
Tuesday, September 13, 2005

firewall-wizards digest, Vol 1 #1662 - 7 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: The home user problem returns (R. DuFresne)
2. Re: The home user problem returns (R. DuFresne)
3. Re: The home user problem returns (Mason Schmitt)
4. Re: The home user problem returns (Marcus J. Ranum)
5. Re: The home user problem returns (Mason Schmitt)
6. Re: The home user problem returns (Mason Schmitt)
7. Re: The home user problem returns (Mason Schmitt)

--__--__--

Message: 1
Date: Mon, 12 Sep 2005 15:09:06 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: Mason Schmitt <mason@schmitt.ca>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
Organization: sysinfo.com


On Thu, 8 Sep 2005, Mason Schmitt wrote:

> Marcus J. Ranum wrote:
>> ISPs have a completely different place in the security stack - your
>> job is to carry goodness and badness;
>
> I agree that the ISP's place in the security stack is different than
> that of businesses and government. However, I don't think our job is to
> carry badness. As a major choke point between thousands (in our case)
> or millions (the big ones) of home users and the rest of the net, I
> think ISPs absolutely should be doing whatever possible to restrict
> badness on their networks. They have the visibility necessary to do the
> job and they have the means to at least offer some basic protection.
>
> The fact that ISPs are now seeing enough pressure (from customers, RBLs,
> and worm/bot load on their networks) that they are starting to react is
> encouraging. Comcast, once the world's greatest source of spam, is now
> working toward a full outbound port 25 block and has just made
> available, to all of their customers, a McAfee software bundle that has
> an antivirus app and personal firewall.
>
> I don't think it's a great solution (probably marketing driven), but
> certainly far better than what they had before.
>
> as you point out, your end
>> users (who are idiots) will resent your attempts to make things
>> better for them.
>
> I see my job as trying to provide as consistent and unencumbered an
> experience as possible for our customers. Right now, spam, bots, and
> #!$%ing spyware are getting in my way of doing that. I don't like the
> fact that at the onset of each new worm, that I still have to contact
> people and shut them down. I don't like the fact that customers phone
> complaining that our service is slow and when they bring their computer
> into our shop we find a massive spyware infestation (the current record
> btw is 5300). As a result, we are willing to try anything that is
> likely to gain us some ground. Right now one of the projects that we
> have that is working really well is having customers bring in their
> computer when they sign up. We give the PC a thorough enema and send it
> back out with free antivirus and antispyware, windows updates turned on
> and the XP firewall enabled. Twice a year we run a spring cleanup and a
> fall tune-up which again goes through the enema process for $29. We're
> fairly confident that this program is making a big dent in the number of
> really vulnerable systems out there.
>
> Our goal is to severely reduce the number of infections on our network
> so that our customers can have a consistent and hassle free experience
> on the net. I'd like to see all ISPs adopt that stance.
>
> Sorry. Just realised this looks a whole lot like a sales pitch...
>
> --

Mason, I do not think Marcus was beating up on you personally, and I don't
think anyone else here would or has either. You have a tough world to
work from, that of a tech within an ISP. But the best that an ISP can do
is perhaps limited, and since the corp industry is still unable to beat
the problems that abound, and since gov sites both federal and state and
local are still up to their collective necks in internet-do-do, any
efforts from the ISP realms are welcomed, though perhaps not to have too
dramatic of an effect. But, if each and every ISP forced into their
routers ingress as well as egress filtering, we'd have eliminated a large
number of attack vectors and issues with the anonymity that many rely upon
for their nasty deeds.

As for the new value-adds of firewalls and spam filters offered by some
ISPs, they aren't going to sell well even now. After all, what are folks
seeking? A connection, plain and simple, and since education has not made
them really aware of the pitfalls they face, why are they going to pay
more for a service they don't really seek, let alone feel they need? There
are, after all, more serious concerns for their wallets in gas prices
rising.... Now, if firewalls and spam filters were part of the base
offering, folks might or might not notice or be concerned and still
sign on, though that's not a given either. Folks in both the home
user realm and the corporate realm tend to do these silly "full installs",
after all, thinking if they do any less they are somehow limiting their
capabilities.

By the way, Marcus, love yer 10 list! Spreading it all about the place
now. I had hesitated in replying to the user training side of the thread
as folks tend to view me as a pessimist, rather than a realist.

Ingress and egress is the strong beginning move to make. Marcus has many
tales to tell on how well that matter goes through the corp world, and has,
I'm sure, only related a few of those tales here...

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>

--__--__--

Message: 2
Date: Mon, 12 Sep 2005 15:19:49 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: Mason Schmitt <mason@schmitt.ca>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
Organization: sysinfo.com


[SNIP]

>> From your article in the #5 dumbest idea section:
>
> "Why are users expecting to get E-mails from banks where they don't have
> accounts?

See the pessimist in my replies: it's 'cause more folks are
anticipating their wealth and fortune being tied to some gross error of an
employee of such an institution granting them full access to some
millions that appear to have laid dormant for a few years' time. In
other words, most folks have a bit of the take-it-and-run ethics
built in... it explains to my mind quite well why the 911 scams never seem
to be slowed in the slightest...

User education often runs counter to fighting human greed...

Of course, I have not fixed my spectacles in about 10 years, so the
prescription through which I view the world is likely warped...

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>

--__--__--

Message: 3
Date: Mon, 12 Sep 2005 12:59:51 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: Chris Blask <chris@blask.org>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>> On bad days and good days I fully agree. The problem is that it can't
>> stay like this, so movement has to occur somewhere. Perhaps you're
>> right that we're wasting our breath.
>
>
> Marcus is right to keep people on their toes: no-one should expect to
> fire off ill-conceived comments or solutions and not get their lungs
> ripped out - this is all too important. Any actual good ideas can stand
> harsh comment - bullshit disintegrates.
>

Are my ideas ill-conceived? I shouldn't even call them mine, because
they are not unique to me - there are no unique ideas; just people that
get to claim discovery, because they were the first to publicly announce
an idea or act upon it. As to whether or not they will disintegrate, I
still don't know whether they will or not. I'm not going to know until
I try them or someone points out some specific areas in which they will
fail.

What specifically do you think is bullshit? Or is it just my approach
in general? The better I understand this problem the better off I'm
going to be.

>> In my last email, this was one of the things that I stressed (or I hope
>> I did). People need to learn to question. My generation is doing a
>> good job in this area, but my parent's generation is as trusting as an
>> unspoiled child when it comes to the net. I think the biggest problem
>> with the older crowd is that they don't really know what the net is -
>> I'm still working on my parents. That's what I want to try to teach
>> people.
>
>
> That right there is my point. The quantity of exposure that the average
> Joe needs to understand the issues being discussed is "N", where N is a
> very large number (particularly if Joe is 50+). We are currently about
> 1/N into the process...
>

I disagree. I don't think that N need be that large. Even now with the
huge mess we have, N is manageable if it is presented properly and
*people want to listen*. N can be reduced considerably if those
providing PCs, network access, etc can improve the security of their
offerings. This of course being a much longer term look at the problem.

Here are two ways of looking at N. The first one applies to the present
state of things, the second is longer term.

N in a positive reinforcement scenario (short term)
----------------------------------------------------
If as a group, we like to preach least privilege, why do we keep trying
to tell home users what they _shouldn't_ be doing? That sounds like
default allow. Why not tell them what they should be doing? It's going
to be a much shorter list.

N as seen from within a mature utility model (long term)
---------------------------------------------------------
Here's another way of looking at the long term size of N. In one of the
emails in this thread, someone mentioned that Internet access should be
like a utility. I'd like to take that analogy (because that's what it
is) and expand upon it.

Look at the electrical utilities (I'm going to assume North America).
Access to electricity is available to anyone that wants it - from large
massively energy intensive operations such as aluminium smelters right
down to your average home owner.

Electricity is provided to home users in a very well controlled fashion.
The utility puts out a very consistent 60Hz and the power is expected
to be within clearly defined limits of the amount of distortion, amount
of voltage fluctuation etc. The utility also provides automated systems
that are designed to protect their infrastructure as well as anyone
attached to it.

When the connection is made from the pole to the home, it must meet
strict electrical codes and certain parts of the installation (such as
your panel) must be done by an electrician. The only interface
presented to the home user that would allow them to actually touch what
they are paying for is a three prong outlet. Or if you are in the
bathroom, hopefully a GFI as well. (Well light sockets too, but I'm
trying to keep this simple.)

What do home users plug into these three prong outlets? The vast
majority of home users will plug in lamps, kitchen appliances, clocks,
computers, etc. *ALL* of which must be inspected and approved for
safety before being allowed to go to market. If a home user wants to
play and decides to stick a fork in an outlet, the rest of us are
protected by the fact that there is "egress" protection mandated at the
home - the breaker is going to blow. At this point, user education is
pretty simple:
Don't stick your finger in a light socket.
Don't let your kid stick a finger (or anything else) in an outlet (there
are even plastic outlet plugs for this purpose)
Don't blow-dry your hair in the bathtub.

These are not complicated rules. This is a very small value of N. The
reason that the rules are not complicated is due to the steps that
industry/government has taken to regulate the utility and to protect the
home user.

Getting back to computers and the Internet... If these sorts of controls
and industry maturity were in place, home users wouldn't be such a
problem. The big problem is that the Internet right now is very much
like the "Wild West" - it's young, immature, un-controlled and much
about how it should work is still unknown. It just needs to mature.

> Lucy: "You can't subtract five from three!"
>
> Linus: "You can if you're stupid!"
>
> Never underestimate the power of naive optimism.
>

I hadn't heard that exchange before. That's a good one :)

--
Mason

--__--__--

Message: 4
Date: Mon, 12 Sep 2005 16:07:06 -0400
To: Mason Schmitt <mason@schmitt.ca>, Chris Blask <chris@blask.org>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] The home user problem returns
Cc: firewall-wizards@honor.icsalabs.com

Mason Schmitt wrote:
>> Lucy: "You can't subtract five from three!"
>>
>> Linus: "You can if you're stupid!"

...and thus, a new slogan for the Linux community was born!

mjr.

--__--__--

Message: 5
Date: Mon, 12 Sep 2005 14:07:47 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: "R. DuFresne" <dufresne@sysinfo.com>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

R. DuFresne wrote:
> Mason, I do not think Marcus was beating up on you personally, and I
> don't think anyone else here would or has either.

Uh oh. I didn't know I was coming across that way. I don't feel the
least bit like anyone has been beating on me. I'm enjoying the
opportunity to discuss my thoughts with such a group of informed people.
If someone does get genuinely upset with me, I'm quite willing to
hear what they have to say and see whether I think it's valid.

It's true that I'm not in complete agreement with all the replies I have
received (much but not all), but if I were, there would be no point to
all this... We'd just be a group of elitists all agreeing with each
other over how smart we are and how stupid everyone else is ;)

/me ducks

I honestly don't mean that :)

> You have a tough
> world to work from, that of a tech within an ISP. But the best that an
> ISP can do is perhaps limited, and since the corp industry is still
> unable to beat the problems that abound, and since gov sites both
> federal and state and local are still up to their collective necks in
> internet-do-do, any efforts from the ISP realms are welcomed, though
> perhaps not to have too dramatic of an effect. But, if each and every
> ISP forced into their routers ingress as well as egress filtering, we'd
> have eliminated a large number of attack vectors and issues with the
> anonymity that many rely upon for their nasty deeds.

That's one of the things that I really want to see happen. I want to
see ISPs, right across the board, at least do some basics like
ingress/egress filtering for the really common ports and anti-spoofing.
I don't have any idea how many of the large ones do this, but I know
that a ton of the small ones don't.

> After all, what are folks
> seeking? A connection, plain and simple, and since education has not made
> them really aware of the pitfalls they face, why are they going to pay
> more for a service they don't really seek, let alone feel they need?

It seems that there are two primary ways in which people change. Either
they make a conscious choice to change prior to a problem getting out of
hand (requires knowledge that there is an impending problem and
knowledge of how to avoid the problem) or they endure more and more pain
until they are forced to look at the problem and finally make a choice.

It seems to me that the majority of home users fall into the second
category. So, education needs to target the few that are looking for
info, but don't know what to look for because there is too much out
there. The media is helping to freak people out, but it's not doing
much to offer solutions. In fact, the media will eventually desensitize
people to the problems, which will make the job of helping people
understand even harder.

The other problem is that you can never expect or force a person to
change. So if your solution to a problem involves changing someone that
you have no control over, your solution is doomed to failure. The path
that is more likely to succeed involves moving forward with what you
have control over and those that are cooperating, all the while making
efforts to recruit more from the ranks of the uncooperative or ignorant,
but not requiring it.

Working from that philosophy, that means that the workable solutions
should be easier to spot. Here are a couple of really basic examples:

What you have control over
-----------------------------
Governments put laws (sox is a good example) into place that force those
they have control over (businesses) to comply or face penalties.

Cooperation
-------------
Organizations and their members agree to address a problem as a group
and everyone voluntarily enacts what the group decided on. The
standards process is a decent example of this. I'd like to see one of
the large ISP associations hammer out some suggested best practices and
get their members on board.

> Now, if firewalls and spam filters were part of the base
> offering, folks might or might not notice or be concerned and still
> sign on, though that's not a given either.

I'd love to see that, but according to those with the business reins,
competition doesn't allow for that...

> I had hesitated in replying to the user training side of the
> thread as folks tend to view me as a pessimist, rather than a realist.
>

It really is hard to be an optimist sometimes... Thanks for your thoughts.

> Ingress and egress is the strong beginning move to make.

I completely agree.

--
Mason
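
A small model of the two edge controls this exchange keeps coming back to (per-port anti-spoofing, which is the BCP38-style ingress filtering Ron and Mason both want every ISP to do, and an outbound port 25 block like the Comcast one quoted earlier), written as an added example that is not code from the list or from any ISP mentioned in it. Interface names, customer prefixes, the ISP aggregate and the relay address are all constructed for the example.

```python
"""Constructed model of ISP-edge filtering: BCP38-style anti-spoofing on
customer-facing ports, a plain source check before traffic leaves upstream,
and an outbound TCP/25 block that exempts the ISP's own relay."""
import ipaddress
from dataclasses import dataclass

# Constructed: the address block assigned to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/26")],
    "cust-b": [ipaddress.ip_network("198.51.100.128/25")],
}
# Constructed: the ISP's own aggregates, used by the upstream egress check.
ISP_SPACE = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("198.51.100.0/24")]
# Constructed: the only host customers may reach on TCP/25 (hypothetical relay).
SMTP_RELAYS = {ipaddress.ip_address("192.0.2.250")}


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def ingress_policy(flow):
    """Customer-facing check: source must belong to the prefix on that port,
    and direct-to-MX mail (TCP/25 to anything but the relay) is dropped."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    allowed = CUSTOMER_PREFIXES.get(flow.iface)
    if allowed is None:
        return ("drop", "unknown customer interface")
    if not _in_any(src, allowed):
        return ("drop", "spoofed source: not in prefix assigned to this port")
    if flow.proto == "tcp" and flow.dport == 25 and dst not in SMTP_RELAYS:
        return ("drop", "outbound port 25 block (use the ISP relay)")
    return ("accept", "ok")


def egress_policy(flow):
    """Upstream-facing check: nothing leaves with a source outside ISP space."""
    if not _in_any(ipaddress.ip_address(flow.src), ISP_SPACE):
        return ("drop", "source outside ISP address space")
    return ("accept", "ok")


def evaluate(flows):
    """Apply the ingress check on customer ports, then the egress check on
    everything headed upstream; return one (action, reason) per flow."""
    results = []
    for f in flows:
        action, reason = ("accept", "ok")
        if f.iface in CUSTOMER_PREFIXES:
            action, reason = ingress_policy(f)
        if action == "accept":
            action, reason = egress_policy(f)
        results.append((action, reason))
    return results


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("cust-a", "192.0.2.10", "203.0.113.5", "tcp", 443),       # normal web
    Flow("cust-a", "10.0.0.7", "203.0.113.5", "udp", 53),          # spoofed src
    Flow("cust-b", "198.51.100.200", "203.0.113.25", "tcp", 25),   # direct-to-MX
    Flow("cust-b", "198.51.100.200", "192.0.2.250", "tcp", 25),    # via relay
    Flow("cust-a", "198.51.100.130", "203.0.113.5", "tcp", 80),    # cust-b addr on cust-a
    Flow("core", "172.16.0.9", "203.0.113.5", "tcp", 443),         # leaks at egress
]

if __name__ == "__main__":
    for f, (action, reason) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{action:6} {f.iface:6} {f.src:>15} -> {f.dst}:{f.dport}/{f.proto}  {reason}")
```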

--__--__--

Message: 6
Date: Mon, 12 Sep 2005 14:13:39 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: "R. DuFresne" <dufresne@sysinfo.com>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>>> "Why are users expecting to get E-mails from banks where they don't have
>>> accounts?
>
> See the pessimist in my replies: it's 'cause more folks are
> anticipating their wealth and fortune being tied to some gross error of
> an employee of such an institution granting them full access to some
> millions that appear to have laid dormant for a few years' time. In
> other words, most folks have a bit of the take-it-and-run ethics
> built in... it explains to my mind quite well why the 911 scams never seem
> to be slowed in the slightest...
>
> User education often runs counter to fighting human greed...
>

In my previous email, I said that there are two ways in which a person
changes. In my opinion, the people to whom you refer are going to have
to endure a lot of pain before they decide to change. That's one of the
great things about pain - for those that want it, it's never in short
supply. Pain can be a great teacher.

--
Mason

--__--__--

Message: 7
Date: Mon, 12 Sep 2005 14:26:32 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: Brian Loe <knobdy@stjoelive.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

Brian Loe wrote:
> I'm not sure I follow the purpose. The customer is being sold a certain
> amount of bandwidth and you are providing it. The customer isn't entitled to
> more than the contracted bandwidth and you're not entitled to restrict the
> customer's bandwidth below the contracted rate - right?
>
> I mean, here at home the local cable provider throttles down your connection
> if they notice you using something like Shareaza. Their excuses start with
> the bandwidth argument, but that doesn't hold if I'm paying for 3mb, I
> should get it or they shouldn't sell it. Their next excuse is security, and
> being the security minded guy that I am, I can almost relate. BUT... no,
> they're a utility company. I'm BUYING my bandwidth from them and therefore
> MY safety is MY problem - I expect them to provide me with bandwidth (and
> that's all) and to protect themselves on their own time and dime.
>
> Am I wrong here? If so, let me know.

I think you're wrong.

When you have irate customers on the phone saying that the fact their
computer is infected is your fault, or that they are getting all this
spam and we should be doing something about it, or that their connection
is horribly slow and we explain that it's because their computer is
filled to the gills with spyware and the customer has accidentally left
a p2p app running that allows unrestricted uploads, then I do think
that the ISP should be doing something about it. If enough customers
demand something of a business, it's generally within that business's
best interest to listen to their customers. If you happen to be in the
minority that doesn't want or need this sort of service, then perhaps
the ISP can find a way to give you access to your crap, but if it's
going to affect the other users that have expressed that they don't want
that crap, then you're probably going to find yourself hunting for
another ISP. I expect and hope that this is exactly what more and more
ISPs will begin to do, now that the problems are getting so bad.

--
Mason

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
