Firewall Wizards mailing list archives
Re: The home user problem returns
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 13 Sep 2005 11:11:57 -0400
Paul D. Robertson wrote:
Educating users to fix the problem doesn't work. Educating users there *is* a problem seems to work, just not en masse.
Nope. Because we're dealing with shared environments - so even if you managed to somehow raise the clue level in 50% of the population it winds up having almost no effect because the clueless infect the clueful second-hand. It's really a problem in epidemiology. Imagine if 50% of your population refused to worry about AIDS yet was capable of having sex with 1,000,000 different partners a day* - The numbers are all tipped the wrong direction, for education to work. Spammers have pretty much proved that.
We have to take this to the social trenches at some point, or we'll be overrun.
Some of us have been trying that for a long time, and my magic 8-ball says "Outlook Not Good" and it's not talking about the mail software from Microsoft. (But it'd be right if it was...) Trying to point out that it's a social problem brings up this immediate surge of knee-jerk "HACKING IS COOL!" reaction. After my "Dumb ideas" article got slashdotted yesterday, I have an in-box filled with about 250 "u r such a d0rk w3rd" emails - all reacting to my observation that we need to decouple hacking ideology from internet security if we want to make progress. It's not happening and I, for one, am tired of this fight. I came up with a really cool mental hack the other day on this topic, but I haven't figured out how best to approach it. But, basically, it's the observation that people _HATE_ spammers and _HATE_ spam. Yet, people seem to _LOVE_ hackers and think hacking is _COOL_. How did this happen?? System penetrations are actually a bigger pain in the neck than spam, are approximately as prevalent, and are much more damaging. But - if you had senior engineers who worked for anti-spam companies also selling spam-blocker-evasion tools to spammers, there would be hue and cry. Yet, nobody (except me and a few of my weird buddies) seems to think it's a problem that "security researchers" are overlapping pretty seriously with rootkit/malware/trojan writers. So, what's going on here? Why are we so upset about something that is relatively undamaging - to the point where people *CHEER* when AOL raffles off a spammer's car that was seized - but everyone in the media does the weewee of joy over some lame-brain "security researcher" who spends 90% of his life eating curry and single-stepping through Microsoft apps in Soft-Ice so he can find an exploit. We call spammers "scumballs" and "sleaze" and we call hackers "wiz kids" and "brilliant" and they're the same people, in some cases.
It's almost tempting to just migrate over to IPv6 space and start again, with small gated communities- even if it's just so we get a 5 year break between storms.
IPv6 will create more problems than it solves. It's too complicated. My prediction is that they would be finding new DOS attacks against the stack for 100 years, except it'll never get fielded anyhow. In 1998 I (seriously) recommended we scrap all the Internet app-level code and start over, then blame the whole thing on Y2K. It actually would have worked. ;) A redesign of all the app-level traffic that is allowed across the Internet would cost significantly less than companies waste annually on firewalls and other IP contraceptives. It's not going to happen, though.
Computer security: Fighting the digital Alamo from inside the fort. We know how it's gonna end.
Paul? Wakey-wakey!! It ended in 1994 when we lost the battle to the browser-writers. We're just fighting because we're shot full of holes but we're too dumb or stubborn to lie down.
mjr.
(*Did you wince when you read that? I did!)
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards