Wednesday, September 14, 2005

firewall-wizards digest, Vol 1 #1670 - 9 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: The home user problem returns (Jim Seymour)
2. RE: The home user problem returns (Jim Seymour)
3. Re: The home user problem returns (R. DuFresne)
4. Re: The home user problem returns (Jim Seymour)
5. RE: The home user problem returns (Hawkins, Michael)
6. RE: The home user problem returns (Jim Seymour)
7. Re: The home user problem returns (Mason Schmitt)
8. Re: The home user problem returns (Chris Blask)
9. RE: The home user problem returns (Tina Bird)

--__--__--

Message: 1
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Tue, 13 Sep 2005 20:27:22 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

Chris Blask <chris@blask.org> wrote:
>
> At 03:59 PM 9/12/2005, Mason Schmitt wrote:
> .d.
[snip]
>
> > > Lucy: "You can't subtract five from three!"
> >
> > > Linus: "You can if you're stupid!"
> >
> >I hadn't heard that exchange before. That's a good one :)
>
> I got a Peanuts book when I was four for Christmas with that cartoon
> in it. A few months later my dad taught me about negative numbers,
> and the fact that something so obviously impossible could turn out to
> be so completely wrong so quickly has always stuck with me. All
> sorts of sh*t is possible if you just do it...

Along those lines...

A Garfield comic, IIRC. Opie (the dog) sitting in a tree. Jon
exclaims "Dogs can't climb trees!" "It's amazing what you can do when
you don't know you can't," replies Garfield.

(Or something like that.)

Jim

--__--__--

Message: 2
To: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Tue, 13 Sep 2005 20:39:53 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

hermit921 <hermit921@yahoo.com> wrote:
>
[snip]
>
> On the good side, I have a friend who is almost totally computer
> illiterate, but has never had a virus or spyware or any other malware.
> Rule #1: never double click any attachment. If you have to open it, choose
> a program that should open that type of file and do a File -> Open.
> Blindly following these rules has kept her safe for over 10 years. So I
> know people can learn, at least by rote, regardless of understanding.
> Rule #2: never use Microsoft software. This probably helps an immense
> amount, too.
[snip]

Your friend could be my wife. WinXP (home edition) for some three
years or so. (She *insisted* on having a 'doze PeeCee.) OE was
*immediately* removed from the desktop and replaced with Pegasus. IE
was *immediately* de-fanged (turned off all the ActiveTrojan stuff),
then used to fetch Mozilla. Wife was told "Use this. Use the other
only if this doesn't work." Computer's behind a "firewall router"
(configured by yours truly, naturally). Same aggressive mail server
filtering rules as at work. I only a week or two ago finally broke
down and put AV software on it, because one of her correspondents
insisted my wife was sending her infected JPEGs. (She wasn't.) She
has had SpyBot S&D for some time, and uses it religiously.

It can be done. I've seen it with my own eyes.

Jim

--__--__--

Message: 3
Date: Tue, 13 Sep 2005 20:43:21 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: Mason Schmitt <mason@schmitt.ca>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
"Paul D. Robertson" <paul@compuwar.net>, Kevin <kkadow@gmail.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
Organization: sysinfo.com

On Tue, 13 Sep 2005, Mason Schmitt wrote:

>>> Educating users to fix the problem doesn't work. Educating users there
>>> *is* a problem seems to work, just not en masse.
>>
>> Nope. Because we're dealing with shared environments - so even if you
>> managed to somehow raise the clue level in 50% of the population it winds
>> up having almost no effect because the clueless infect the clueful
>> second-hand.
>
> I think that was Paul's point. Home users can't be educated to the
> point that the problem becomes "fixed". I don't think they need to be
> or should be, so if that's where the effort is being expended, then I
> agree - it's a waste of breath. I do think that over time education
> efforts will result in an increase in clue in the vast majority of
> people. If this weren't the case, then there would be no point to
> having a public education system... Not everyone is going to get
> straight 'A's, some people will fail, others who are living a hand to
> mouth existence, or whose country is too backward or too poor will or
> for whatever reason doesn't have education available to the masses will
> not learn - which leads nicely to your comment below concerning AIDS.
>
>> It's really a problem in epidemiology. Imagine if 50% of
>> your population refused to worry about AIDS yet was capable of having
>> sex with 1,000,000 different partners a day* - The numbers are all tipped
>> the wrong direction, for education to work. Spammers have pretty much
>> proved that.
>
> Well, no, the spammers haven't proven that. What the spammers have
> shown us is that even if they only sucker a minute percentage of the
> people that actually receive their crap, that it's financially
> worthwhile. The reason being that the economics of spam allow the
> spammers to plunder a public resource (the net) with relative impunity.
> Ecological economists such as Herman Daly, have shown that when you
> don't factor in the cost of continual withdrawal from a natural
> resource, that your books aren't really balancing. This is again an
> issue that is only going to be rectified by increasing the spammers
> costs which many people are working on.
>
> I also don't think the user education problem is an epidemiological one
> either. To suggest that ignorance to a growing and changing computer
> security environment is somehow like a rapidly spreading pathogen is a
> little bit of a stretch. If ignorance were infectious, you'd probably
> be dead or an idiot right now. I remember you ripping apart Dan Geer's
> mono culture idea that was such a big deal a little while back. Not
> trying to pick a fight here, I just don't get the argument.
>

Raise a teen or two and you learn, epidemiological/pathogen covers a lot of
issues in development and education! Ignorance *is* infectious, and one
bad apple can...two bad apples, damn, life would be grand if one was just
herding cats...

Passive education, observational learning has its limits and is tested to
the extreme in the world of parenting. It can be both intriguing and
frustrating to see how many times the same kid<s> has<ve> to grab the same
hot wire before they learn that the shock it distributes is *not*
enjoyable. My 3 pups on the other hand learned within a day that the
invisible fencing bounds the limits of their explorations.

But I digress some from the topic at hand, sorry...

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>

--__--__--

Message: 4
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Tue, 13 Sep 2005 20:50:38 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

Mason Schmitt <mason@schmitt.ca> wrote:
>
[snip]
>
> I don't think people should have to know much about computer security,
> "security apps" like anti-virus, firewalls, etc. I think that computers
> should be ubiquitous, non intrusive and largely trustworthy. The
> problem is that this is so far from current reality as to be easily
> confused with fantasy.
[snip]

As long as companies like Microsoft continue to sell a general purpose
operating system to the public, much of it poorly thought-out and/or
poorly designed and/or poorly coded, complete with applications that
are "designed" with a fine disregard for what those of us with more
sense regard as "security boundaries," representing it all as an easy,
user-friendly, maintenance-free "experience," this will not change.

Jim

--__--__--

Message: 5
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 20:51:14 -0400
From: "Hawkins, Michael" <MHawkins@TULLIB.COM>
To: "Bill Royds" <bill@royds.net>, "Brian Loe" <knobdy@stjoelive.com>
Cc: "Firewal Wizards" <firewall-wizards@honor.icsalabs.com>

Mountains grow new "features" very slowly.

Mike Hawkins

Office: 212-208-3888

Mobile: 917-887-3614

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Bill Royds
Sent: Tuesday, September 13, 2005 7:35 PM
To: 'Brian Loe'
Cc: 'Firewal Wizards'
Subject: RE: [fw-wiz] The home user problem returns

Interesting. When St. Joseph, Missouri gets levelled again by a massive
earthquake like in 1867, will you suggest that the government just ignore
everyone who chose to live there?

You are living in an area with one of the worst earthquake histories of
the U.S.

Are there not building code rules to strengthen buildings against
earthquakes?

The same should apply to Internet connections. If you connect, you need
to have a "building code" for your connections to prevent it damaging my
system when it fails.

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Brian Loe
Sent: Monday, September 12, 2005 5:47 PM
To: 'Mason Schmitt'; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns

<snip>

I think you're wrong. I don't think an ISP should baby-sit any more than I
think the government should. We are all responsible for our own actions.
That's life. It's called personal responsibility and I support it
wholeheartedly.


--__--__--

Message: 6
To: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Tue, 13 Sep 2005 20:55:18 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

"Hawkins, Michael" <MHawkins@TULLIB.COM> wrote:
>
> Look what was said some time ago:
>
> "The superior man, when resting in safety, does not forget that danger
> may come. When in a state of security he does not forget the possibility
> of ruin. When all is orderly, he does not forget that disorder may come.
> Thus his person is not endangered, and his States and all their clans
> are preserved." -- Confucius
[snip]

Holy smokes! And all these years I thought I was just being paranoid.
Instead, it turns out I was exhibiting the traits of a superior man ;).

Jim

--__--__--

Message: 7
Date: Tue, 13 Sep 2005 18:07:14 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: Tina Bird <tbird@precision-guesswork.com>
Cc: "'R. DuFresne'" <dufresne@sysinfo.com>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>>At any rate, I'm glad that you believe change due to pain is possible.
>>Just to be clear, I don't mean pain forced upon someone, I mean pain
>>that people experience as a result of their own action or inaction.
>
>
> if i force the pain upon people based on their actions or inaction, does
> that still count? cos they're mostly not volunteering for it...

They volunteer for it by not patching, downloading cursor enhancements,
etc. The subsequent infection and outlay of cash is their pain. I do
however think this is one of those things that has a fair bit of grey
haze surrounding it. I just hope I don't hear about you and a human
rights tribunal at some point... "you willingly installed banzai buddy!?
Die evil user die!" ;)

>>I do the same thing. I usually also follow up by telling my
>>mom or dad
>>why I did it and take that as an opportunity to tell them a bit about
>>what other things they may want to think about to help
>>protect themselves.
>
>
> to some extent, though, that's audience dependent. my dad is always very
> interested in what i've done and what he needs to know himself, because he's
> very curious about computers, and he likes to understand how things work. my
> mom, on the other hand, really *doesn't* want to know.

Yup. I understand. There are people that don't want to know. Those
are the ones that are not going to learn the easy way. In the case of
your mom, she may not have to learn if your dad takes the initiative and
manages the pc for her.

--
Mason

--__--__--

Message: 8
Date: Tue, 13 Sep 2005 21:39:56 -0400
To: "Paul D. Robertson" <paul@compuwar.net>
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] The home user problem returns
Cc: Mason Schmitt <mason@schmitt.ca>,
"Marcus J. Ranum" <mjr@ranum.com>,
<firewall-wizards@honor.icsalabs.com>


At 05:37 PM 9/13/2005, Paul D. Robertson wrote:
>On Tue, 13 Sep 2005, Chris Blask wrote:
>
> > Hey <again> Paul!
>
>My point is that identification is *hard*- it's a boundary problem, and we
>don't have a solid boundary. That means that abuse is easy- an attacker
>will just come through as someone else, so everyone will be "identified,"
>they just won't necessarily match their identification.

Parts of Identity need not be so hard to manage. I have not heard of
eBay having a huge problem with people stealing other users'
Identity, for example.

"Something you have, something you know." The "have" is the
computer, which you are correct to say can be compromised. The
"know" need not be so easily compromised.

> > Sorry, incorrectly stated: I'm willing to be responsible for knowing
> > who the real human is who has used my Identity service.
>
>But you don't- you know whose credentials were used, and that's it.
>That's pretty far from knowing who the user is.

If someone stores their "know" on the "have" (their computer) then
they have left their keys in the car. Insurance companies already
know how to deal with that - "sorry about the stolen car but it's
your fault therefore you are legally responsible for the loss. Have
a Nice Day."

To follow the analogy, we are the auto industry and we have yet to
tell people how to keep their keys and cars separate (or make it
reasonably possible to do), so it's hard to blame people when their
car is used in a drive-by...

.d.
>No, I'm not advocating doing nothing if it's not perfect, I'm saying that
>the proposal is lost because it has flaws that will surface more quickly
>than they can be fixed. Trojans have rendered that not workable until we
>tone down the Trojan problem, which is why this thread is important.

No doubt there are intertwined problems, here: not only are the cars
and keys kept together, but we've provided houses with no locks so
Folks can't even put their keys in the kitchen and be safe... Time
and experience (and sh*tloads of sweat) will let us fix the things we
need to fix so we can fix the things we want to fix...

I'm locked in Lifelong Reno Hell at home, for example: I put a floor
in one building this year but I needed to level it first, which in
turn required replacing supporting beams, which you can't get to
without ripping off a porch, in the process of which you drop a
backhoe in the septic. :). But there's a new floor there now,
wheelchair access where the porch was and I needed to replace that
bloody septic, anyway...

But if you take too long thinking about it the building just collapses....

.d.
> > If there aren't huge chunks of this problem that can be
> > digested easily (look at eBay), then the beer is on me... :~)
> >
>
>The beer's on you anyway!
>
>Paul "I can identify a beer donor a mile away" Robertson

Didn't that "Sucker" tattoo on my forehead wear off by now...?

-chris "walked into another one" blask

Make things as simple as possible but no simpler.

- Albert Einstein

Chris Blask
chris@blask.org
http://blaskworks.blogspot.com

+1 416 358 9885

--__--__--

Message: 9
From: "Tina Bird" <tbird@precision-guesswork.com>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 18:51:53 -0700

boy, i can't remember the last time i've been this involved with a fw-wiz
thread. i've been thinking about this stuff ever since blaster...

jim's made a completely brilliant point:

> Some things that've no doubt helped: Relatively small
> company--only 150
> or so desktops.

the reason i keep at this is that i *know* i can make things better on the
network that i run. and so can jim, and paul, and marcus.

if we cut down the size of the target audience enough, it's manageable, and
we can make a difference.

we might not fix the entire problem - hell, i don't know how to define the
*entire* problem. but we'll make our little corners better. and all those
corners being better does help.

to abuse the medical analogy a little further: no one goes into medicine
because they think they can cure *all* the sick people - or at least, that
notion gets drummed out of them pretty early on. but not being able to do a
complete job does NOT make doing the job altogether worthless.

bring on the formaldehyde!

--__--__--

End of firewall-wizards Digest