Re: The home user problem returns

["Marcus J. Ranum" <mjr () ranum com>]

Mason Schmitt wrote:
> I know that somewhere Marcus is getting ready to unfurl his IPS rant
> (/me braces himself).

Wow... Am I that bad? Am I that predictable?  ;)

> A public ISP just cannot be run like a corporate
> network, it's a totally different beast. 

I completely agree!!! You've got a series of contradictory requirements.
There's no way to satisfy them (or even a reasonable percentage of them)
without creating more problems than you solve. Also, I knew an ISP back
in the day (1995) that offered 2 kinds of Internet hookups - one that was
firewalled, virus filtered, etc, and the other of which was wide open. Guess
which one they sold NONE of? Well, that was an easy guess...

> In fact, I know a lot of
> techies that would argue that ISPs should be totally transparent.  In
> this day and age, I consider that view to be selfish and irresponsible.

With the current state of Internet software, it's pointless. It'd be
meaningful to encourage ISPs to filter traffic if there were end-to-end
authenticated links going on, and nothing else. If you want to push
things back far enough, intellectually, the problem is that anonymous
Internet access is being offered. That's the underlying problem. Unless
that particular problem is dealt with (and who'd want to be on the
Internet that would result..?) we will not make progress from where
we are.

> Marcus and most of the rest of you, please keep preaching solid security
> principles to businesses and governments, but when it comes to the home
> user, you're wasting your breath.

We're wasting our breath in general. Businesses are marginally better
than home users - some of them - but governments are sometimes
worse than home users, in my experience. The situation out there is
terrible and shows no sign of improvement, in my opinion.

> As with any security endeavour, a multi faceted or "defence in depth"
> solution is the best solution.

It's really more like a "defeat in depth" because you're accepting that
things will go wrong at every layer in the system. What you're trying
to do is reduce the surge of noise to manageable levels. That is a
worthwhile goal but it puts you right in the middle of the eternal arms
race.

> User education
> ----------------
> User education still needs to happen

Pointless. If educating users was going to work, it would have worked
by now. If Anna Kournikova worm and phishing hadn't gotten people
to take this seriously years ago, they aren't going to next year, either.
If 600 Internet Explorer bugs and 1203 windows bugs* in 5 years didn't
get people to take it seriously, they aren't going to next year, either. Or
the year after that.

OBplug: I just completed an article for "certified security professional"
on "The Six Dumbest Ideas in Computer Security" in which I list
educating users as #5.
http://www.certifiedsecuritypro.com/index.php/content/view/154/56/
or it's linked off http://www.ranum.com
I'll spare posting the entire breathless tirade here.

[...other good stuff, deleted...]
You're still an optimist, aren't you? It's always nice to find an optimist
in Internet security. I feel like a birdwatcher who has seen the last of
some vanishing breed whenever I run across one of you guys. ;)

mjr.
(* source: P-nut) 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards