
Tuesday, September 13, 2005

firewall-wizards digest, Vol 1 #1668 - 8 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: The home user problem returns (Mason Schmitt)
2. RE: The home user problem returns (Marcus J. Ranum)
3. RE: The home user problem returns (Paul D. Robertson)
4. RE: The home user problem returns (Bill Royds)
5. RE: The home user problem returns (Marcus J. Ranum)
6. RE: The home user problem returns (Paul Melson)
7. RE: The home user problem returns (Paul Melson)
8. Re: The home user problem returns (Mason Schmitt)

--__--__--

Message: 1
Date: Tue, 13 Sep 2005 16:05:44 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: "Behm, Jeffrey L." <BehmJL@bvsg.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

Behm, Jeffrey L. wrote:
>> Exactly. You may have never seen, used or owned a gun in your life, but
>> you are probably able to go buy one. Once you do buy one, how it is handled
>> and what you do with it is YOUR responsibility. The training is widely
>> available to you, it is YOUR responsibility to get that training. YOU are
>> accountable for what YOU do with that gun.
>>
>> Same as your computer.
>
> Correct. *You* are responsible for what *You* do with the gun(computer).
> That shouldn't be extrapolated into what *others* do with your
> gun(computer) without your consent.
>
> Are you held responsible for robbery if someone steals your gun and then
> commits a robbery with it, just because you left it lying on your desk
> inside your house? What about a BOT running on your computer
> participating in a DDoS (or as a keylogger gathering your personal
> information)? It's a gray area when it's not *you* explicitly doing
> something.
>

Yes! Again, bang on. This is not an issue with the user's actions on
the computer (well, it is, but not directly) it's what happens when that
computer gets 0wn3d that's the real problem. You'd be surprised how
often this happens! (he says sarcastically)

--
Mason

--__--__--

Message: 2
Date: Tue, 13 Sep 2005 19:21:11 -0400
To: "Scott Pinzon" <Scott.Pinzon@watchguard.com>,
"Paul D. Robertson" <paul@compuwar.net>,
"Chris Blask" <chris@blask.org>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: RE: [fw-wiz] The home user problem returns
Cc: "Mason Schmitt" <mason@schmitt.ca>,
<firewall-wizards@honor.icsalabs.com>

Scott Pinzon wrote:
>Marcus [...] I can't help feeling, in my
>pipsqueak opinion, that on this one you're way off base.

For years and years I have been longing for someone to come along
and convince me that I'm wrong. I'd love to be wrong about this stuff,
because it'd mean the world was a whole lot better place than I think
it is. So - bring it:

>-- Ignorance is never better than knowledge in any realm. But particular
>to network security, my experience is that most clueless users are also
>people of good will who will cease dangerous behaviors once they
>understand those behaviors ARE dangerous.

I think you must be a smart person. Smart people tend to value knowledge
because, well, it's something that happens to you as you're smart. It's
your coinage, if you will. It's always a shock when you realize that
most people don't. (*)

>-- Educating users is another layer in "Defense in depth." If 10 out of
>100 users click evil email attachments, and through education you reduce
>that to 3 out of 100, you've improved that layer.

You've improved it, but does it matter? That's my question.

1 idiot clicking attachments can infect 10,000 other idiots a day
if you reduce the idiot count from 10%, as you say, to 3% in an
organization of 1000 people, you've dropped from 100 idiots who
click attachments to 30. And those 30 will still send 300,000
emails a day and your mail server will still detonate. And, since
one of those idiots is probably your CTO, all of your execs in
h* management chain will probably get infected, too....

>-- Educating users has been proven to work at company after company.
>Help desk calls, viral infections, falling victim to phishing emails,
>and more, have been quantitatively and demonstrably reduced at companies
>that institute end-user security training.

The problem with such measures is that you can't really tell
how much of that is a result of the training and how much is a
result of normal "aversive experience." For example, my mom
has never had any computer security training but after the first
time her machine got wiped by her IT guy (that's me) now
she's a lot more careful about spyware.

>-- And how do you know "it" (educating end users) is not working? We
>have no before/after comparison on what the Internet would be like if
>all of us who preach security had stopped five years ago.

You can ask the exact same question in reverse, though, right?
"If it was working, how come we still have Internet security problems?"
Surely everyone has heard of them, by now. Surely everyone in the
US has heard of Identity Theft by now, etc.

This is one of those nasty intractables because you can't really
get a grip on the effectiveness of solutions because there's no
control group - we're working with entire populations.

I like to think of this problem as being similar to patching a leaky
roof. Well, you OBVIOUSLY are getting less water in the holes
that you've patched but it's hard to reason accurately about
whether you're much better off anyhow. In fact, patching your
roof may distract you from replacing your roof entirely. That's
how I conceptualize it, anyhow. I know it's an analogy and I hate
them but that's how that problem fits in Marcus-land.

>Maybe I'm misunderstanding you, but my take-away from your blog article
>is that you are so discouraged by end-user ignorance, you think we
>should all stop wasting our breath on them.

Would you like to ghost-write for me? That's a GREAT way of putting it.

>Your recommendation is that
>we set up an environment through quarantining and what-not where users
>have no opportunity to hurt themselves.

Sort of, yeah. I think I'd say that it's probably more cost-effective to
simply keep users from hurting themselves than to teach them how
not to hurt themselves.

I.e: "Sit the F down. Shut the F up. Don't ask any questions.
This is your browser. It's called 'Zen4' and it only knows how to render
GIF, PNG, JPEG, CSS, and HTML. If you go to a website and it doesn't
display properly, you went to a bad website. This is your Email client.
It uses Zen4 to render anything you get. Anything it can't render, you
won't see because the spam blocker will have already junked it for you.
Have fun and thanks for working for Marcus-Land, where the user
comes last and the customer comes first!"

> In rebuttal, I cite the crusty
>old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
>(through technology) create an environment where clueless users can't
>hurt themselves.

My, that's a depressing thought. :(

>To keep a network secure, we need users on our side. We
>can get them there if we try.

My, that's an even more depressing thought. As an ex-sysadmin, I can
assure you that I've spent many years filled with the awareness that my
users are not only stupid, they're actively out to get me any chance they
can. They are not on my side. Even when they pretend to be on my side,
I know that the cookies they leave on my desk are loaded with rat-poison
so I'll die _after_ I restore the file they deleted but not a minute before.
And they all want root.

>Am I really the only one on this list who thinks so? Or Marcus, did I
>misinterpret you?

You didn't misinterpret me.

Sounds like you're another one of those "optimist" things I keep
hearing about. Maybe we should preserve you in a big jar of
formaldehyde so that all the firewall-wizards can point you out
to the newly-minted CISSPs, "Look... This is a computer security
optimist that we found. We think he somehow survived the big
asteroid strike... There are rumors there may be others, still living
in the deep jungles..."

mjr.
---
(* I read some scary stats in this month's LensWork that I found hard
to believe but ..
1/3 of high school students never read another book in their lives
42% of college graduates never read another book after college
80% of US families did not buy or read a book last year
70% of US adults have not been in a bookstore in the last 5 years
57% of new books bought are never read to completion

Claimed source: Harold Jenkins www.jenkinsgroup.com)

--__--__--

Message: 3
Date: Tue, 13 Sep 2005 19:23:41 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Scott Pinzon <Scott.Pinzon@watchguard.com>
Cc: Chris Blask <chris@blask.org>, Mason Schmitt <mason@schmitt.ca>,
"Marcus J. Ranum" <mjr@ranum.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns

On Tue, 13 Sep 2005, Scott Pinzon wrote:

> I've been watching with a certain morbid fascination as Marcus has
> ranted in his own blog and in FW-WIZ (and who knows where else) that
> educating users about security is one of the "dumbest ideas" and "if it
> was ever going to work, it would have by now." I have tremendous respect
> for you, Marcus (especially since you have, I dunno, six times the years
> in computer security that I do). But I can't help feeling, in my
> pipsqueak opinion, that on this one you're way off base.

Well, statistics would probably bear him out. Anna Kournikova was big
enough and fast enough that it *should* have been all the wake-up call we
needed. I remember talking to someone who recounted an end-user
experience-

Admin: "Why did you click on the virus, didn't you see all the press coverage?"
User: "Yes, I wanted to see what it would do!"

> -- Ignorance is never better than knowledge in any realm. But particular

My experiences don't run that way- there's lots of stuff I'm perfectly
happy not knowing a thing about. Ignorance is bliss.

> to network security, my experience is that most clueless users are also
> people of good will who will cease dangerous behaviors once they
> understand those behaviors ARE dangerous.

For about a week- maybe two. Look at the password-for-pens studies and
the password training retention studies. While lots of users *do* want
to do the right thing, you're ignoring the silent majority who just don't
care.

> -- Educating users is another layer in "Defense in depth." If 10 out of
> 100 users click evil email attachments, and through education you reduce
> that to 3 out of 100, you've improved that layer.

This is important for click-to-run stuff, where most people don't
understand the level of not clicking that will make a piece of malware not
global. We need (last time I saw numbers I almost agreed with) about a
35% non-click improvement to have a good gain.

> -- Educating users has been proven to work at company after company.
> Help desk calls, viral infections, falling victim to phishing emails,
> and more, have been quantitatively and demonstrably reduced at companies
> that institute end-user security training.

For how long? Got any long-term citations?

>
> -- And how do you know "it" (educating end users) is not working? We
> have no before/after comparison on what the Internet would be like if
> all of us who preach security had stopped five years ago.
>

Because they're still getting infected with click-to-run malware.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 4
From: "Bill Royds" <bill@royds.net>
To: "'Brian Loe'" <knobdy@stjoelive.com>
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 19:34:42 -0400

Interesting. When St. Joseph, Missouri gets levelled again by a massive
earthquake like in 1867, will you suggest that the government just ignore
everyone who chose to live there?

You are living in an area with one of the worst earthquake histories of the U.S.

Are there not building code rules to strengthen buildings against earthquakes?

The same should apply to Internet connections. If you connect, you need to have
a "building code" for your connections to prevent it damaging my system when it
fails.

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Brian Loe
Sent: Monday, September 12, 2005 5:47 PM
To: 'Mason Schmitt'; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns

<snip>

I think you're wrong. I don't think an ISP should baby-sit anymore than I
think the government should. We are all responsible for our own actions.
That's life. Its called personal responsibility and I support it
wholeheartedly.

--__--__--

Message: 5
Date: Mon, 12 Sep 2005 12:24:42 -0400
To: "Paul Melson" <pmelson@gmail.com>,
"'Mason Schmitt'" <mason@schmitt.ca>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: RE: [fw-wiz] The home user problem returns
Cc: <firewall-wizards@honor.icsalabs.com>

Paul Melson wrote:
>I fear that you and Marcus have mistaken privacy for anonymity.

No, no, no.... Privacy, anonymity, and digital rights management
are all inextricably intertwined parts of the same problem, but they
don't necessarily equate or conflict.

("DRM?" you ask...
As Dan Geer likes to point out, privacy technologies ideally let the
owner of a piece of information control its disclosure, copying, duration
of disclosure, and frequency/count of disclosure. That's also the
laundry list for an ideal digital rights management system.)

mjr.

--__--__--

Message: 6
From: "Paul Melson" <pmelson@gmail.com>
To: "'Marcus J. Ranum'" <mjr@ranum.com>,
"'Mason Schmitt'" <mason@schmitt.ca>
Cc: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Mon, 12 Sep 2005 13:22:26 -0400

-----Original Message-----
Subject: RE: [fw-wiz] The home user problem returns

> No, no, no.... Privacy, anonymity, and digital rights management are all
> inextricably intertwined parts of the same problem, but they don't
> necessarily equate or conflict.

I guess I object to my privacy being rebadged as 'anonymity' and therefore a
problem. I'm not anonymous, and neither is anybody else on the Internet,
despite some claims to the contrary (remember, they raided anon.penet.fi).
I'm just unknown to you because your vantage point is incomplete.

> ("DRM?" you ask...
> As Dan Geer likes to point out, privacy technologies ideally let the owner
> of a piece of information control its disclosure, copying, duration of
> disclosure, and frequency/count of disclosure. That's also the laundry
> list for an ideal digital rights management system.)

Unfortunately, that ship has sailed. American consumerism trumped American
liberty and privacy in that arena years ago. We'll be lucky to have the
ability to find out what personal information of ours is being stored and
traded by the organizations that have it, let alone have the power to take
it away from them. Sadly, I am confident that if it does happen, it will be
as a reaction to a major info-disaster that has serious negative fall-out
for a large portion of American citizens.

PaulM

--__--__--

Message: 7
From: "Paul Melson" <pmelson@gmail.com>
To: "'Mason Schmitt'" <mason@schmitt.ca>,
"'Marcus J. Ranum'" <mjr@ranum.com>
Cc: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Mon, 12 Sep 2005 13:22:26 -0400

-----Original Message-----
Subject: Re: [fw-wiz] The home user problem returns

> > With the current state of Internet software, it's pointless. It'd be
> > meaningful to encourage ISPs to filter traffic if there were
> > end-to-end authenticated links going on, and nothing else. If you want
> > to push things back far enough, intellectually, the problem is that
> > anonymous Internet access is being offered. That's the underlying
> > problem.
>
> YES!!! And the fact that there are groups that are working hard at
> maintaining that anonymity bothers me. I know that there's always the
> concern about Big Brother, or worse and far more plausible, abuse of any
> large scale trust/authentication systems that get set up in the future.

?! <Paul makes Scooby Doo noise> ?!

I fear that you and Marcus have mistaken privacy for anonymity. Just
because something isn't transparent end-to-end, doesn't mean it's anonymous.
The disparate bureaucratic systems that possess the information necessary to
track an action back to an individual over the Internet are representative
of the way we decentralize control of commodities and assets in general. I
don't know that that's a bad thing.*

Also, I find it a little presumptuous that you should be trusted to know my
information because I somehow show up on your radar. I think it should be
up to me as to whether or not I'm willing to trade my information for access
to something you have in the name of accountability. I want to decide when
I'm willing to make that trade.

Imagine the fallout if anybody had everybody's information available just by
asking the right questions. Look at how directories like whois databases
have been abused by spammers and hackers over the past 15 years. I doubt
that ubiquitous "accountability" on the Internet is a path to improved
security at all, but I definitely have concerns about how it would be abused
and exploited.

PaulM

* There is a whole different rant about the assumption of the need for
unfettered connectivity between organizations (even ISPs) and the rest of
the Internet that is underlying to this discussion. It has been my
experience that networks are often attacked from other networks that they
had literally no business communicating with.

The connection back to what I said above is that if you can define and
document the traffic that traverses a network, you can establish
accountability in a much more effective manner. You don't even necessarily
need to establish the identity of an individual if you can establish
responsibility for that traffic before it's even allowed.

Imagine with me for a moment a magical land of unicorns and faeries where
businesses and their network admins are so effectively cooperative that
simple router ACLs are reflective of business communication and nothing
else. Imagine some businesses turning off their Internet connection
altogether. Now imagine shrinking the scope of all of your network security
efforts down to that scale, that traffic, and those applications that are
core to business processes only. Now imagine half of us infosec vendors and
proselytizers being out of a job and having to find work herding trolls.

Seriously, I would gladly herd trolls if it meant never having to hear about
how my bank got hacked by Russian teenagers.

--__--__--

Message: 8
Date: Mon, 12 Sep 2005 10:49:47 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: Paul Melson <pmelson@gmail.com>
Cc: "'Marcus J. Ranum'" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

> You know what I find highly ironic in all of this -- and I don't mean to
> pick on you or your ISP -- is that there is a single symptom, a common
> thread that ties together all of these problems you're attempting to combat.
> And that common thread is required or at least preferred by all of the major
> ISPs, and that is Windows desktops. In other words, ISPs everywhere are
> complicit in their own security and performance headaches.
>

The irony is not lost on me at all. In my department, we pick on our
level 1 tech support guys all the time. One of our digs is that if we
could just get all our customers to buy Macs, they would be out of a job.

In terms of ISPs preferring windows, that's really related to ease of
support. If you have a single dominant platform and a very limited
number of applications on that platform that you have to support, then
you're miles ahead of a heterogeneous network. With support being one
of the larger costs of running an ISP, every little bit helps.

> The bitter pill for the clueful is that those people that run a firewall
> appliance or build their own Linux/BSD firewall for their home network
> typically get no support from their ISP. (If you have Comcast cable like I
> do, you can't even register your cable modem without a Windows box. That
> was an unpleasant surprise when I moved recently.)
>

I've heard that happens at some of the larger ISPs. That again relates
to the sorry state of tech support at most ISPs.

> It is not lost on me that this is all due to market forces beyond the
> control of even the largest ISPs. But I think we can all agree that this is
> and will continue to be the primary trade-off that those charged (saddled
> with?) network security must live with, at least in the short-term.

I fully agree. If customers are to run windows, I wish that we could at
least get them to run XP SP2. We still have a large percentage of our
customer base running 9x, Me, 2000. Aside from that, the issue is of
course, that these are not security people. Which to a certain degree
makes choice of platform less of an issue. I know that the last thing I
want to see is Linux/BSD in the hands of Joe Noob. Which takes me right
back to the point I made in an earlier email about home users needing to
be protected. These people are unlikely to want to learn about computer
security because it doesn't interest them. I also don't think they
should have to. What they really need is a tool that allows them to do
what they want to do, while simultaneously providing a base level of
security that is managed by the provider of that system.

I realize I may be sounding a bit hypocritical at this point. So, I'll
try to clarify.

I don't think people should have to know much about computer security,
"security apps" like anti-virus, firewalls, etc. I think that computers
should be ubiquitous, non intrusive and largely trustworthy. The
problem is that this is so far from current reality as to be easily
confused with fantasy. So, in our current environment, the home user
has to be involved, simply due to the fact that the tool they are using
has so many wheels and cogs exposed and those wheels and cogs need
constant attention. That's why the prevailing wisdom seems to be that
computers need sys admins if they are to be maintained properly.

> At the same time, I don't want special treatment from my ISP (I mean, I
> *do*, but I don't want it institutionalized). I don't want the "secure
> people here, insecure people there" mentality from what is essentially a
> utility. Nothing personal, but the likelihood that an ISP will properly be
> able to correctly and continually analyze the security stance of anyone's
> home network is slim enough that I'd prefer not to pay more per month for
> them to try (and probably fail). I can barely do it myself, and I am one of
> 2 users (that I know of) and I built it.
>

This is where Marcus's comment about reducing the noise to a manageable
level applies. As well, the idea that multiple levels of low to
moderate defences can add up to a fairly decent defence. You're right,
looking at home networks from the outside in a largely automated fashion
is not going to be 100% effective in controlling security problems - not
even close. However, if ISPs implement a number of different defences
they may actually be able to gain some ground without negatively
impacting the vast majority of their customers. An ISP can never hope
to provide as robust a defence as a more controlled environment such as
a business network, that's not the ISP's job. However, I think it is
realistic to expect that an ISP can fall within the 80/20 rule, where
they are able to block 80% of the badness.

I have a plan that I'm working through right now that I can share if
anyone is interested. BTW, does anyone feel I'm going off topic with
this stuff? Paul keeps letting them through, so maybe that means
something...

--
Mason

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
