
Tuesday, September 13, 2005

firewall-wizards digest, Vol 1 #1661 - 4 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. RE: The home user problem returns (Paul Melson)
2. Re: The home user problem returns (Chris Blask)
3. RE: The home user problem returns (Paul Melson)
4. RE: The home user problem returns (Paul Melson)

--__--__--

Message: 1
From: "Paul Melson" <pmelson@gmail.com>
To: "'Mason Schmitt'" <mason@schmitt.ca>,
"'Marcus J. Ranum'" <mjr@ranum.com>
Cc: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Mon, 12 Sep 2005 10:13:34 -0400

-----Original Message-----
Subject: Re: [fw-wiz] The home user problem returns

> I see my job as trying to provide as consistent and unencumbered an experience as
> possible for our customers. Right now, spam, bots, and #!$%ing spyware are getting in
> my way of doing that. I don't like the fact that at the onset of each new worm, that I
> still have to contact people and shut them down. I don't like the fact that customers
> phone complaining that our service is slow and when they bring their computer into our
> shop we find a massive spyware infestation (the current record btw is 5300). As a
> result, we are willing to try anything that is likely to gain us some ground. Right
> now one of the projects that we have that is working really well is having customers
> bring in their computer when they sign up. We give the PC a thorough enema and send it
> back out with free antivirus and antispyware, windows updates turned on and the XP
> firewall enabled. Twice a year we run a spring cleanup and a fall tune-up which again
> goes through the enema process for $29. We're fairly confident that this program is
> making a big dent in the number of really vulnerable systems out there.
>
> Our goal is to severely reduce the number of infections on our network so that our
> customers can have a consistent and hassle free experience on the net. I'd like to see
> all ISPs adopt that stance.

You know what I find highly ironic in all of this -- and I don't mean to
pick on you or your ISP -- is that there is a single symptom, a common
thread that ties together all of these problems you're attempting to combat.
And that common thread is required or at least preferred by all of the major
ISPs, and that is Windows desktops. In other words, ISPs everywhere are
complicit in their own security and performance headaches.

The bitter pill for the clueful is that those people that run a firewall
appliance or build their own Linux/BSD firewall for their home network
typically get no support from their ISP. (If you have Comcast cable like I
do, you can't even register your cable modem without a Windows box. That
was an unpleasant surprise when I moved recently.)

It is not lost on me that this is all due to market forces beyond the
control of even the largest ISPs. But I think we can all agree that this is
and will continue to be the primary trade-off that those charged (saddled
with?) network security must live with, at least in the short-term. Finding
an effective way for ISPs to deal with this that doesn't drive customers
away is certainly a noble goal, but I haven't seen a solution that has
scaled well yet.

At the same time, I don't want special treatment from my ISP (I mean, I
*do*, but I don't want it institutionalized). I don't want the "secure
people here, insecure people there" mentality from what is essentially a
utility. Nothing personal, but the likelihood that an ISP will properly be
able to correctly and continually analyze the security stance of anyone's
home network is slim enough that I'd prefer not to pay more per month for
them to try (and probably fail). I can barely do it myself, and I am one of
2 users (that I know of) and I built it.

> Sorry. Just realised this looks a whole lot like a sales pitch...

That's what makes you a security "professional." :-)

PaulM

PS - Sorry for the Monday morning grouch.

--__--__--

Message: 2
Date: Mon, 12 Sep 2005 10:52:49 -0400
To: Mason Schmitt <mason@schmitt.ca>,
"Marcus J. Ranum" <mjr@ranum.com>
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] The home user problem returns
Cc: firewall-wizards@honor.icsalabs.com

At 03:42 PM 9/8/2005, Mason Schmitt wrote:
.d.
> > Wow... Am I that bad? Am I that predictable? ;)
> >
>I think you've been at this a really long time and you're fed up with
>the bull. I've only been in computers for a few years and the current
>state of things drives me nuts too. The fact that you keep speaking out
>is admirable. :)

That is the value - take what opinion you like but DON'T GIVE UP!

.d.
> > If you want to push
> > things back far enough, intellectually, the problem is that anonymous
> > Internet access is being offered. That's the underlying problem.
>
>YES!!! And the fact that there are groups that are working hard at
>maintaining that anonymity bothers me. I know that there's always the
>concern about Big Brother, or worse and far more plausible, abuse of any
>large scale trust/authentication systems that get setup in the future.

The problem is that, without any sort of identity (and there is
exactly 0.0000% of net traffic using anything worth calling
identity), it is impossible to treat Identified traffic and Anonymous
traffic differently, as they logically deserve.

.d.
>I see trust and authentication systems as critical to the future of the
>net, therefore I want to see it happen, but I'm deathly afraid of the
>piece of *$^! system that could be put in place. I can tell you right
>now that centralized systems such as microsoft's passport are extremely
>scary and have no place in the future trust/auth systems that need to
>exist. Unfortunately I don't have a crystal ball (or any technical
>background) to tell you what such systems should look like.

Decentralized, distributed responsibility. If I own an auth server
then I am responsible for the activities of those who use it. If I
can say: "Yes, this is a person, I know who it is, and I'm not
telling you who that person is short of a court order legal in my
jurisdiction", then the system works.

.d.
>On bad days and good days I fully agree. The problem is that it can't
>stay like this, so movement has to occur somewhere. Perhaps you're
>right that we're wasting our breath.

Marcus is right to keep people on their toes: no-one should expect to
fire off ill-conceived comments or solutions and not get their lungs
ripped out - this is all too important. Any actual good ideas can
stand harsh comment - bullshit disintegrates.

>Here's another favourite Einstein
>quote of mine that fits this situation.

> "The definition of insanity is doing the same thing over and
> over again and expecting a different result."

My favorite Albert is this (I like it so much it's been my standard
sig for a while):

"Make things as simple as possible but no simpler." - Albert Einstein

THIS is where things in our world get f**ked up IMSO: "We'll get a
million angles to dance on the head of a pin, take the square root of
their average size and use the results as Private Keys (sold by
Verisinge and distributed by Microsloth)!"

>While I think that user ed is still a critical piece to the puzzle, I
>think that the way that we go about attempting to educate needs to
>change. That's what I was trying to get across in my last email. It
>takes one on one interaction with people.

Education is a slippery topic. In short, we will achieve the edu
goal with about 18 trillion hours of dedicated training and a factor
of 1000 more in informal training. IOW - it ain't getting done
tomorrow, but every little bit of effort gets us closer.

The other side of edu is that vendors/providers need to get educated
about what is a good idea and what is crap. Having (or not having)
actual Customers doing actual Things with your product is the only
education that counts, but vendors/providers usually miss the
pertinent lessons even then.

.d.
>I'm well aware that I'm stuck in the middle of an arms race. That's why
>we outsourced spam control - that was just too messy an arms race to
>continue to contend with in house.

Spam control = Identity

Identity is owned by the worst of our industry (both the "how to
screw your customer in Three Easy Steps" business folks and the
"no-one should use a computer if they can't carve one out of soap" engineers).

At JamSpam we had all the stakeholders in one place, and the best we
could do was AMY. I chaired the damn coalition so I take the blame,
but it didn't surprise me at all (and I *am* an optimist!).

.d.
>Very good points. See my point above concerning changing approaches.
>To be realistic, I'm not expecting mass religious conversion to happen.
> I'm hoping to keep finding those people that have an inkling that
>something isn't right and just need some info to point them in the right
>direction. These people, once they get it, will tell others. For
>everyone else, I just want to get them to jump through the hoops of
>turning on windows update, getting a firewall... yada yada yada.

Education works, it is just a much much much bigger job than we
think, with many different branches.

o Much of the end-user education that needs to be done is social
("talk amongst yourselves") and we can never directly provide that,
though we can tune the debate.

o There is no quantity of end-user education that can shorten the
amount of time it will take to "finish" that effort, but it is
possible to have so little that it takes longer...

.d.
>In my last email, this was one of the things that I stressed (or I hope
>I did). People need to learn to question. My generation is doing a
>good job in this area, but my parent's generation is as trusting as an
>unspoiled child when it comes to the net. I think the biggest problem
>with the older crowd is that they don't really know what the net is -
>I'm still working on my parents. That's what I want to try to teach people.

That right there is my point. The quantity of exposure that the
average Joe needs to understand the issues being discussed is "N",
where N is a very large number (particularly if Joe is 50+). We are
currently about 1/N into the process...

> > [...other good stuff, deleted...]
> > You're still an optimist, aren't you? It's always nice to find an optimist
> > in Internet security. I feel like a birdwatcher who has seen the last of
> > some vanishing breed whenever I run across one of you guys. ;)

chirp! ;~)

.d.
>Whenever I fall into that sort of situation, I recognize it as
>unworkable and realise there must be another way to look at the problem.

Precisely!

"The fact that two people have different opinions on a topic does not
mean that either is correct."

>I'll keep trying to find new ways of approaching this and I'll make
>headway, even if it is just, as you said, "reduce the surge of noise to
>manageable levels". I think you have to be incredibly persistent and
>optimistic, or naive to make any meaningful headway in computer security
>- not sure which one I am, maybe both.

Lucy: "You can't subtract five from three!"

Linus: "You can if you're stupid!"

Never underestimate the power of naive optimism.

>Anyway, it's still fun and challenging, so why not keep at it.

Beats pumping gas...

-cheers!

-chris

It is not worth an intelligent man's time to be in the majority. By
definition, there are already enough people to do that.

- G. H. Hardy

Chris Blask
chris@blask.org
http://blaskworks.blogspot.com

+1 416 358 9885

--__--__--

Message: 3
From: "Paul Melson" <pmelson@gmail.com>
To: "'Mason Schmitt'" <mason@schmitt.ca>,
"'Marcus J. Ranum'" <mjr@ranum.com>
Cc: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Mon, 12 Sep 2005 11:26:18 -0400

-----Original Message-----
Subject: Re: [fw-wiz] The home user problem returns

> > With the current state of Internet software, it's pointless. It'd be
> > meaningful to encourage ISPs to filter traffic if there were
> > end-to-end authenticated links going on, and nothing else. If you want
> > to push things back far enough, intellectually, the problem is that
> > anonymous Internet access is being offered. That's the underlying problem.
>
> YES!!! And the fact that there are groups that are working hard at maintaining that
> anonymity bothers me. I know that there's always the concern about Big Brother, or
> worse and far more plausible, abuse of any large scale trust/authentication systems
> that get setup in the future.

?! <Paul makes Scooby Doo noise> ?!

I fear that you and Marcus have mistaken privacy for anonymity. Just
because something isn't transparent end-to-end, doesn't mean it's anonymous.
The disparate bureaucratic systems that possess the information necessary to
track an action back to an individual over the Internet are representative
of the way we decentralize control of commodities and assets in general. I
don't know that that's a bad thing.*

Also, I find it a little presumptuous that you should be trusted to know my
information because I somehow show up on your radar. I think it should be
up to me as to whether or not I'm willing to trade my information for access
to something you have in the name of accountability. I want to decide when
I'm willing to make that trade.

Imagine the fallout if anybody had everybody's information available just by
asking the right questions. Look at how directories like whois databases
have been abused by spammers and hackers over the past 15 years. I doubt
that ubiquitous "accountability" on the Internet is a path to improved
security at all, but I definitely have concerns about how it would be abused
and exploited.

PaulM

* There is a whole different rant about the assumption of the need for
unfettered connectivity between organizations (even ISPs) and the rest of
the Internet that is underlying to this discussion. It has been my
experience that networks are often attacked from other networks that they
had literally no business communicating with.

The connection back to what I said above is that if you can define and
document the traffic that traverses a network, you can establish
accountability in a much more effective manner. You don't even necessarily
need to establish the identity of an individual if you can establish
responsibility for that traffic before it's even allowed.

Imagine with me for a moment a magical land of unicorns and faeries where
businesses and their network admins are so effectively cooperative that
simple router ACLs are reflective of business communication and nothing
else. Imagine some businesses turning off their Internet connection
altogether. Now imagine shrinking the scope of all of your network security
efforts down to that scale, that traffic, and those applications that are
core to business processes only. Now imagine half of us infosec vendors and
proselytizers being out of a job and having to find work herding trolls.

Seriously, I would gladly herd trolls if it meant never having to hear about
how my bank got hacked by Russian teenagers.

--__--__--

End of firewall-wizards Digest
