Firewall Wizards mailing list archives

RE: The home user problem returns

From: "Scott Pinzon" <Scott.Pinzon () watchguard com>
Date: Tue, 13 Sep 2005 10:09:40 -0700

I've been watching with a certain morbid fascination as Marcus has
ranted in his own blog and in FW-WIZ (and who knows where else) that
educating users about security is one of the "dumbest ideas" and "if it
was ever going to work, it would have by now." I have tremendous respect
for you, Marcus (epecially since you have, I dunno, six times the years
in computer security that I do). But I can't help feeling, in my
pipsqueak opinion, that on this one you're way off base.

 My reasoning, in short: 

-- Ignorance is never better than knowledge in any realm. But particular
to network security, my experience is that most clueless users are also
people of good will who will cease dangerous behaviors once they
understand those behaviors ARE dangerous.

-- Educating users is another layer in "Defense in depth." If 10 out of
100 users click evil email attachments, and through education you reduce
that to 3 out of 100, you've improved that layer.

-- Educating users has been proven to work at company after company.
Help desk calls, viral infections, falling victim to phishing emails,
and more, have been quantitatively and demonstrably reduced at companies
that institute end-user security training. 

-- And how do you know "it" (educating end users) is not working? We
have no before/after comparison on what the Internet would be like if
all of us who preach security had stopped five years ago.  

Maybe I'm misunderstanding you, but my take-away from your blog article
is that you are so discouraged by end-user ignorance, you think we
should all stop wasting our breath on them. Your recommendation is that
we set up an environment through quarantining and what-not where users
have no opportunity to hurt themselves. In rebuttal, I cite the crusty
old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
(through technology) create an environment where clueless users can't
hurt themselves. To keep a network secure, we need users on our side. We
can get them there if we try.

Am I really the only one on this list who thinks so? Or Marcus, did I
misinterpret you?


SCOTT PINZON, CISSP
Editor-in-Chief, LiveSecurity Service
WatchGuard Technologies, Inc.
505 5th Ave. South | Suite 500 | Seattle | WA | 98104
206.613.6648

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul D.
Robertson
Sent: Tuesday, September 13, 2005 7:48 AM
To: Chris Blask
Cc: Mason Schmitt; Marcus J. Ranum; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] The home user problem returns

On Mon, 12 Sep 2005, Chris Blask wrote:

The problem is that, without any sort of identity (and there is 
exactly 0.0000% of net traffic using anything worth calling identity),

it is impossible to treat Identified traffic and Anonymous traffic 
differently, as they logically deserve.


Two words:  Identity Fraud.

Decentralized, distributed responsibility.  If I own an auth server 
then I am responsible for the activities of those who use it.  If I


You're willing to be responsible for your user's behavior?  After
they're Trojaned?

Just like the encryption boundary problem that is the reason SSL is
severely broken as a concept, the use of identity can't be done in a
system that's not closed, and we don't have the methods, technologies or
wherewithall to close the software, transport and physical endpoints
everywhere.

Paul
------------------------------------------------------------------------
-----
Paul D. Robertson      "My statements in this message are personal
opinions
paul () compuwar net       which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

RE: The home user problem returns, (continued)
- - - RE: The home user problem returns Hile . William (Sep 22)
    - RE: The home user problem returns Jim Seymour (Sep 13)
- Re: The home user problem returns Mason Schmitt (Sep 13)
  - RE: The home user problem returns Brian Loe (Sep 13)
  - Re: The home user problem returns R. DuFresne (Sep 13)
    - Re: The home user problem returns Mason Schmitt (Sep 13)
    - RE: The home user problem returns lordchariot (Sep 13)
- RE: The home user problem returns Behm, Jeffrey L. (Sep 13)
  - Re: The home user problem returns Mason Schmitt (Sep 13)
  - RE: The home user problem returns Jim Seymour (Sep 13)
- RE: The home user problem returns Scott Pinzon (Sep 13)
  - RE: The home user problem returns hermit921 (Sep 13)
    - RE: The home user problem returns Jim Seymour (Sep 13)
    - Mitigating MS risks [Was: home users] Tina Bird (Sep 14)
    - RE: The home user problem returns StefanDorn (Sep 22)
  - RE: The home user problem returns Paul D. Robertson (Sep 13)
    - RE: The home user problem returns Tina Bird (Sep 13)
    - RE: The home user problem returns David Lang (Sep 14)
    - Re: The home user problem returns Michael Cassidy (Sep 22)
  - RE: The home user problem returns R. DuFresne (Sep 13)
  - RE: The home user problem returns Brian Loe (Sep 22)

(Thread continues...)