funsec mailing list archives

Re: BBC Crosses The Line Again


From: "Daniel H. Renner" <dan () losangelescomputerhelp com>
Date: Sat, 21 Mar 2009 21:32:24 -0700

Because I'm on the 'front lines' of handling users' problems (in SMBs of 1 to 180 workstations) I've seen what usually 
goes for 'user training' ... at this level of businesses.

What I have found is that most technicians already know why not to do [action] and so either simply state "don't do 
it", skim over the reason not to do it and/or give the reason in a highly technical nature, which does nothing but 
confuse the user who then goes merrily along continuing to do [action].  I've laid off techs that were shocked because 
the user didn't know about [action] - wrong viewpoint.

What I have also found is that _if_ the user understands the reasons why not to do [action] they will stay away from it.

Every single time we have shown why not to do [action] to the user, from the user's viewpoint and with an idea that the 
user really knows absolutely nothing about [action] (or else he/she would probably be a technician and not a user) we 
get another safe user.


Sincerely,

Daniel H. Renner
President
Los Angeles Computerhelp
A division of Computerhelp, Inc.
818-352-8700
http://losangelescomputerhelp.com

"Inactivity is death" - Benito Mussolini
(Even evil dictators know the truth...)


funsec-request () linuxbox org wrote:
Date: Sat, 21 Mar 2009 09:42:32 -0400
From: Rich Kulawiec <rsk () gsp org>
Subject: Re: [funsec] BBC Crosses The Line Again
To: funsec () linuxbox org
Message-ID: <20090321134231.GA30906 () gsp org>
Content-Type: text/plain; charset=us-ascii

On Fri, Mar 20, 2009 at 11:28:15AM -0700, Paul M. Moriarty wrote:
> OK, I'll play devil's advocate.  What's the right way to educate the
> public?  Because security companies have done a piss-poor job to date.

I strongly concur with the latter statement, but note in passing that
it's against the financial interests of most of them to do so...so we
should be very surprised if they did.

However, to answer the question: "none".  The public has proven
itself to be completely ineducable.  As Marcus Ranum correctly pointed
out in "The Six Dumbest Ideas in Computer Security", where he identified
"user education" as one of them:

      If it was going to work, it would have worked by now.

For example, we (for various values of "we") have been telling users
for a very, very long time that they should never respond to a request
for their password(s).  Yet they do -- constantly.

As another example, we have been telling users never to respond to spam.
But they do.  In large numbers.  Consistently.  (This, at least, can
be mitigated by applying blacklist rules to outbound email traffic.)

User education is a fine and noble endeavor.  I've done a lot of it,
as I'm sure many other people here have.  But collectively, we have
almost nothing to show for it.  I think it's (past) time to get on
board with Ranum and stop wasting our time with an approach that's
failed.  Oh, not that *other* approaches might turn out to be equally
fruitless -- they might -- but let's give them their chance to fail.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
