Re: The home user problem returns

["Marcus J. Ranum" <mjr () ranum com>]

Paul D. Robertson wrote:
> Educating users to fix the problem doesn't work.  Educating users there 
> *is* a problem seems to work, just not en-mass.

Nope. Because we're dealing with shared environments - so even if you
managed to somehow raise the clue level in 50% of the population it winds
up having almost no effect because the clueless infect the clueful
second-hand. It's really a problem in epidemiology. Imagine if 50% of
your population refused to worry about AIDS yet was capable of having
sex with 1,000,000 different partners a day* - The numbers are all tipped
the wrong direction, for education to work. Spammers have pretty much
proved that.

> We have to take this to the social trenches at some point, or 
> we'll be overrrun.

Some of us have been trying that for a long time, and my magic
8-ball says "Outlook Not Good" and it's not talking about the
mail software from Microsoft. (But it'd be right if it was...)
Trying to point out that it's a social problem brings up this
immediate surge of knee-jerk "HACKING IS COOL!" reaction.
After my "Dumb ideas" article got slashdotted yesterday, I
have an in-box filled with about 250 "u r such a d0rk w3rd"
emails - all reacting to my observation that we need to decouple
hacking ideology from internet security if we want to make
progress. It's not happening and I, for one, am tired of this
fight.

I came up with a really cool mental hack the other day on this
topic, but I haven't figured out how best to approach it. But,
basically, it's the observation that people _HATE_ spammers
and _HATE_ spam. Yet, people seem to _LOVE_ hackers
and think hacking is _COOL_. How did this happen??
System penetrations are actually a bigger pain in the neck
than spam, are approximately as prevalent, and are much
more damaging. But - if you had senior engineers who worked
for anti-spam companies also selling spam-blocker-evasion
tools to spammers, there would be hue and cry. Yet, nobody
(except me and a few of my weird buddies) seem to think
it's a problem that "security researchers" are overlapping
pretty seriously with rootkit/malware/trojan writers. So, what's
going on here? Why are we so upset about something that
is relatively undamaging - to the point where people *CHEER*
when AOL raffles off a spammer's car that was seized - but
everyone in the media does the weewee of joy over some
lame-brain "security researcher" who spends 90% of his
life eating curry and single-stepping through Microsoft
apps in Soft-Ice so he can find an exploit. We call spammers
"scumballs" and "sleaze" and we call hackers "wiz kids" and
"brilliant" and they're the same people, in some cases.

> It's almost tempting to just migrate over to IPv6 space and start again, 
> with small gated communities- even if it's just so we get a 5 year break 
> between storms.

IPv6 will create more problems than it solves. It's too complicated.
My prediction is that they would be finding new DOS attacks against
the stack for 100 years, except it'll never get fielded anyhow.

In 1998 I (seriously) recommended we scrap all the Internet
app-level code and start over, then blame the whole thing on
Y2K. It actually would have worked. ;) A redesign of all the
app-level traffic that is allowed across the Interet would cost
significantly less than companies waste annually on firewalls
and other IP contraceptives. It's not going to happen, though.

> Computer security:  Fighting the digital Alamo from inside the fort.  We 
> know how it's gonna end.

Paul? Wakey-wakey!! It ended in 1994 when we lost the battle
to the browser-writers. We're just fighting because we're shot
full of holes but we're too dumb or stubborn to lie down.

mjr.
(*Did you wince when you read that? I did!) 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards