Tuesday, September 13, 2005

firewall-wizards digest, Vol 1 #1666 - 8 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. RE: The home user problem returns (Paul Melson)
2. RE: The home user problem returns (Tina Bird)
3. Re: The home user problem returns (R. DuFresne)
4. RE: The home user problem returns (Marcus J. Ranum)
5. RE: The home user problem returns (Brian Loe)
6. Re: The home user problem returns (Mason Schmitt)
7. Re: The home user problem returns (Paul D. Robertson)
8. Re: The home user problem returns (Mason Schmitt)

--__--__--

Message: 1
From: "Paul Melson" <pmelson@gmail.com>
To: "'Paul D. Robertson'" <paul@compuwar.net>,
"'Marcus J. Ranum'" <mjr@ranum.com>
Cc: "'Mason Schmitt'" <mason@schmitt.ca>,
"'Kevin'" <kkadow@gmail.com>, <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 15:01:37 -0400

-----Original Message-----
Subject: Re: [fw-wiz] The home user problem returns

> Anna K. and phishing work(ed) because of the social aspects of their
> delivery- we're still trying to fight a technical battle against a social
> problem. We have to take this to the social trenches at some point, or
> we'll be overrun.

I totally agree. You can't replace education with other efforts.
Technological solutions to human problems are incapable of succeeding where
human solutions to human problems often do. In fact, it's been my
experience that using technology to solve a human problem is the hallmark of
lazy or ineffective management. (i.e. "I don't have the clout/spine to take
this to HR to get a policy against using streaming audio, so we'll use QoS
at the border to keep audio traffic from drowning inbound web traffic...
again.")

However, Marcus said something in his latest rant (well, the one everyone's
talking about - I picture Marcus ranting on a near-daily basis to someone
somewhere) on this topic that I think is fairly accurate. Some of these
problems will solve themselves in the near future. A new generation of
"kids" is beginning to enter the workforce. These kids grew up with e-mail,
web, IM, p2p and all of the crap that goes with it. Businesses stand to
benefit directly from the new increase in collective understanding about the
user end of technology. This includes many of the things that you would see
in technology or data security awareness training programs that companies
have spent the last decade developing.

I think I agree because I like the idea of some of my slide show spiels
retiring before I do. :)

PaulM

--__--__--

Message: 2
From: "Tina Bird" <tbird@precision-guesswork.com>
To: "'Mason Schmitt'" <mason@schmitt.ca>,
"'R. DuFresne'" <dufresne@sysinfo.com>
Cc: "'Marcus J. Ranum'" <mjr@ranum.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 12:23:33 -0700

> It seems that there are two primary ways in which people change. Either
> they make a conscious choice to change prior to a problem getting out of
> hand (requires knowledge that there is an impending problem and
> knowledge of how to avoid the problem) or they endure more and more pain
> until they are forced to look at the problem and finally make a choice.

i disagree. i don't know *anyone* who willingly makes a fundamental,
significant change in their behavior without pain as a motivator. for every
example of your first category that you can present, i can *probably*
demonstrate that the "apparent" change is really an example of the person
behaving consistently with some deeper part of their personality, which
isn't changing.

i think it's human nature to resist change altogether unless some sort of
pain - personal, physical, financial - motivates them. it's why carrot and
stick works so well as a way to influence behavior.

so for me, the question is, how do we influence the *consequences* of badly
configured or managed machines - wherever they are, on corporate networks or
the internet - in order to create the change we want? how do we create a
beneficial sort of pain?

when i'm dealing with my relatives, i just change the configuration of their
computer when i'm visiting. that's not exactly a motivator, but hey, their
machines are fully patched :-)

it's why i'm so interested in NAC and NAP and other sorts of enterprise
technologies that let me use network connectivity as the bribe to get
machines configured the way i want them. i'm creating pain for the end user
by not letting them get to the web without doing what i want - the height of
security admin arrogance, i'm sure, but i try to be reasonable in my
expectations.

cheers - tbird

--__--__--

Message: 3
Date: Tue, 13 Sep 2005 16:01:27 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: Mason Schmitt <mason@schmitt.ca>
Cc: Brian Loe <knobdy@stjoelive.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
Organization: sysinfo.com

On Mon, 12 Sep 2005, Mason Schmitt wrote:

> Brian Loe wrote:

[SNIP]

>
> Here's an example that's not related to Internet access and bandwidth.
> In North America (and starting to become a problem in most developed
> nations), smoking is becoming a huge problem. Smoking is known to be
> linked to many forms of cancer, birth defects, gum disease, many
> respiratory diseases, etc, etc. - it's a really long list. Some people
> consider smoking to be a personal choice, so lets run with that. My
> first argument pertains more to Canada and other countries that have
> public medical systems.
>
> When enough people choose to smoke, they are placing an unnecessary
> burden on the public medical system, thereby degrading it for everyone else.
>

Are they? Will they really? After all, considering the above, they are
not likely to live as long and thus not going to be within the system as
long term as the non-smokers.

> You may be one of those militant smokers that feels it is their right to
> smoke wherever they please. If you decide you want to smoke in public,
> you may be smoking next to someone that is an asthmatic. It's well
> known that second hand smoke is just as deadly, if not more so, than the
> smoke you pull through your filter

Are you certain of this, or is it just another version of overhype in this
current time and space? After all, think about it a moment: if I draw
smoke directly into my lungs, and exhale, and then you breathe in a small
fraction of what residual smoke is left, is it really more of a health
issue for you in a secondary fashion than it was for me in the first
intake?

> - if you and other militant smokers
> get their way, non smokers are now suffering the same health problems
> that are common amongst smokers. Other people may be enjoying the fresh
> air or a good meal and you are denying them that. The effect can even
> be as simple as making someone else's clothes stink. No matter how you
> look at it, this is more than just your problem - you are involving
> other people that may not want to have anything to do with you.
>

We face these 'balances' in many facets of daily life, anytime a majority
has to allow the minority to have equal rights and protections, though, no?

>
> I promised I'd give you an example relating to your use of your Internet
> connection. Here's one really good example for you.
>
> Recently a bot found its way onto a customer's computer. That bot
> set up shop and began to send spam... through our not-so-smart smarthost.
> The bot was also a worm and it started spewing like crazy trying to
> find more hosts - it found some on our network and would have found some
> out on the net if I hadn't put egress filters in place on our router a
> year or two ago.
>
> I got called into work outside normal hours to track down the bot, our
> support people had to call the customer to let them know and they also
> turned off the customer's modem until the infection was cleaned out.
> They then had to start calling other customers and doing the same.
>
> In the short time that the spam was flowing, our mail server managed to
> find its way onto a couple of blacklists. As a result, customers that
> didn't get the worm were still being affected because some of their
> email bounced due to other mail admins using the blacklists that we
> ended up on. This in turn generated support calls.
>
> I then kicked myself for not having implemented rate limiting and really
> basic spam filtering on our outbound smtp relay like I had planned to
> and set about working out how I was going to do that. It turns out that
> it's not feasible with our current solution, so this week I'm working on
> building a new mail server that will allow me to do the egress filtering
> I need to do.
>
> All in all, the fact that there weren't more safeguards in place cost
> us time and money and affected a fair number of customers. It has also
> pulled me away from other important work and thus I get further behind.
>
> If that doesn't paint a clear enough picture of why you should not be
> able to have a wide open unrestricted pipe of your own, let me know and
> I'll give you some more examples.
>

That sure seems like a long way about trying to limit the exposures that
got and get you into the fixes you find in your ISP technical position,
so, let me ask here again, would it not be simpler, and likely go pretty
much unnoticed to the vast majority of your users, to just not allow
ports 135-139, 455, and 500 and the rest of the windows specifics from
leaving your perimeters and even actually eliminate it on your broadcasts
within? Seems that would be far less work and likely with the ingress and
egress filtering eliminate 90% of the issues that hit you and your user
base, would it not? And certainly without the support overhead of the
vast majority of the plans and solutions you are trying to implement, yes?

My question to the rest of the list remains: how much would an ISP suffer
if they invoked such policies? And invoked such policies while hitting
those that request to be allowed to avoid those limitations with a service
expansion and extra hit from the pocketbook? Rather than give it all away
under the basic pricing infrastructure, you make those that wish for the
"addon risks" pay for it.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>

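Mason's quoted account above describes a bot pushing spam through the ISP's smarthost until the relay landed on blacklists, and the outbound rate limiting he then planned. As an added illustration (not code from the list or from any participant), here is a small Python model of that control: a per-customer sliding-window recipient budget over a constructed relay log, where a customer that blows through the budget is deferred and stays blocked until support clears it. The log format, IPs, limit of 50 recipients per 10 minutes and the blocked-list behaviour are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed relay log excerpt (not from the list): one line per message
# accepted by the smarthost: timestamp, submitting customer IP, recipients.
SAMPLE_LOG = """\
2005-09-12T02:00:01 client=10.20.30.40 rcpt=1
2005-09-12T02:00:10 client=10.20.30.99 rcpt=10
2005-09-12T02:00:11 client=10.20.30.99 rcpt=10
2005-09-12T02:00:12 client=10.20.30.99 rcpt=10
2005-09-12T02:00:13 client=10.20.30.99 rcpt=10
2005-09-12T02:00:14 client=10.20.30.99 rcpt=10
2005-09-12T02:00:15 client=10.20.30.99 rcpt=10
2005-09-12T02:00:20 client=10.20.30.40 rcpt=3
2005-09-12T02:30:00 client=10.20.30.99 rcpt=10
"""


def parse_line(line):
    """Split one log line into (timestamp, client IP, recipient count)."""
    stamp, client, rcpt = line.split()
    return (datetime.fromisoformat(stamp),
            client.split("=", 1)[1],
            int(rcpt.split("=", 1)[1]))


class RelayRateLimiter:
    """Sliding-window recipient budget per submitting customer IP.

    A customer that exhausts its budget is deferred (SMTP 4xx) and stays
    on the blocked list until support clears it, mirroring the 'turn off
    the modem until the infection is cleaned out' handling in the thread.
    """

    def __init__(self, max_rcpt, window_seconds):
        self.max_rcpt = max_rcpt
        self.window = timedelta(seconds=window_seconds)
        self.history = defaultdict(deque)   # ip -> deque of (ts, rcpt)
        self.blocked = set()

    def check(self, ts, ip, rcpt):
        """Return 'accept' or 'defer' for a submission of rcpt recipients."""
        if ip in self.blocked:
            return "defer"
        recent = self.history[ip]
        # Drop entries that have aged out of the window.
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()
        used = sum(n for _, n in recent)
        if used + rcpt > self.max_rcpt:
            self.blocked.add(ip)
            return "defer"
        recent.append((ts, rcpt))
        return "accept"


def run(log_text=SAMPLE_LOG, max_rcpt=50, window_seconds=600):
    """Replay a log through the limiter; return decisions and blocked IPs."""
    limiter = RelayRateLimiter(max_rcpt, window_seconds)
    decisions = []
    for line in log_text.splitlines():
        ts, ip, rcpt = parse_line(line)
        decisions.append((ip, limiter.check(ts, ip, rcpt)))
    return decisions, sorted(limiter.blocked)


if __name__ == "__main__":
    decisions, blocked = run()
    for ip, verdict in decisions:
        print(f"{ip:14} {verdict}")
    print("blocked:", blocked)
```

In the sample the bot at 10.20.30.99 gets five bursts through (50 recipients) before the sixth is deferred, and it remains deferred half an hour later; the ordinary customer at 10.20.30.40 is never touched.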
--__--__--

Message: 4
Date: Tue, 13 Sep 2005 16:50:48 -0400
To: "Brian Loe" <knobdy@stjoelive.com>,
"'Mason Schmitt'" <mason@schmitt.ca>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: RE: [fw-wiz] The home user problem returns
Cc: <firewall-wizards@honor.icsalabs.com>

Brian Loe wrote:
>Exactly. You may have never seen, used or owned a gun in your life, but you
>are probably able to go buy one. Once you do buy one, how it is handled and
>what you do with it is YOUR responsibility.

You may have never seen, used, or owned a car in your life, but if you have
decent credit you are probably able to go buy or lease one. Once you do buy
one, you are required to be insured against damages that might result from
your negligence or accidents you cause (or suffer) with that car. Prior to taking
that car out onto public roads where you could kill, maim, or damage other
people's cars and property you are required to take a proficiency test. If you
are caught breaking the rules of how you are to operate your car, you may
have your right to use it revoked, or the car itself confiscated. Your use of the
car is YOUR responsibility but society has effectively determined that most
people DO NOT DISCHARGE THAT RESPONSIBILITY WELL and has placed
controls around use of cars.

mjr.

--__--__--

Message: 5
From: "Brian Loe" <knobdy@stjoelive.com>
To: "'Marcus J. Ranum'" <mjr@ranum.com>,
"'Mason Schmitt'" <mason@schmitt.ca>
Cc: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 15:58:22 -0500

To be sure, but between you and me, I'll bet I can go buy a car and get away
without doing any of those things for quite a while before being caught - IF
I do get caught.

So what's the story here? Government parenting is required in order for the
Internet to continue functioning - to save us from ourselves?

Even if this were true, which it's not, it would be impossible to implement.
The UN is, has been and always will be worthless and that's about as close as
you're going to get to an international governing body...I'll feel dirty
just thinking about the need for such a thing...

> You may have never seen, used, or owned a car in your life,
> but if you have decent credit you are probably able to go buy
> or lease one. Once you do buy one, you are required to be
> insured against damages that might result from your
> negligence or accidents you cause (or suffer) with that car.
> Prior to taking that car out onto public roads where you
> could kill, maim, or damage other people's cars and property
> you are required to take a proficiency test. If you are
> caught breaking the rules of how you are to operate your car,
> you may have your right to use it revoked, or the car itself
> confiscated. Your use of the car is YOUR responsibility but
> society has effectively determined that most people DO NOT
> DISCHARGE THAT RESPONSIBILITY WELL and has placed controls
> around use of cars.
>
> mjr.

--__--__--

Message: 6
Date: Tue, 13 Sep 2005 14:13:55 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: "Paul D. Robertson" <paul@compuwar.net>,
Kevin <kkadow@gmail.com>, firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>>Educating users to fix the problem doesn't work. Educating users there
>>*is* a problem seems to work, just not en-mass.
>
> Nope. Because we're dealing with shared environments - so even if you
> managed to somehow raise the clue level in 50% of the population it winds
> up having almost no effect because the clueless infect the clueful
> second-hand.

I think that was Paul's point. Home users can't be educated to the
point that the problem becomes "fixed". I don't think they need to be
or should be, so if that's where the effort is being expended, then I
agree - it's a waste of breath. I do think that over time education
efforts will result in an increase in clue in the vast majority of
people. If this weren't the case, then there would be no point to
having a public education system... Not everyone is going to get
straight 'A's; some people will fail, and others who are living a hand-to-
mouth existence, or whose country is too backward or too poor or for
whatever reason doesn't have education available to the masses, will
not learn - which leads nicely to your comment below concerning AIDS.

> It's really a problem in epidemiology. Imagine if 50% of
> your population refused to worry about AIDS yet was capable of having
> sex with 1,000,000 different partners a day* - The numbers are all tipped
> the wrong direction, for education to work. Spammers have pretty much
> proved that.

Well, no, the spammers haven't proven that. What the spammers have
shown us is that even if they only sucker a minute percentage of the
people that actually receive their crap, it's financially
worthwhile. The reason being that the economics of spam allow the
spammers to plunder a public resource (the net) with relative impunity.
Ecological economists such as Herman Daly have shown that when you
don't factor in the cost of continual withdrawal from a natural
resource, your books aren't really balancing. This is again an
issue that is only going to be rectified by increasing the spammers'
costs, which many people are working on.

I also don't think the user education problem is an epidemiological one
either. To suggest that ignorance of a growing and changing computer
security environment is somehow like a rapidly spreading pathogen is a
little bit of a stretch. If ignorance were infectious, you'd probably
be dead or an idiot right now. I remember you ripping apart Dan Geer's
monoculture idea that was such a big deal a little while back. Not
trying to pick a fight here, I just don't get the argument.

> my magic
> 8-ball says "Outlook Not Good" and it's not talking about the
> mail software from Microsoft. (But it'd be right if it was...)

:)

> Trying to point out that it's a social problem brings up this
> immediate surge of knee-jerk "HACKING IS COOL!" reaction.
> After my "Dumb ideas" article got slashdotted yesterday, I
> have an in-box filled with about 250 "u r such a d0rk w3rd"
> emails - all reacting to my observation that we need to decouple
> hacking ideology from internet security if we want to make
> progress. It's not happening and I, for one, am tired of this
> fight.

It's ok to take a break and regroup. It's also ok to retire. You have
made progress. I know that I for one have copies of "Low Carb Security"
and your recent "6 dumbest ideas..." hanging on my wall. I keep them
there (and re-read them every so often) because they are successful
attempts at distilling the millions of little problems into a few simple
concepts that I can hold onto. I have learned a ton from this list and
I'm now passing on the little bit that I have learned (and will continue
to learn) to my co-workers, friends and our customers.

> I came up with a really cool mental hack the other day on this
> topic, but I haven't figured out how best to approach it. But,
> basically, it's the observation that people _HATE_ spammers
> and _HATE_ spam. Yet, people seem to _LOVE_ hackers
> and think hacking is _COOL_. How did this happen??

Hollywood, fiction, dumbass teenagers trying to carve out some sort of
identity for themselves, money... What makes clothing fashions, music,
etc popular? This is all just part of our society's poorly functioning
machinery. The fact that you get a deluge of email as a result sucks,
but don't take it personally.

> Yet, nobody
> (except me and a few of my weird buddies) seem to think
> it's a problem that "security researchers" are overlapping
> pretty seriously with rootkit/malware/trojan writers.

You know, if you hadn't pointed this out some time ago, I wouldn't have
given my nagging doubts too much thought, because I figured that these
people are professionals, they know what they are doing. Silly me.
Again however, I'm going to move a bit closer to the fence on this one,
because despite the undercurrent of money and fame in the security
industry right now, pressure is being applied that is going to force us
to find ways of creating better software.

> (*Did you wince when you read that? I did!)

Yes.. :P

--
Mason

--__--__--

Message: 7
Date: Tue, 13 Sep 2005 17:37:33 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Chris Blask <chris@blask.org>
Cc: Mason Schmitt <mason@schmitt.ca>,
"Marcus J. Ranum" <mjr@ranum.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: Re: [fw-wiz] The home user problem returns

On Tue, 13 Sep 2005, Chris Blask wrote:

>
> Hey Paul!
>
> > > The problem is that, without any sort of identity (and there is
> > > exactly 0.0000% of net traffic using anything worth calling
> > > identity), it is impossible to treat Identified traffic and Anonymous
> > > traffic differently, as they logically deserve.
> >
> >Two words: Identity Fraud.
>
> ?! (I'll never see that again without thinking of Scooby Doo -
> thanks, P Melson! ;~)
>
> Not sure where you were going with that, but my point is that I (as a
> network owner) can choose to treat Identified traffic with one (or
> more) level of trust and Un-Identified traffic with another
> (logically much lower) level of trust.

My point is that identification is *hard*- it's a boundary problem, and we
don't have a solid boundary. That means that abuse is easy- an attacker
will just come through as someone else, so everyone will be "identified,"
they just won't necessarily match their identification.

>
> I have to correct my "0.0000%" comment, as well. There is actually
> quite a lot of practical Identity being used on the net, *we* just
> have not provided much of it. Anyone who buys and sells on eBay or
> orders something online is using Identity to a level that is
> acceptable to the other party. As long as the level of fraud in
> these transactions is similar-to or lower-than the level of fraud in
> non-net transactions, then the methods they are using are correct.
>
> > > Decentralized, distributed responsibility. If I own an auth server
> > > then I am responsible for the activities of those who use it. If I
> >
> >You're willing to be responsible for your user's behavior? After they're
> >Trojaned?
>
> Sorry, incorrectly stated: I'm willing to be responsible for knowing
> who the real human is who has used my Identity service.

But you don't- you know whose credentials were used, and that's it.
That's pretty far from knowing who the user is.

> >Just like the encryption boundary problem that is the reason SSL is
> >severely broken as a concept, the use of identity can't be done in a
> >system that's not closed, and we don't have the methods, technologies or
> >wherewithal to close the software, transport and physical endpoints
> >everywhere.
>
> We use identity in the physical world in a way that allows us to
> function, with all sorts of weaknesses in that identity process
> (sure, put a picture on my credit card, no-one will look at it; my
> Mother's Maiden Name, are you serious!?!).
>
> IMHO, the reason we have no success as an industry in providing
> Identity on the net is that we search for a "DNA-Sample" level of
> verification. We don't do this in the real world but succeed in

No, I'm not advocating doing nothing if it's not perfect, I'm saying that
the proposal is lost because it has flaws that will surface more quickly
than they can be fixed. Trojans have rendered that not workable until we
tone down the Trojan problem, which is why this thread is important.

> moving trillions of dollars in assets back and forth every day. In
> my own Living With Chaos view of the world, complex problems are
> solved by dividing them into chunks until the pieces can be
> digested. If there aren't huge chunks of this problem that can be
> digested easily (look at eBay), then the beer is on me... :~)
>

The beer's on you anyway!

Paul "I can identify a beer donor a mile away" Robertson
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 8
Date: Tue, 13 Sep 2005 14:43:46 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: "R. DuFresne" <dufresne@sysinfo.com>
Cc: Brian Loe <knobdy@stjoelive.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>>> PLEASE explain to me how my P2P app is going to affect you - my ISP -
>>> or my
>>> neighbor?
>>>
>>>
>
> In a shared bandwidth scenario, the pron surfing kid and your p2p
> connections are not mutually exclusive, they both have exactly the same
> impact.

I should point out: it's true that the ISP game is an oversubscription
game. It has to be in order for the home user to pay as little as they
do. If you want a DSL or cable modem's worth of bandwidth absolutely
guaranteed to you at all hours of the day AND you want to be able to
shovel all the data you can through that pipe, then you can get it, it
just costs more - a lot more. Try pricing out a measly T1 some time.

But oversubscription problems and p2p are not what I'm talking about
here at all. Those are just network and bandwidth management issues
that I'm not attempting to bring to this list. My concern is with
people that want a wide open, unrestricted,
give-me-all-my-bad-stuff-it's-mine kind of connection and don't think
about the impact that attitude has on others sharing the same ISP, or
for that matter, those behind other ISPs.

I think I've made my point clear that ISPs need to get involved in
protecting those that are ignorant and lying fully exposed. This is a
network security/firewall sort of issue and one that I'd hoped would be
considered relevant to this list (it appears to be so far).

> On another note to this thread as a whole;
>
> besides ingress and egress filtering, how much might ISPs suffer for
> correcting some of the windows network protocol errors by not passing
> ports 135-139, 445 and 5000 etc across perimeters? Or even allowing
> them to broadcast within the ISP's realm? Certainly would work to neuter
> the M$ issues to a low noise level would it not?
>

This is exactly the kind of ingress and egress filtering I'm talking
about. We've avoided, by having these filters in place, some fairly
nasty worm epidemics that wreaked havoc at other ISPs. None of the
traffic typically associated with those ports has any business
whatsoever moving beyond the confines of the home user's local network
or any LAN for that matter.

Again, for most networks, this is absolutely the wrong way to approach
the problem, but for an ISP, those filters and anti-spoofing filters
have taken a big chunk out of the low hanging fruit.

--
Mason
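The perimeter policy Ron proposes and Mason says has worked at his ISP (stop the Windows networking ports 135-139 and 445 from crossing the perimeter or being broadcast between customers, plus anti-spoofing on ingress and egress) is modelled below as an added example; this is not code from the list or from either of them. It evaluates constructed flow records against that rule set. The customer prefix 10.20.0.0/16, the flow record layout and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (not from the list): the ISP's customer space.
CUSTOMER_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Windows file/print sharing and RPC ports named in the thread.
WINDOWS_PORTS = set(range(135, 140)) | {445}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    direction: str   # "egress", "ingress" or "internal" (customer to customer)


def is_customer(addr):
    """True when addr lies inside the ISP's customer address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CUSTOMER_NETS)


def decide(flow):
    """Apply the perimeter policy; return (verdict, reason)."""
    # Anti-spoofing: packets leaving must carry a customer source address,
    # packets arriving from the outside must not.
    if flow.direction == "egress" and not is_customer(flow.src):
        return "drop", "spoofed source address leaving the ISP"
    if flow.direction == "ingress" and is_customer(flow.src):
        return "drop", "customer source address arriving from outside"
    # Windows networking ports have no business crossing the perimeter,
    # nor being broadcast between customers inside it.
    if flow.proto in ("tcp", "udp") and flow.dport in WINDOWS_PORTS:
        return "drop", f"windows networking port {flow.dport}"
    return "accept", "permitted by policy"


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.20.5.7", "203.0.113.10", "tcp", 80, "egress"),       # web
    Flow("10.20.5.7", "203.0.113.10", "tcp", 445, "egress"),      # SMB out
    Flow("192.0.2.9", "203.0.113.10", "tcp", 80, "egress"),       # spoofed
    Flow("198.51.100.4", "10.20.5.7", "tcp", 139, "ingress"),     # NetBIOS in
    Flow("10.20.9.9", "10.20.5.7", "tcp", 80, "ingress"),         # spoofed
    Flow("10.20.5.7", "10.20.255.255", "udp", 137, "internal"),   # broadcast
    Flow("198.51.100.4", "10.20.5.7", "tcp", 25, "ingress"),      # mail
]


def run(flows=SAMPLE_FLOWS):
    """Return [(flow, verdict, reason)] for every flow."""
    return [(f, *decide(f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, reason in run():
        print(f"{verdict:6} {flow.direction:8} {flow.src:>13} -> "
              f"{flow.dst}:{flow.dport}/{flow.proto}  ({reason})")
```

Only the ordinary web and mail flows survive; everything else is dropped either for a bogus source address or for carrying a Windows networking port across (or broadcast within) the ISP's network.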

--__--__--


End of firewall-wizards Digest
