
Wednesday, September 14, 2005

firewall-wizards digest, Vol 1 #1671 - 9 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: The home user problem returns (Mason Schmitt)
2. RE: The home user problem returns (R. DuFresne)
3. Mitigating MS risks [Was: home users] (Tina Bird)
4. Re: The home user problem returns (George Capehart)
5. RE: The home user problem returns (Bill Royds)
6. Re: The home user problem returns (David Lang)
7. RE: The home user problem returns (David Lang)
8. Re: The home user problem returns (mason@schmitt.ca)
9. Re: The home user problem returns (mason@schmitt.ca)

--__--__--

Message: 1
Date: Tue, 13 Sep 2005 18:58:27 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: "Paul D. Robertson" <paul@compuwar.net>,
Kevin <kkadow@gmail.com>, firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

>>I also don't think the user education problem is an epidemiological one
>>either. To suggest that ignorance to a growing and changing computer
>>security environment is somehow like a rapidly spreading pathogen is a
>>little bit of a stretch.
>
> I'm sorry, I really screwed up my explanation. Can I have another throw?

You may :)

> Don't look at the problem from a "successfulness of prevention" standpoint,
> look at it from a "propagation of failure" standpoint. With something like AIDS,
> if you can make a significant percentage of the population aware of the problem,
> you've made it possible for the "aware people" to enclave, meet, and breed, and
> isolate the "unaware people" or those who have decided to argue in favor of
> natural selection by taking risks anyhow. So, in an area where you can educate
> 50% of the population about something like AIDS you've got a fair chance that
> the 50% you educated will survive.
>
> Now, look at Internet security. If I educate 50% of the population about the
> need to worry about security, I still lose - horribly - because the other 50% of
> my population fails and their machines are used to attack the educated 50%!!

Up to this point, I think that the basic education I'm suggesting works
well in the home user's favour. If the newly educated home user is now
chanting our mantra, they are going to have a reasonable level of
protection from most of the automated attacks which is a big win.

> That wouldn't be a problem except for transitive trust(*)

I was only introduced to transitive trust when you started up a thread a
while back concerning the CardSystems problem, so I'm obviously new to
the details of the problem. So, a quick question if I may. Do spoofing
attacks such as phishing fall under transitive trust? I'm fairly
confident that pharming does.

> - a big chunk, I have
> no idea how big, of the educated 50% would find themselves vulnerable to
> attacks from trusted parties and would be vulnerable, and then you'd very
> quickly be left with the only survivors being those who didn't trust anyone.

If I'm reading this right (and I doubt I am, because I can't imagine you
saying such a thing), you're suggesting that our newly minted
residential security guru is going to have some sort of trust
relationship with other home users on the net or even the same ISP?
There is no trust relationship.

The trusted parties that I can see actually being exploited themselves
and thus being involved in attacking our home user (via the pre-existing
trust relationship) are going to be the user's ISP's DNS servers and
maybe mail servers, windows update site, anti-virus update site, maybe
some others like that. Or if they are attached to work via a VPN -
problems at work.

Now, stepping outside of actual network attacks, you start to get into
identity theft through the home user's interaction with e-commerce
sites, their bank, their government... yada yada yada.

Is this the scope of the transitive trust issue? If it is, then I'd say
that we made some great headway by getting home users to do a modicum of
host hardening on their home pc, this will deal reasonably well with
automated attacks and even some social engineering ones such as Anna K.

If I'm missing something please help educate me.

> Another factor is that the environment would become poisoned after a certain
> point. I am on a satellite internet hookup (pity me!) and when there's a new
> worm out there doing a lot of scanning I can pretty much rest assured that
> I will have no internet access for 2 or 3 days.
> I call this "adaptive packet
> clogging intrusion prevention" -- it's effective but annoying. Wait 'till Gartner
> hears about it.

ROFL!!

>
> So, that's a lot of why I am so hard on the topic of user education. Unlike
> other problem areas where education is effective, user education in
> computer security is of questionable value because the propagation
> effect of one user making a mistake can overwhelm the results of your
> educational programme instantly. We've ALL heard the stories of the
> dweeboid executive who brings his laptop into the corporate WAN and
> plugs it in and releases something awful behind the firewall, right? Well,
> in 1/4 second, the entire educational programme at that organization
> was utterly mooted. When you're fighting AIDS or illiteracy, local
> failures do not propagate into massive system-wide failures.
>
> Please - don't get me wrong: education is great. But if corporations want
> to improve their security, it's not a particularly effective investment

Right, but the rogue laptop user connecting to the soft underbelly of a
corporate network is very different than our single home user scenario.
Very different. Perhaps you are correct that user education in
corporations is a lost cause, but I still don't think I have sufficient
reason to doubt that home users are a lost cause. They're the ones that
we're so worried about, aren't they? Isn't that what we've been talking
about, or have we moved on to user education in general rather than in a
specific context?

> [Below I will use the term "Mechanism" here to abstractly mean
> "technological enforcement system" - firewalls, AV, attachment stripping,
> IPS, APCIP, whatever. Loosely, you can think of it as "something that protects
> the user whether they want it to or not"]
>
> I guess there's a matrix we'd want to explore:
> #1 - No Security Mechanism, No Security Education
> #2 - No Security Mechanism, Security Education for users
> #3 - Security Mechanisms in place, No Security Education
> #4 - Security Mechanisms in place, Security Education for users
>
> I predict that of those 4, the security differences between #3 and #4 would be
> minor.
> I further predict that the difference between #1 and #2 would be minor.
> I would also predict that the largest difference would be between #4 and #1.
> Put more simply: my guess is that the measurable impact of education
> versus mechanism is minor. Add some cost factors in and you could
> make a WAG at an ROI for security education. Then you'd take your
> education programme out and shoot it.
>

Very good argument. Again, in the context of an enterprise environment,
I agree. Actually, I take that back. In the home user context I fully
agree too. If a home user is completely clueless but has the basic
protections in place, then they are effectively at #4 on your matrix.
That's where most of the "Security Education" needs to be with home
users. That's why I keep bringing up the "mantra". If we can just get
that far, then we've made a huge win.

--
Mason

--__--__--

Message: 2
Date: Tue, 13 Sep 2005 22:01:05 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: "Hawkins, Michael" <MHawkins@TULLIB.COM>
Cc: Bill Royds <bill@royds.net>, Brian Loe <knobdy@stjoelive.com>,
Firewal Wizards <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Organization: sysinfo.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 13 Sep 2005, Hawkins, Michael wrote:

> Mountains grow new "features" very slowly.
>

unless you happen to be in Oregon:

http://www.cnn.com/2005/TECH/science/09/13/oregon.bulge.reut/index.html

Thanks,

Ron DuFresne--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDJ4Rkst+vzJSwZikRAux2AKCYDWRi8iwYR1hYk2c2qH4aQC2afwCeLvha
KN1vGuTTwHw5JTvUxQq/Qi8=
=au8W
-----END PGP SIGNATURE-----

--__--__--

Message: 3
From: "Tina Bird" <tbird@precision-guesswork.com>
To: <firewall-wizards@honor.icsalabs.com>
Date: Tue, 13 Sep 2005 19:03:01 -0700
Subject: [fw-wiz] Mitigating MS risks [Was: home users]

> It can be done. I've seen it with my own eyes.

it may have gotten lost in the flurry of messages, but i'll post it again:

another thing i should add to that short list. if you're a home user and you
don't use MS networking for file or printer sharing -- which i'd still like
to think is the case in most places -- you can disable the windoze "client
for MS networks" and completely avoid an awful lot of the mindless ravening
crap on the net.

even during the height of blaster and sasser, just turning off the client --
without using ANY firewall, and with a public routable IP address -- makes
it safe to hit windows update. i did it several times, just to prove to
myself that it worked, during the blaster rampage.

this has become yet another of my favorite things to do.

--__--__--

Message: 4
Date: Tue, 13 Sep 2005 22:11:15 -0400
From: George Capehart <capegeo@opengroup.org>
To: Chris Blask <chris@blask.org>
Cc: Mason Schmitt <mason@schmitt.ca>,
"Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

Chris Blask wrote:

<snip>

> violently and tear off their arms, for that matter. They are
> effectively Australopithecines and we need to bring them up to at least
> Victorian standards so they don't beat the computer with a stick to kill
> the demons inside.

Maybe so for the Brits, but I'm afraid that here in the US, we haven't
quite gotten that far . . . See

http://www.logoschristian.org/exorcism.html

for the preferred methodology. :>

Cheers,

/g

P.S. That was a /*great*/ quote, though . . . worthy of a .sig

--__--__--

Message: 5
From: "Bill Royds" <bill@royds.net>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 23:11:21 -0400

One of the main problems with MS Operating Systems is that one must run as root
(administrator) to make it useful since a local user can't even use things like
USB ports since they require admin privileges to connect. Supposedly Microsoft
Vista will run as local user by default, but 90% or more of Windows home users
now run with admin privileges.
Anyone who has ever administered a Unix shop would shiver if all users were
running as root by default. Yet that is what most home users are doing.
Funny enough, Mac OSX does not run as root by default yet people can install
software.
If Microsoft simply added a patch to XP SP2 to force a password dialogue when
something was installed or registry changed, we would reduce the virus threat
considerably.

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Jim Seymour
Sent: Tuesday, September 13, 2005 8:51 PM
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

Mason Schmitt <mason@schmitt.ca> wrote:
>
[snip]
>
> I don't think people should have to know much about computer security,
> "security apps" like anti-virus, firewalls, etc. I think that computers
> should be ubiquitous, non intrusive and largely trustworthy. The
> problem is that this is so far from current reality as to be easily
> confused with fantasy.
[snip]

As long as companies like Microsoft continue to sell a general purpose
operating system to the public, much of it poorly thought-out and/or
poorly designed and/or poorly coded, complete with applications that
are "designed" with a fine disregard for what those of us with more
sense regard as "security boundaries," representing it all as an easy,
user-friendly, maintenance-free "experience," this will not change.

Jim

--__--__--

Message: 6
From: David Lang <david.lang@digitalinsight.com>
To: Mason Schmitt <mason@schmitt.ca>
Cc: "R. DuFresne" <dufresne@sysinfo.com>,
Brian Loe <knobdy@stjoelive.com>, firewall-wizards@honor.icsalabs.com
Date: Tue, 13 Sep 2005 20:40:43 -0700 (PDT)
Subject: Re: [fw-wiz] The home user problem returns

On Tue, 13 Sep 2005, Mason Schmitt wrote:

>> beside ingress and egress filtering, how much might ISP's suffer for
>> correcting some of the windows network protocol errors by not passing
>> ports 135-139, 445 and 5000 etc across perimeters? Or even allowing
>> them to broadcast within the ISP's realm? Certainly would work to neuter
>> the M$ issues to a low noise level would it not?
>>
>
> This is exactly the kind of ingress and egress filtering I'm talking
> about. We've avoided, by having these filters in place, some fairly
> nasty worm epidemics that wreaked havoc at other ISPs. None of the
> traffic typically associated with those ports has any business
> whatsoever moving beyond the confines of the home user's local network
> or any LAN for that matter.
>
> Again, for most networks, this is absolutely the wrong way to approach
> the problem, but for an ISP, those filters and anti spoofing filters
> have taken a big chunk out of the low hanging fruit.

there is a fundamental problem with the idea that the ISP should be
responsible for protecting the end-user. namely real protection would mean
that they only allow specific 'known good' things to work, but if you
limit ALL users to just those existing known-good things you will block
development of new things (both good and bad).

having filtering like this as an option (even as a default option) is a
good thing, but deciding that it should be the ONLY option and that I
shouldn't be able to get an unfiltered connection if I want one is
something VERY different.

an unfiltered connection should cost less than a filtered one from a
technical point of view, but I can see that this would just encourage
everyone to get the unfiltered connection so I'm willing to pay the same
rate as those who get filtered, what I'm not willing to do is have a
$29/month cablemodem connection turn into a $89/month connection just
because I don't want the filtering and therefore have to buy a 'business'
version of the same service.

David Lang

--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare

--__--__--

Message: 7
Date: Tue, 13 Sep 2005 21:03:48 -0700 (PDT)
From: David Lang <dlang@digitalinsight.com>
To: "Paul D. Robertson" <paul@compuwar.net>
Cc: Scott Pinzon <Scott.Pinzon@watchguard.com>,
Chris Blask <chris@blask.org>, Mason Schmitt <mason@schmitt.ca>,
"Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns

On Tue, 13 Sep 2005, Paul D. Robertson wrote:
>
> For about a week- maybe two. Look at the password-for-pens studies and
> the password training retention studies. While lots of users *do* want
> to do the right thing, you're ignoring the silent majority who just don't
> care.

one problem that this shows is that people are not held accountable for
the stupid things that they do. (this also applies to the user who clicked
the attachment to 'see what it would do'). so we feel the pain, but they
just get a break from work while the IT guy messes with their machine (and
probably for a while afterwards because they can blame the IT guy
re-imaging the machine for all sorts of things for a week or so).

we need to change this from the win-win for the bad user to a lose-lose.
As Tina said, being able to reward the good users with net access while
denying it to others is a much better approach.

David Lang

--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare

--__--__--

Message: 8
Date: Tue, 13 Sep 2005 23:28:12 -0700 (PDT)
Subject: Re: [fw-wiz] The home user problem returns
From: mason@schmitt.ca
To: "Chris Blask" <chris@blask.org>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
"Paul D. Robertson" <paul@compuwar.net>, "Kevin " <kkadow@gmail.com>,
firewall-wizards@honor.icsalabs.com

> Where this is pertinent to the thread is that the epidemiology aspect
> of network reality at present is part of the "education"
> process. "Evolution" may be a better term since some of the sick
> won't survive to benefit from the lesson they play out, but the
> survivors and medical community learn a practical lesson.

> o Education certainly isn't *the* fix to The Problem, it's just a
> thread in the Gortex. Anyone relying too heavily on that one thread
> will look silly trying to plug the bullet hole with training slides.
>
> o Edu is not any one thing: it's a conglomeration of learning
> cycles, only some of which we here can directly impact.
>
> o When in the course of daily activities we have the opportunity to
> directly impact the education Folks get, *how* we use that
> opportunity will greatly influence the effectiveness of our efforts.
>
> o IMHO Folks need a healthy combination of Good Cop/Bad Cop (or
> "reassure" and "startle") from Us to effectively deliver what
> education we can. Which is why I would never imply that Marcus or
> anyone else leaven their delivery, even though I myself prefer to use
> the Voice of Clear Reason approach... ;~)
> o Business-driven opportunities to educate stakeholders are very
> useful: "See, Pat the Androgynous Network Owner, this blacking out of
> chunks of your infrastructure that we are watching is due to your not
> paying attention to those important fundamental points I made
> earlier. Let's review..."
>
> o Mass-consumed mediable "pieces" can sometimes strike a common
> chord and ratchet mass understanding. When the mass social
> environment is right, the right clip can be repeated and referenced
> enough that a huge chunk of the population has an "aha!" moment and
> all the bits that have drifted into their brainstems condense into a
> coherent understanding of a pertinent point.
>
> o Just doing our jobs and patiently explaining stuff to our Subjects
> - um - "Customers/coworkers" adds up, too.

You're right on all points. All of these elements are part of user
education; the fact that a few significant ones are "naturally occurring"
means that we actually have less work to do than we thought.

--
Mason

--__--__--

Message: 9
Date: Wed, 14 Sep 2005 00:28:58 -0700 (PDT)
Subject: Re: [fw-wiz] The home user problem returns
From: mason@schmitt.ca
To: "David Lang" <david.lang@digitalinsight.com>
Cc: "R. DuFresne" <dufresne@sysinfo.com>,
"Brian Loe " <knobdy@stjoelive.com>,
firewall-wizards@honor.icsalabs.com

>> This is exactly the kind of ingress and egress filtering I'm talking
>> about. We've avoided, by having these filters in place, some fairly
>> nasty worm epidemics that wreaked havoc at other ISPs. None of the
>> traffic typically associated with those ports has any business
>> whatsoever moving beyond the confines of the home user's local network
>> or any LAN for that matter.
>>
>> Again, for most networks, this is absolutely the wrong way to approach
>> the problem, but for an ISP, those filters and anti spoofing filters
>> have taken a big chunk out of the low hanging fruit.
>
> there is a fundamental problem with the idea that the ISP should be
> responsible for protecting the end-user. namely real protection would mean
> that they only allow specific 'known good' things to work, but if you
> limit ALL users to just those existing known-good things you will block
> development of new things (both good and bad).

What is "real protection"? Is that a brand name? As was said earlier, ISPs
are not the same sort of beast as a corporation - they cannot / should not
provide a default deny security policy for all customers. I think we've
also basically shown that if this were offered, so few people would take
the offer that there's really no point in trying in the first place. So,
let's scrap the idea that ISPs should completely shield their customers
from all harm - that is completely unrealistic for several reasons, not
the least of which are the fact that ISPs are inherently default allow and
that the ISP has no real control over the home user's PC at all. This is
not how a corporate environment should be run. Have we cleared that all
up now? The two are very different. The approaches to managing each are
different.

So, getting back to whether ISPs should be involved in the security stack
at all? As is obvious from this thread, even some security people are
unsure whether ISPs should be anything but a transparent pipe to the net.
I'm still rather surprised and a little disappointed to hear this. Why is
there concern over blocking really basic automated crap that has no
business being on any network? Especially considering that most of the
home users that security people always complain about are the ones sitting
on the ISP's network. Is there some assumption that clueful security folk
make up a large percentage of an ISP's customer base? Is that why ISPs
should just let all the crap through? Because if that's the case, if all
the users out there really know how to defend themselves, then Marcus is
right, we are wasting our breath - everyone knows this stuff. So, the
reason we are seeing all these massive worm infections and bot nets
sending spam is because we let them do it - it keeps us all employed.

All sarcasm aside, why do people keep clinging to the idea of a completely
transparent pipe? I don't get it. Does it have something to do with some
badly twisted idea of free speech? Why do you think that just because
.0001% of the user population knows how to defend themselves, that
everyone else should be made to suffer? I apologize in advance for
being accusatory, but that's selfish and self centered.

> having filtering like this as an option (even as a default option) is a
> good thing, but deciding that it should be the ONLY option and that I
> shouldn't be able to get an unfiltered connection if I want one is
> something VERY different.

You know what. Given that you really are only .0001% of the ISP customer
base, if you were to phone me up and say that you were really into
computer security and wanted to set up a honey net or something like that
so that you could watch and learn and I got the impression that you were
for real, I'd make an exception in my ruleset for you. I'd also tell you
that if I got a single complaint regarding traffic from your IP, you'd be
right back to where you started.

I don't think I'm pulling the arrogant, control freak sysadmin / BOFH role
here. The basic filters that are in place right now should be in place on
every ISP on the planet. They do not impede any legitimate traffic at all
and offer very real benefits to our customers and us. It is my strong
opinion that ISPs can and should be doing more to help, "reduce the noise
to manageable levels." I know that this is not a list for ISP network
admins, so perhaps I'm "wasting my breath", but perhaps this rant can be
construed as more user education. You're sharing the net with people that
are practically helpless, please ease up a bit and understand that some
simple actions on the part of the ISP are going to help everyone.

I enjoy this list and don't want to alienate myself by lashing out at
anyone (I know you're in the To field David and I was responding to your
email, but this wasn't directed at you), so I apologize if I've rubbed
anyone the wrong way.

--
Mason
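The ISP border filtering argued over in Message 6 (Ron DuFresne's question about not passing ports 135-139, 445 and 5000 across the perimeter, and Mason's reply about those filters plus anti-spoofing filters) and again in Message 9 (the default-allow stance, and the per-customer exception Mason says he would grant) can be modelled as a small packet classifier. The following is an added example written for this page; it is not code from the mailing list, from any ISP, or from any of the posters. The port list comes from the thread; the customer prefixes, the exempt customer address, and the sample packets are constructed for the example, and "the internet" is stood in for by 192.0.2.0/24.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple
from ipaddress import ip_address, ip_network

# Ports named in the thread: Windows networking traffic (RPC, NetBIOS, SMB, UPnP)
# that has no business crossing an ISP perimeter in either direction.
BLOCKED_PORTS = frozenset({135, 136, 137, 138, 139, 445, 5000})

# Constructed example prefixes: address space this ISP assigns to home customers.
CUSTOMER_PREFIXES = (ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24"))

# Constructed example: one customer granted the per-user exception Mason describes.
# The exception lifts only the port filter; anti-spoofing is never lifted.
EXEMPT_CUSTOMERS = frozenset({ip_address("198.51.100.7")})


@dataclass(frozen=True)
class Packet:
    direction: str  # "in": internet -> customer side, "out": customer side -> internet
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def is_customer_addr(addr: str) -> bool:
    """True if addr falls inside one of the ISP's own customer prefixes."""
    a = ip_address(addr)
    return any(a in net for net in CUSTOMER_PREFIXES)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet crossing the ISP border.

    The default is accept: an ISP is a default-allow network, so only the two
    narrow filters from the thread are applied.
    """
    if pkt.direction not in ("in", "out"):
        raise ValueError(f"unknown direction {pkt.direction!r}")

    # 1. Anti-spoofing: traffic leaving the customer side must be sourced from
    #    our space; traffic arriving from the internet must not claim it.
    if pkt.direction == "out" and not is_customer_addr(pkt.src):
        return "drop", "spoofed source leaving customer side"
    if pkt.direction == "in" and is_customer_addr(pkt.src):
        return "drop", "inbound packet claims a customer source"

    # 2. Windows networking ports, blocked both ways unless the customer on our
    #    side of the border holds an explicit exception.
    customer_side = pkt.dst if pkt.direction == "in" else pkt.src
    if pkt.dport in BLOCKED_PORTS and ip_address(customer_side) not in EXEMPT_CUSTOMERS:
        return "drop", f"{pkt.proto}/{pkt.dport} does not cross the perimeter"

    return "accept", "default allow"


def apply_filters(packets: Iterable[Packet]) -> Dict[str, int]:
    """Count verdicts over a batch of packets; returns {'accept': n, 'drop': m}."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        verdict, _ = filter_packet(pkt)
        counts[verdict] += 1
    return counts


# Constructed sample traffic (192.0.2.0/24 stands in for "the internet").
SAMPLE_PACKETS = [
    Packet("in", "tcp", "192.0.2.10", "203.0.113.25", 445),   # worm scan for SMB
    Packet("out", "udp", "203.0.113.25", "192.0.2.10", 137),  # NetBIOS chatter leaking out
    Packet("out", "tcp", "10.0.0.5", "192.0.2.10", 80),       # spoofed source on the customer side
    Packet("in", "tcp", "203.0.113.9", "203.0.113.25", 80),   # outside packet posing as a customer
    Packet("in", "tcp", "192.0.2.10", "203.0.113.25", 80),    # ordinary web traffic
    Packet("in", "tcp", "192.0.2.10", "198.51.100.7", 445),   # exempt honeynet customer, inbound
    Packet("out", "tcp", "198.51.100.7", "192.0.2.10", 445),  # same customer, outbound
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = filter_packet(pkt)
        print(f"{pkt.direction:>3} {pkt.proto}/{pkt.dport:<5} {pkt.src:>14} -> "
              f"{pkt.dst:<14} {verdict:6} {reason}")
    print(apply_filters(SAMPLE_PACKETS))
```

Two design points follow the thread rather than general firewall practice: the policy stays default allow, because an ISP cannot run the default-deny posture of a corporate border, and the exception is scoped to the port filter only, so an exempt customer still cannot source traffic from addresses the ISP does not own.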

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
