an idea that the user really knows absolutely nothing about [action] (or else he/she would probably be a technician and not a user), we get another safe user.

Sincerely,

Daniel H. Renner
President
Los Angeles Computerhelp
A division of Computerhelp, Inc.
818-352-8700
http://losangelescomputerhelp.com

"Inactivity is death" - Benito Mussolini
(Even evil dictators know the truth...)

funsec-request () linuxbox org wrote:
> Date: Sat, 21 Mar 2009 09:42:32 -0400
> From: Rich Kulawiec <rsk () gsp org>
> Subject: Re: [funsec] BBC Crosses The Line Again
> To: funsec () linuxbox org
> Message-ID: <20090321134231.GA30906 () gsp org>
> Content-Type: text/plain; charset=us-ascii
>
> On Fri, Mar 20, 2009 at 11:28:15AM -0700, Paul M. Moriarty wrote:
>> OK, I'll play devil's advocate. What's the right way to educate the public? Because security companies have done a piss-poor job to date.
>
> I strongly concur with the latter statement, but note in passing that it's against the financial interests of most of them to do so...so we should be very surprised if they did.
>
> However, to answer the question: "none". The public has proven itself to be completely ineducable. As Marcus Ranum correctly pointed out in "The Six Dumbest Ideas in Computer Security", where he identified "user education" as one of them: If it was going to work, it would have worked by now.
>
> For example, we (for various values of "we") have been telling users for a very, very long time that they should never respond to a request for their password(s). Yet they do -- constantly.
>
> As another example, we have been telling users never to respond to spam. But they do. In large numbers. Consistently. (This, at least, can be mitigated by applying blacklist rules to outbound email traffic.)
>
> User education is a fine and noble endeavor. I've done a lot of it, as I'm sure many other people here have. But collectively, we have almost nothing to show for it. I think it's (past) time to get on board with Ranum and stop wasting our time with an approach that's failed. Oh, not that *other* approaches might turn out to be equally fruitless -- they might -- but let's give them their chance to fail.
>
> ---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- BBC Crosses The Line Again Paul Ferguson (Mar 19)
- Re: BBC Crosses The Line Again Larry Seltzer (Mar 20)
- Re: BBC Crosses The Line Again Paul Ferguson (Mar 20)
- Re: BBC Crosses The Line Again Larry Seltzer (Mar 20)
- Re: BBC Crosses The Line Again Paul M. Moriarty (Mar 20)
- Re: BBC Crosses The Line Again nick hatch (Mar 20)
- Re: BBC Crosses The Line Again Paul Ferguson (Mar 20)
- Re: BBC Crosses The Line Again Larry Seltzer (Mar 20)
- Re: BBC Crosses The Line Again Paul M. Moriarty (Mar 20)
- Re: BBC Crosses The Line Again Valdis . Kletnieks (Mar 20)
- Re: BBC Crosses The Line Again Rich Kulawiec (Mar 21)
- <Possible follow-ups>
- Re: BBC Crosses The Line Again Daniel H. Renner (Mar 21)