Firewall Wizards mailing list archives

Re: The home user problem returns

From: Mason Schmitt <mason () schmitt ca>
Date: Tue, 13 Sep 2005 11:36:29 -0700

Educating users to fix the problem doesn't work.  Educating users there 
*is* a problem seems to work, just not en masse.

Exactly right.

Part of the problem is that end-users are *used* to malware.  When the 
computer gets too slow, they call "that person who understands this" to 
come clean off the computer and it's ok for another 2 months.  Partially, 
Microsoft is to blame for taking the reliability out of computer 
software- the levee isn't designed for a big storm, and partially malware 
that doesn't kill its host has made these all tropical storms. (Hey, 
someone had to do the Digital Katrina thing, I've saved everyone else 
the trouble.)

The fact that users are accepting malware is indeed frustrating.  From
the user education perspective, there are two approaches.
1 - Just keep drilling the mantra home (firewall, anti-virus,
anti-spyware, windows updates).  Rinse and repeat.  It has been shown
that constant repetition of a few basic concepts like this does work.
The effectiveness of this approach is amplified when there is personal
interaction between the person reiterating and the person listening.
This is why we need to get more people chanting the mantra.

2 - Just as you said above, let people know there is a problem.  Some
will hear that and it will get them thinking - these are the people that
can make changes before it causes them pain.  Others won't listen.
These are the people that are going to spend the $50+ every couple of
months to get their PC cleaned out and after a while will start getting
upset about it.  Once they have endured enough upset, they will do
something about it.  I have seen this play itself out over and over
again in the 4 years I have worked at this ISP.  What's really
sad/entertaining is that some people need to go through the pain process
for each new threat that emerges.

Anna K. and phishing work(ed) because of the social aspects of their 
delivery- we're still trying to fight a technical battle against a social 
problem.  We have to take this to the social trenches at some point, or 
we'll be overrun.

Sometimes people problems need to be solved entirely in (meat space /
carbon layer / layer8).  Other times people problems can be solved
entirely in layer7 and below.  However, more often than not, a solution
that combines both approaches will be the most effective.  I believe
that's why we typically say that policy should be put in place and then
reinforced using technology.  Where we run into problems is when
either/both side(s) of the coin is/are horribly unbalanced.  Such is the
current state of the onion.  The software sucks and people's
understanding of the Internet sucks.

That was a whole lot of blather about very little...

Try looking at the problem this way.
I know that some of you have been harping on these issues for a long
long time, some even longer than that.  The problem is that while it
seems like a long long time to you, for the general public they are just
now starting to glimpse the issues.

I read somewhere that the general public's understanding of science lags
50 years behind those doing the research.  I'm fairly certain that's
true - possibly even today despite some of the research being available

So, what we have is a combination of hysteresis in public understanding
and an absence, until fairly recently, of a pain stimulus (money).
Getting people to understand is just going to take time - perhaps a fair
bit of time.  But the process of understanding will be accelerated due
to the introduction of a pain stimulus in the form of monetary loss.
Now that we are seeing large scale information theft in the media
(CardSystems), laws concerning disclosure and organized crime getting
involved in online fraud; people/governments/vendors are going to take
notice.  They just needed to feel it before they would react.

Tell him if rants like that didn't work in the past, there's no way 
they'll work now...  No, don't tell him- because all we can do is all we 
can do.  Even if it's not enough, it's still a good fight.

Yes it is, but you need the patience of a mother to be able to keep it up.
 You'll have to keep doing it until the Internet community grows up.
Even then, it will still need to happen, but the message then will be
more sophisticated.  Fortunately, you'll get more and more help along
the way as people start to wake up.  These are just growing pains.  Wait
until the Internet reaches adolescence....
