
Monday, September 12, 2005

firewall-wizards digest, Vol 1 #1660 - 4 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: The home user problem returns (Antonomasia)
2. Re: The home user problem returns (Marcus J. Ranum)
3. Re: The home user problem returns (Mason Schmitt)
4. Re: The home user problem returns (Mason Schmitt)

--__--__--

Message: 1
Date: Thu, 08 Sep 2005 22:29:36 +0100
To: mason@schmitt.ca, firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
From: ant@notatla.org.uk (Antonomasia)

From: mason@schmitt.ca

Those sound like good ideas.

> Getting away from people oriented approaches now. I'm planning to set up a
> "leper colony" (kudos to whomever coined that term. I also hope I'm not
> offending anyone...). The idea is simply to quarantine obviously infected
> machines from the rest of our network, and preferably from other members

There should be a charge for each occurrence of this. Give it a more acceptable
name and teach the customers it's a service like towing their car out of a ditch.

> immediately upon seeing spam from a spam zombie - even if
> the zombie is attempting to relay through our smarthost
> as opposed to the usual direct-to-mx spam zombie activity.

That should be easy to detect according to Richard Clayton.
http://www.cl.cam.ac.uk/users/rnc1/extrusion.pdf
see also http://www.cl.cam.ac.uk/users/rnc1/incoming.pdf

And in another mail:
> Marcus and most of the rest of you, please keep preaching solid security
> principles to businesses and governments,

On a good day they pay twice as much attention as the home users.

I could make a game of writing down things that happen at work and people
guessing which ones are true.

--
##############################################################
# Antonomasia ant notatla.org.uk #
# See http://www.notatla.org.uk/ #
##############################################################
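Added example, not part of the digest or of Clayton's papers: one way a defender could spot a customer host that is pushing zombie spam through the ISP smarthost (the case Mason describes and Antonomasia calls easy to detect), and so feed the "leper colony" quarantine decision. The log format, the sample lines and the thresholds are all constructed for this illustration; a real deployment would parse its own MTA's relay log and tune the limits.

```python
"""Flag smarthost clients whose outbound relay pattern looks like a spam
zombie: many messages to many distinct recipient domains in a short window.
Example code; the log format below is assumed, not any real MTA's."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed (constructed) log format:
#   <ISO timestamp> relay from=<client ip> rcpt=<recipient address>
LINE_RE = re.compile(r"^(?P<ts>\S+) relay from=(?P<ip>[\d.]+) rcpt=(?P<rcpt>\S+)$")


def parse_line(line):
    """Return (timestamp, client_ip, recipient_domain) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if m is None or "@" not in m["rcpt"]:
        return None
    ts = datetime.fromisoformat(m["ts"])
    domain = m["rcpt"].rsplit("@", 1)[1].lower()
    return ts, m["ip"], domain


def find_zombies(lines, window=timedelta(minutes=10), max_msgs=30, max_domains=20):
    """Return {client_ip: {"messages": n, "domains": d}} for every client that,
    within any sliding `window`, relayed more than `max_msgs` messages or to
    more than `max_domains` distinct recipient domains. Thresholds are
    illustrative; a legitimate home user rarely mails dozens of domains in
    ten minutes, a zombie almost always does."""
    per_host = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines we cannot interpret rather than guessing
        ts, ip, domain = parsed
        per_host[ip].append((ts, domain))

    flagged = {}
    for ip, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until all events fit inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            domains = {d for _, d in in_window}
            if len(in_window) > max_msgs or len(domains) > max_domains:
                flagged[ip] = {"messages": len(in_window), "domains": len(domains)}
                break  # first offending window is enough to flag the host
    return flagged


def build_sample_log():
    """Constructed sample: one ordinary customer and one zombie."""
    base = datetime(2005, 9, 8, 13, 0, 0)
    lines = []
    # Ordinary customer: three messages to two domains spread over 40 minutes.
    for i, rcpt in enumerate(["alice@example.com", "bob@example.org", "carol@example.com"]):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} relay from=10.1.2.3 rcpt={rcpt}")
    # Zombie: 40 messages to 40 distinct domains within two minutes.
    for i in range(40):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} relay from=10.9.9.9 rcpt=user{i}@victim{i}.example")
    lines.append("this line is noise and must be ignored")
    return lines


if __name__ == "__main__":
    for ip, stats in find_zombies(build_sample_log()).items():
        print(f"quarantine candidate {ip}: {stats['messages']} msgs to "
              f"{stats['domains']} domains inside the window")
```

The distinct-domain count is the more useful signal of the two: a customer forwarding a joke to thirty friends at one webmail provider trips the message limit but not the domain limit, while a zombie spraying a purchased list trips both. Whatever is flagged should feed the quarantine (or a "we towed your car" charge) only after a human or a second signal confirms it.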

--__--__--

Message: 2
Date: Thu, 08 Sep 2005 13:33:22 -0400
To: Mason Schmitt <mason@schmitt.ca>, Kevin <kkadow@gmail.com>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] The home user problem returns
Cc: firewall-wizards@honor.icsalabs.com

Mason Schmitt wrote:
>I know that somewhere Marcus is getting ready to unfurl his IPS rant
>(/me braces himself).

Wow... Am I that bad? Am I that predictable? ;)

>A public ISP just cannot be run like a corporate
>network, it's a totally different beast.

I completely agree!!! You've got a series of contradictory requirements.
There's no way to satisfy them (or even a reasonable percentage of them)
without creating more problems than you solve. Also, I knew an ISP back
in the day (1995) that offered 2 kinds of Internet hookups - one that was
firewalled, virus filtered, etc, and the other of which was wide open. Guess
which one they sold NONE of? Well, that was an easy guess...

> In fact, I know a lot of
>techies that would argue that ISPs should be totally transparent. In
>this day and age, I consider that view to be selfish and irresponsible.

With the current state of Internet software, it's pointless. It'd be
meaningful to encourage ISPs to filter traffic if there were end-to-end
authenticated links going on, and nothing else. If you want to push
things back far enough, intellectually, the problem is that anonymous
Internet access is being offered. That's the underlying problem. Unless
that particular problem is dealt with (and who'd want to be on the
Internet that would result..?) we will not make progress from where
we are.

>Marcus and most of the rest of you, please keep preaching solid security
>principles to businesses and governments, but when it comes to the home
>user, you're wasting your breath.

We're wasting our breath in general. Businesses are marginally better
than home users - some of them - but governments are sometimes
worse than home users, in my experience. The situation out there is
terrible and shows no sign of improvement, in my opinion.

>As with any security endeavour, a multi faceted or "defence in depth"
>solution is the best solution.

It's really more like a "defeat in depth" because you're accepting that
things will go wrong at every layer in the system. What you're trying
to do is reduce the surge of noise to manageable levels. That is a
worthwhile goal but it puts you right in the middle of the eternal arms
race.

>User education
>----------------
>User education still needs to happen

Pointless. If educating users was going to work, it would have worked
by now. If Anna Kournikova worm and phishing hadn't gotten people
to take this seriously years ago, they aren't going to next year, either.
If 600 Internet Explorer bugs and 1203 windows bugs* in 5 years didn't
get people to take it seriously, they aren't going to next year, either. Or
the year after that.

OBplug: I just completed an article for "certified security professional"
on "The Six Dumbest Ideas in Computer Security" in which I list
educating users as #5.
http://www.certifiedsecuritypro.com/index.php/content/view/154/56/
or it's linked off http://www.ranum.com
I'll spare posting the entire breathless tirade here.

[...other good stuff, deleted...]
You're still an optimist, aren't you? It's always nice to find an optimist
in Internet security. I feel like a birdwatcher who has seen the last of
some vanishing breed whenever I run across one of you guys. ;)

mjr.
(* source: P-nut)

--__--__--

Message: 3
Date: Thu, 08 Sep 2005 11:25:58 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

Marcus J. Ranum wrote:
> ISPs have a completely different place in the security stack - your
> job is to carry goodness and badness;

I agree that the ISP's place in the security stack is different than
that of businesses and government. However, I don't think our job is to
carry badness. As a major choke point between thousands (in our case)
or millions (the big ones) of home users and the rest of the net, I
think ISPs absolutely should be doing whatever possible to restrict
badness on their networks. They have the visibility necessary to do the
job and they have the means to at least offer some basic protection.

The fact that ISPs are now seeing enough pressure (from customers, RBLs,
and worm/bot load on their networks) that they are starting to react, is
encouraging. Comcast, once the world's greatest source of spam, is now
working toward a full outbound port 25 block and has just made
available, to all of their customers, a McAfee software bundle that has
an antivirus app and personal firewall.

I don't think it's a great solution (probably marketing driven), but
certainly far better than what they had before.

As you point out, your end
> users (who are idiots) will resent your attempts to make things
> better for them.

I see my job as trying to provide as consistent and unencumbered an
experience as possible for our customers. Right now, spam, bots, and
#!$%ing spyware are getting in my way of doing that. I don't like the
fact that at the onset of each new worm, that I still have to contact
people and shut them down. I don't like the fact that customers phone
complaining that our service is slow and when they bring their computer
into our shop we find a massive spyware infestation (the current record
btw is 5300). As a result, we are willing to try anything that is
likely to gain us some ground. Right now one of the projects that we
have that is working really well is having customers bring in their
computer when they sign up. We give the PC a thorough enema and send it
back out with free antivirus and antispyware, windows updates turned on
and the XP firewall enabled. Twice a year we run a spring cleanup and a
fall tune-up which again goes through the enema process for $29. We're
fairly confident that this program is making a big dent in the number of
really vulnerable systems out there.

Our goal is to severely reduce the number of infections on our network
so that our customers can have a consistent and hassle free experience
on the net. I'd like to see all ISPs adopt that stance.

Sorry. Just realised this looks a whole lot like a sales pitch...

--
Mason

--__--__--

Message: 4
Date: Thu, 08 Sep 2005 12:42:30 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>>I know that somewhere Marcus is getting ready to unfurl his IPS rant
>>(/me braces himself).
>
> Wow... Am I that bad? Am I that predictable? ;)
>

I think you've been at this a really long time and you're fed up with
the bull. I've only been in computers for a few years and the current
state of things drives me nuts too. The fact that you keep speaking out
is admirable. :)

> I knew an ISP back
> in the day (1995) that offered 2 kinds of Internet hookups - one that was
> firewalled, virus filtered, etc, and the other of which was wide open. Guess
> which one they sold NONE of? Well, that was an easy guess...
>

Yup.

>
>>In fact, I know a lot of
>>techies that would argue that ISPs should be totally transparent. In
>>this day and age, I consider that view to be selfish and irresponsible.
>
> With the current state of Internet software, it's pointless. It'd be
> meaningful to encourage ISPs to filter traffic if there were end-to-end
> authenticated links going on, and nothing else. If you want to push
> things back far enough, intellectually, the problem is that anonymous
> Internet access is being offered. That's the underlying problem.

YES!!! And the fact that there are groups that are working hard at
maintaining that anonymity bothers me. I know that there's always the
concern about Big Brother, or worse and far more plausible, abuse of any
large scale trust/authentication systems that get setup in the future.

> Unless
> that particular problem is dealt with (and who'd want to be on the
> Internet that would result..?) we will not make progress from where
> we are.
>

I see trust and authentication systems as critical to the future of the
net, therefore I want to see it happen, but I'm deathly afraid of the
piece of *$^! system that could be put in place. I can tell you right
now that centralized systems such as Microsoft's Passport are extremely
scary and have no place in the future trust/auth systems that need to
exist. Unfortunately I don't have a crystal ball (or any technical
background) to tell you what such systems should look like.

>>Marcus and most of the rest of you, please keep preaching solid security
>>principles to businesses and governments, but when it comes to the home
>>user, you're wasting your breath.
>
>
> We're wasting our breath in general. Businesses are marginally better
> than home users - some of them - but governments are sometimes
> worse than home users, in my experience. The situation out there is
> terrible and shows no sign of improvement, in my opinion.
>

On bad days and good days I fully agree. The problem is that it can't
stay like this, so movement has to occur somewhere. Perhaps you're
right that we're wasting our breath. Here's another favourite Einstein
quote of mine that fits this situation.

"The definition of insanity is doing the same thing over and
over again and expecting a different result."

While I think that user ed is still a critical piece to the puzzle, I
think that the way that we go about attempting to educate needs to
change. That's what I was trying to get across in my last email. It
takes one on one interaction with people.

>
>>As with any security endeavour, a multi faceted or "defence in depth"
>>solution is the best solution.
>
> It's really more like a "defeat in depth" because you're accepting that
> things will go wrong at every layer in the system. What you're trying
> to do is reduce the surge of noise to manageable levels. That is a
> worthwhile goal but it puts you right in the middle of the eternal arms
> race.
>

I'm well aware that I'm stuck in the middle of an arms race. That's why
we outsourced spam control - that was just too messy an arms race to
continue to contend with in house.

>
>>User education
>>----------------
>>User education still needs to happen
>
>
> Pointless.

I laughed out loud when I saw this one :)

> If educating users was going to work, it would have worked
> by now. If Anna Kournikova worm and phishing hadn't gotten people
> to take this seriously years ago, they aren't going to next year, either.
> If 600 Internet Explorer bugs and 1203 windows bugs* in 5 years didn't
> get people to take it seriously, they aren't going to next year, either. Or
> the year after that.
>

Very good points. See my point above concerning changing approaches.
To be realistic, I'm not expecting mass religious conversion to happen.
I'm hoping to keep finding those people that have an inkling that
something isn't right and just need some info to point them in the right
direction. These people, once they get it, will tell others. For
everyone else, I just want to get them to jump through the hoops of
turning on windows update, getting a firewall... yada yada yada.

> OBplug: I just completed an article for "certified security professional"
> on "The Six Dumbest Ideas in Computer Security" in which I list
> educating users as #5.
> http://www.certifiedsecuritypro.com/index.php/content/view/154/56/
> or it's linked off http://www.ranum.com
> I'll spare posting the entire breathless tirade here.
>

Excellent article. It's going up on my bulletin board next to "Low Carb
Security" and Paul's "Something About Security". I also sit my boss
down with things like this, because he'll actually read it and think
about it.

From your article in the #5 dumbest idea section:

"Why are users expecting to get E-mails from banks where they don't have
accounts? Most of the problems that are addressable through user
education are self-correcting over time. As a younger generation of
workers moves into the workforce, they will come pre-installed with a
healthy scepticism about phishing and social engineering."

In my last email, this was one of the things that I stressed (or I hope
I did). People need to learn to question. My generation is doing a
good job in this area, but my parents' generation is as trusting as an
unspoiled child when it comes to the net. I think the biggest problem
with the older crowd is that they don't really know what the net is -
I'm still working on my parents. That's what I want to try to teach people.

> [...other good stuff, deleted...]
> You're still an optimist, aren't you? It's always nice to find an optimist
> in Internet security. I feel like a birdwatcher who has seen the last of
> some vanishing breed whenever I run across one of you guys. ;)

This is hilarious! I got a good laugh out of this and had to show my
co-worker :)

In keeping with that Einstein quote about insanity, I'm trying to be
creative and come up with new ways of looking at the problem. If I sit
myself down in the middle of it, it gets exceedingly frustrating and it
looks like there is no hope. These are the days where my boss gets an
earful about how much crap is out there, how hopeless our position is,
etc. Whenever I fall into that sort of situation, I recognize it as
unworkable and realise there must be another way to look at the problem.
I'll keep trying to find new ways of approaching this and I'll make
headway, even if it is just, as you said, "reduce the surge of noise to
manageable levels". I think you have to be incredibly persistent and
optimistic, or naive to make any meaningful headway in computer security
- not sure which one I am, maybe both.

Anyway, it's still fun and challenging, so why not keep at it.

--
Mason

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
