Firewall Wizards mailing list archives

RE: Hopefully not too OT


From: Chris Blask <chris () blask org>
Date: Fri, 06 May 2005 09:41:18 -0400

Hi folks!

At 12:56 PM 5/5/2005, Paul D. Robertson wrote:
On Tue, 3 May 2005 MHawkins () TULLIB COM wrote:

> For some reason, most people look at their computer and think it is
> inherently safe in the world. But when they look at almost anything else
> they use or own, they intuitively see and know it is at risk at all times.

No, they don't.

Well, they kinda do. The continued existence of their possessions is a reliable test of the effectiveness of the security applied to those assets - whether they take the time to think consciously about the equation or not - so they find a level of operational security for those assets that they can feel comfortable with.

Where electronic assets diverge is that their owners cannot achieve the same level of comfort just by seeing that those assets are still in their possession from day to day. For all they know those assets have also already been stolen or compromised. It's like knowing that, while you see your car in your garage every day, it may dissolve next time you touch it because all the metal has been stolen out from underneath the paint. People don't know what they have to do to feel comfortable about the security of their virtual assets, so they either get fanatical about it or ignore it entirely (more often the latter, for lack of comprehensible expertise).

> Car, house, boat, family, wine collection, iPod - they are all seen as being

Boats, planes, cars and iPods are generally "easy" to steal.  Houses are
generally easy to get into.  Very few people can live with strong security
controls, so they go with "good enough" until they get burned, then they
look for more in a reactive manner.

That's not intrinsically a bad thing, though. You want to secure your house? Leave your porch light on. That may be good enough that your home is not broken into during your lifetime. If you have the only home in the neighborhood without bars in the windows, put some bars up and/or fix the neighborhood. There isn't enough resource in the global economy to put military security in every person's home, it isn't necessary pragmatically, and even attempting to go down that road is imho missing the interesting points about humanity (one pertinent point: "humans excel at calculating acceptable risk and transforming inanimate material and situational opportunities into fantastic creations despite such risk").

Consumers are not to blame for failing to deploy electronic security - we are. When and as we deliver security products that non-computer folks can grok, they consume them. When and as we deliver security products that non-computer folks cannot understand the tangible value in, they do not consume them.

We have a lot of work to do to ensure this electronic communication thingy doesn't collapse from dry-rot, but I don't think it is about to fall into its basement just yet.

> Why do people think differently of their computers?

They don't.  People don't think about security until they're in an
obviously insecure situation or anxiety gets to them.  Thus, as security
professionals, our job is to both INCREASE and DECREASE their anxiety.

aargh.

You don't have to freak people out to sell bullet-proof windows in south-central LA - you just have to convince them that they can afford them and that they will work.

Our job is to decrease their anxiety, and the success of our efforts is measured by our ability to do so.

-woof!

-chris


Chris Blask
chris () blask org
blaskworks.blogspot.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

