Firewall Wizards mailing list archives

Re: The home user problem returns


From: Mason Schmitt <mason () schmitt ca>
Date: Mon, 12 Sep 2005 10:49:47 -0700

> You know what I find highly ironic in all of this -- and I don't mean to
> pick on you or your ISP -- is that there is a single symptom, a common
> thread that ties together all of these problems you're attempting to combat.
> And that common thread is required or at least preferred by all of the major
> ISPs, and that is Windows desktops.  In other words, ISPs everywhere are
> complicit in their own security and performance headaches.


The irony is not lost on me at all.  In my department, we pick on our
level 1 tech support guys all the time.  One of our digs is that if we
could just get all our customers to buy Macs, they would be out of a job.

In terms of ISPs preferring windows, that's really related to ease of
support.  If you have a single dominant platform and a very limited
number of applications on that platform that you have to support, then
you're miles ahead of a heterogeneous network.  With support being one
of the larger costs of running an ISP, every little bit helps.

> The bitter pill for the clueful is that those people that run a firewall
> appliance or build their own Linux/BSD firewall for their home network
> typically get no support from their ISP.  (If you have Comcast cable like I
> do, you can't even register your cable modem without a Windows box.  That
> was an unpleasant surprise when I moved recently.)


I've heard that happens at some of the larger ISPs.  That again relates
to the sorry state of tech support at most ISPs.

> It is not lost on me that this is all due to market forces beyond the
> control of even the largest ISPs.  But I think we can all agree that this is
> and will continue to be the primary trade-off that those charged (saddled
> with?) network security must live with, at least in the short-term.

I fully agree.  If customers are to run Windows, I wish that we could at
least get them to run XP SP2.  We still have a large percentage of our
customer base running 9x, Me, 2000.  Aside from that, the issue is of
course, that these are not security people.  Which to a certain degree
makes choice of platform less of an issue.  I know that the last thing I
want to see is Linux/BSD in the hands of Joe Noob.  Which takes me right
back to the point I made in an earlier email about home users needing to
be protected.  These people are unlikely to want to learn about computer
security because it doesn't interest them.  I also don't think they
should have to.  What they really need is a tool that allows them to do
what they want to do, while simultaneously providing a base level of
security that is managed by the provider of that system.

I realize I may be sounding a bit hypocritical at this point.  So, I'll
try to clarify.

I don't think people should have to know much about computer security,
"security apps" like anti-virus, firewalls, etc.  I think that computers
should be ubiquitous, non-intrusive and largely trustworthy.  The
problem is that this is so far from current reality as to be easily
confused with fantasy.  So, in our current environment, the home user
has to be involved, simply due to the fact that the tool they are using
has so many wheels and cogs exposed and those wheels and cogs need
constant attention.  That's why the prevailing wisdom seems to be that
computers need sys admins if they are to be maintained properly.


> At the same time, I don't want special treatment from my ISP (I mean, I
> *do*, but I don't want it institutionalized).  I don't want the "secure
> people here, insecure people there" mentality from what is essentially a
> utility.  Nothing personal, but the likelihood that an ISP will properly be
> able to correctly and continually analyze the security stance of anyone's
> home network is slim enough that I'd prefer not to pay more per month for
> them to try (and probably fail).  I can barely do it myself, and I am one of
> 2 users (that I know of) and I built it.


This is where Marcus's comment about reducing the noise to a manageable
level applies.  As well, the idea that multiple levels of low to
moderate defences can add up to a fairly decent defence.  You're right,
looking at home networks from the outside in a largely automated fashion
is not going to be 100% effective in controlling security problems - not
even close.  However, if ISPs implement a number of different defences
they may actually be able to gain some ground without negatively
impacting the vast majority of their customers.  An ISP can never hope
to provide as robust a defence as a more controlled environment such as
a business network, that's not the ISP's job.  However, I think it is
realistic to expect that an ISP can fall within the 80/20 rule, where
they are able to block 80% of the badness.

I have a plan that I'm working through right now that I can share if
anyone is interested.  BTW, does anyone feel I'm going off topic with
this stuff?  Paul keeps letting them through, so maybe that means
something...

--
Mason
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards