Firewall Wizards mailing list archives
RE: The home user problem returns
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 13 Sep 2005 19:21:11 -0400
Scott Pinzon wrote:
Marcus [...] I can't help feeling, in my pipsqueak opinion, that on this one you're way off base.
For years and years I have been longing for someone to come along and convince me that I'm wrong. I'd love to be wrong about this stuff, because it'd mean the world was a whole lot better place than I think it is. So - bring it:
-- Ignorance is never better than knowledge in any realm. But particular to network security, my experience is that most clueless users are also people of good will who will cease dangerous behaviors once they understand those behaviors ARE dangerous.
I think you must be a smart person. Smart people tend to value knowledge because, well, it's something that happens to you as you're smart. It's your coinage, if you will. It's always a shock when you realize that most people don't. (*)
-- Educating users is another layer in "Defense in depth." If 10 out of 100 users click evil email attachments, and through education you reduce that to 3 out of 100, you've improved that layer.
You've improved it, but does it matter? That's my question. 1 idiot clicking attachments can infect 10,000 other idiots a day. If you reduce the idiot count from 10%, as you say, to 3% in an organization of 1000 people, you've dropped from 100 idiots who click attachments to 30. And those 30 will still send 300,000 emails a day and your mail server will still detonate. And, since one of those idiots is probably your CTO, all of your execs in his management chain will probably get infected, too....
-- Educating users has been proven to work at company after company. Help desk calls, viral infections, falling victim to phishing emails, and more, have been quantitatively and demonstrably reduced at companies that institute end-user security training.
The problem with such measures is that you can't really tell how much of that is a result of the training and how much is a result of normal "aversive experience." For example, my mom has never had any computer security training but after the first time her machine got wiped by her IT guy (that's me) now she's a lot more careful about spyware.
-- And how do you know "it" (educating end users) is not working? We have no before/after comparison on what the Internet would be like if all of us who preach security had stopped five years ago.
You can ask the exact same question in reverse, though, right? "If it was working, how come we still have Internet security problems?" Surely everyone has heard of them, by now. Surely everyone in the US has heard of Identity Theft by now, etc. This is one of those nasty intractables because you can't really get a grip on the effectiveness of solutions because there's no control group - we're working with entire populations. I like to think of this problem as being similar to patching a leaky roof. Well, you OBVIOUSLY are getting less water in the holes that you've patched but it's hard to reason accurately about whether you're much better off anyhow. In fact, patching your roof may distract you from replacing your roof entirely. That's how I conceptualize it, anyhow. I know it's an analogy and I hate them but that's how that problem fits in Marcus-land.
Maybe I'm misunderstanding you, but my take-away from your blog article is that you are so discouraged by end-user ignorance, you think we should all stop wasting our breath on them.
Would you like to ghost-write for me? That's a GREAT way of putting it.
Your recommendation is that we set up an environment through quarantining and what-not where users have no opportunity to hurt themselves.
Sort of, yeah. I think I'd say that it's probably more cost-effective to simply keep users from hurting themselves than to teach them how not to hurt themselves. I.e: "Sit the F down. Shut the F up. Don't ask any questions. This is your browser. It's called 'Zen4' and it only knows how to render GIF, PNG, JPEG, CSS, and HTML. If you go to a website and it doesn't display properly, you went to a bad website. This is your Email client. It uses Zen4 to render anything you get. Anything it can't render, you won't see because the spam blocker will have already junked it for you. Have fun and thanks for working for Marcus-Land, where the user comes last and the customer comes first!"
In rebuttal, I cite the crusty old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T (through technology) create an environment where clueless users can't hurt themselves.
My, that's a depressing thought. :(
To keep a network secure, we need users on our side. We can get them there if we try.
My, that's an even more depressing thought. As an ex-sysadmin, I can assure you that I've spent many years filled with the awareness that my users are not only stupid, they're actively out to get me any chance they can. They are not on my side. Even when they pretend to be on my side, I know that the cookies they leave on my desk are loaded with rat-poison so I'll die _after_ I restore the file they deleted but not a minute before. And they all want root.
Am I really the only one on this list who thinks so? Or Marcus, did I misinterpret you?
You didn't misinterpret me. Sounds like you're another one of those "optimist" things I keep hearing about. Maybe we should preserve you in a big jar of formaldehyde so that all the firewall-wizards can point you out to the newly-minted CISSPs, "Look... This is a computer security optimist that we found. We think he somehow survived the big asteroid strike... There are rumors there may be others, still living in the deep jungles..."

mjr.

---

(* I read some scary stats in this month's LensWork that I found hard to believe but ..
- 1/3 of high school students never read another book in their lives
- 42% of college graduates never read another book after college
- 80% of US families did not buy or read a book last year
- 70% of US adults have not been in a bookstore in the last 5 years
- 57% of new books bought are never read to completion
Claimed source: Harold Jenkins www.jenkinsgroup.com)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards