Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: The home user problem returns (Chris Blask)
2. RE: The home user problem returns (Jim Seymour)
3. Re: The home user problem returns (Michael Cassidy)
4. Home user problem (PG)
5. RE: The home user problem returns (StefanDorn@bankcib.com)
6. RE: The home user problem returns (Brian Loe)
7. RE: The home user problem returns (Paul Melson)
--__--__--
Message: 1
Date: Tue, 13 Sep 2005 21:59:43 -0400
To: Mason Schmitt <mason@schmitt.ca>,
Tina Bird <tbird@precision-guesswork.com>
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] The home user problem returns
Cc: "'R. DuFresne'" <dufresne@sysinfo.com>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
At 06:01 PM 9/13/2005, Mason Schmitt wrote:
> > TBird opined:
Hey folks (hullo TBird! :)!
.d.
> > so for me, the question is, how do we influence the *consequences* of
> > badly configured or managed machines - wherever they are, on
> > corporate networks or the internet - in order to create the change we
> > want? how do we create a beneficial sort of pain?
>
>It's already happening, we don't have to do anything to cause further
>pain. What we need to do is to have solutions and answers ready for
>when people start looking for them. That's why I said earlier that we
>need to keep pushing forward, while still reaching out to see if anyone
>is ready to listen yet.
I think I agree with the spirit of your position.
We as a group have a lot of roles to play and scaring the pants off
of people is, sometimes, appropriate, so I don't gainsay those who
fulfill that need.
However, I think another more common role we need to play is the
damping rod. There is an often frenetic cloud of activity, emotion
and motivation in many of the stressful rooms we walk into. We also
need to spend a lot of time bringing people down out of the rafters
(where they tend to lobby for insane and self destructive
legislation) and making them believe that they will be All Right so
long as they Stay Calm and Do At Least These Things. Military
leadership has lived with this forever and been able to keep a
straight face while knowing the subtext ("and some of you will die,
but we might win the war").
> > when i'm dealing with my relatives, i just change the configuration of
> > their computer when i'm visiting. that's not exactly a motivator,
> but hey, their
> > machines are fully patched :-)
>
>I do the same thing. I usually also follow up by telling my mom or dad
>why I did it and take that as an opportunity to tell them a bit about
>what other things they may want to think about to help protect themselves.
My mom and her husband are here now and I just gave them another
little edu bit. It's very very interesting to work over a long
period of time with very bright but Generationally-Challenged folks,
trying to get the basic memes into their heads so they can understand
what they can do (much less what the risks are). The Mom Test has
*always* been my litmus for the underlying state of the Great
Unwashed. Currently it is "better than before but still a long way
to go", and so my position on all this remains consistent...
> > it's why i'm so interested in NAC and NAP and other sorts of enterprise
> > technologies that let me use network connectivity as the bribe to get
> > machines configured the way i want them. .d.
>
>Arrogant maybe. Intrusive probably. However, I still think it's a
>great idea. That's kind of what I've been looking at except that I have
>to be more reactive than proactive, so I'm planning to go with the leper
>colony or penalty box idea.
Exactly what Tina said: "use network connectivity as the
bribe". It's not even so much a bribe, it's Resonsibility coming
home to Roost. There are (and will be) ways to push responsibility
(in phases, perhaps) out to the endpoint, which will make a lot of
problems solvable...
-cheers!
-chris
Real courage is risking something you have to keep on living with,
real courage is risking something that might force you to rethink
your thoughts and suffer change and stretch consciousness. Real
courage is risking one's cliches.
-Tom Robbins
Chris Blask
chris@blask.org
http://blaskworks.blogspot.com
+1 416 358 9885
--__--__--
Message: 2
To: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Wed, 14 Sep 2005 07:44:30 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)
"Bill Royds" <bill@royds.net> wrote:
>
> One of the main problems with MS Operating Systems is that one must run
> as root (administrator) to make it useful since a local user can't even
> use things like USB ports since they require admin privileges to
> connect.
[snip]
Yes, I know. We've tried, at work, to limit users to non-admin
privileges and often found ourselves having to give 'em admin privs in
the end :/.
<rant>
What in the Wide, Wide World of Sports is freakin' *wrong* with those
people over at Microsoft? After all these years, they *still* can't
seem to get it right. It's almost as if they looked at all the good,
sane practices implemented by other operating systems, applications,
and IT professionals and said "We'll do it the other way."
</rant>
Even if MS did get its head out of its posterior (I'm not holding my
breath), I still maintain that a general purpose operating system is
not appropriate for an appliance--which is what MS, in this instance,
is marketing their product as to the general public. For an appliance,
you have to think "nothing more involved than a refrigerator,
kitchen stove, washing machine or automobile."
When Wintel PeeCees first started replacing X-Terminals in my
workplace, people thought my objection was anti-MS/anti-Windows bias.
"No," I explained, "I'd be little happier if what was replacing the
X-terms was desktop Linux or Solaris boxes. A general purpose OS on
every desktop decreases reliability, decreases security, and increases
maintenance and expense."
Jim
--__--__--
Message: 3
From: Michael Cassidy <cassidy@panix.com>
Subject: Re: [fw-wiz] The home user problem returns
Date: Wed, 14 Sep 2005 08:57:04 -0400
To: firewall-wizards@honor.icsalabs.com
On Sep 14, 2005, at 12:03 AM, David Lang wrote:
> On Tue, 13 Sep 2005, Paul D. Robertson wrote:
>>
>> For about a week- maybe two. Look at the password-for-pens studies and
>> the password training retention studies. While lots of users *do* want
>> to do the right thing, you're ignoring the silent majority who just don't
>> care.
>
> one problem that this shows is that people are not held accountable
> for the stupid things that they do. (this also applies to the user who
> clicked the attachment to 'see what it would do'). so we feel the
> pain, but they just get a break from work while the IT guy messes with
> their machine (and probably for a while afterwards because they can
> blame the IT guy re-imaging the machine for all sorts of things for a
> week or so).
>
> we need to change this from the win-win for the bad user to a
> lose-lose. As Tina said, being able to reward the good users with
> net access while denying it to others is a much better approach.
Not practical when the bad user owns the joint or is the big chief.
Not practical if the bad user's job requires net access; they may be
stupid on their computer but very good at their job that only uses a
computer; researchers at magazines, newspapers, Wall Street etc.
The reason we have so many Windows machines out there is that the IT people
recommend them: they are cheaper than Macs and easier to use than Linux.
I think the real reason is that the more Windows machines are out there, the
larger the IT department supporting them, and the larger the budget and head
count for the CIO/CTO. There are compelling reasons for a CIO/CTO to
push Windows:
1. Cheaper to buy so the bottom line looks good at the initial buying
2. Requires more support therefore larger budget and larger head count
3. You can blame all of this on the 'bad/stupid users'
____________________________________
"Sometimes I wonder whether the world is being
run by smart people who are putting us on or by
imbeciles who really mean it." - Mark Twain
--__--__--
Message: 4
From: PG <pgs@defensor.se>
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 14 Sep 2005 14:06:40 +0200
Subject: [fw-wiz] Home user problem
As a former citizen of northern Sweden, known to be
pessimistic by nature, I find Marcus' scepticism healthy.
The home user thread has been entertaining to read but
really does not cover any new ground. The ISP situation
is one doomed to fail no matter which way you turn. The
problem lies elsewhere in my opinion.
First, the legal aspect. From my perspective, the ISP
entity needs to be better defined from a legal standpoint.
Certain things you SHOULD or MUST do. I have not
considered all aspects of this but would suggest for
example that egress filtering to increase traceability be
one mandatory point. I.e. there should be clear rules as
to what is and is not within ISPs responsibilities and
the end users rights.
Second, user education. I used to believe in this. After
teaching network security to everything from sysadmins to
boards of directors I have reached the same conclusion as
Marcus. It will, at best, allow us to take another breath
or two before drowning but will not solve the problem, nor
even make much of a dent in it.
This brings us to the core of the problem, if we are not
supposed to educate the users then we must make sure they
cannot do harm. Think for a minute on what default deny
means when it comes to a firewall. This is where we want
our users to be. As long as we are running on fundamentally
broken equipment and protocols, this is nearly impossible.
The decisions that we suffer from today were taken decades
ago.
The analogies for cars and guns and so on all have some
merit. However, I find it flawed when compared to the user
problem from the point of view that the user does in
general not intend to cause harm. It is a byproduct of
their ineptitude of using the net. Now, if you look at
a modern car, you do not need to be a technical person to
drive it, in fact you are in every way discouraged from
doing anything to the car at all. If the car thinks it
needs service, it will tell you so and without very specific
knowledge and the right tools, you cannot do anything on
your own. Now, this is where the computer and Internet
needs to be. The OS of today is basically a car where you
are sitting with the engine in the front seat, the brake
fluid running in open conduits and so on. Make one wrong
or uninformed move and it breaks. This is to various
degrees true for every OS out there, be it the latest bloat
from Microsoft or any default installed Linux client.
In addition, most of the protocols used today are inherently
flawed and Marcus' idea of a Y2K scrap of it all would have
been lovely. We are currently throwing good money after bad
in an effort of postponing the inevitable by buying security
appliance XYZ to protect ourselves. I fear that we will end
up with several commercial internets in the future where the
structure is sound but the "freedom" gone.
Just to try a constructive thought, this is a loose idea of
how I would tackle the home user problem if ever working at
an ISP.
As for the ISP filtering certain ports. Again, default deny.
Enumerating a certain number of ports and blocking them leaves
you trailing after the bad stuff. The default connection a
user gets on day one of subscription SHOULD block all incoming
ports. Now, before every user leaves this imaginary ISP of mine,
make it configurable by the user him-/herself. The thing you
now regulate is the level of the user's access to the
configuration. If they open up everything and get infected,
they get a warning. If they do it again, they get everything
closed and lose the right to configure it. This leaves it up
to the individual user on the risks to take BUT they are per
default protected. At least in the sense of protected we can
achieve with easy access restrictions. This coupled with good
documents and tutorials for the use and penalties of the system
could make a good carrot-on-a-stick.
It all comes down to choosing what evil you want to live with.
-- PG
--
Pål Göran Stensson, Security Consultant, CTO
E-mail: pgs@defensor.se
Mobile: +46 (0) 708 - 92 80 93
Defensor Sweden AB
http://www.defensor.se
-- Computers have enabled people to make more mistakes faster than
almost any invention in history, with the possible exception of
tequila and hand guns. /Mitch Ratcliffe --
--__--__--
Message: 5
To: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns
From: StefanDorn@bankcib.com
Date: Wed, 14 Sep 2005 09:04:52 -0500
Let me get this straight,
You 'secured' your wife's PC by removing a few pieces of software, put
Mozilla on it, slapped on some freeware spyware detection and just let 'er
rip?
Rule #1: Don't let a system access the internet unless you've secured the
access, and know exactly what's allowed inbound and outbound through your
network.
Rule #2: Don't let people who don't know what they are doing run with
administrative permissions, or full access to your network services.
Rule #3: If you run Windows, get an antivirus and configure it to scan
everything that comes in and out of the system, be it a read/write
operation or network traffic. It's not the ideal solution, but until
Microsoft makes their OS a little smarter, you need it.
I think user education is important. However, there needs to be a control
for those people who simply refuse to learn it. Using Marcus' car buying
analogy, you could take it a step further by looking at people getting
licensed to drive. Driving without a license can land you a fine or in
jail for a night, or if you were to get in an accident, you can encounter
some serious legal repercussions.
People who refuse to learn the rules of the road don't get licenses, and
if someone who is licensed breaks the rules too many times, their license
and record can be marked and/or revoked.
ISPs could adopt this model by either classifying users based on testing
them on their knowledge (take a few web based tests about web security or
something, and the ISP will open up more ports/access for you?), or
perhaps by basing it on limiting or locking out repeat offenders.
Stefan Dorn
firewall-wizards-admin@honor.icsalabs.com wrote on 09-13-2005 07:39:53 PM:
> hermit921 <hermit921@yahoo.com> wrote:
> >
> [snip]
> >
> > On the good side, I have a friend who is almost totally computer
> > illiterate, but has never had a virus or spyware or any other malware.
> > Rule #1: never double click any attachment. If you have to open it,
choose
> > a program that should open that type of file and do a File -> Open.
> > Blindly following these rules has kept her safe for over 10 years. So
I
> > know people can learn, at least by rote, regardless of understanding.
> > Rule #2: never use Microsoft software. This probably helps an immense
> > amount, too.
> [snip]
>
> Your friend could be my wife. WinXP (home edition) for some three
> years or so. (She *insisted* on having a 'doze PeeCee.) OE was
> *immediately* removed from the desktop and replaced with Pegasus. IE
> was *immediately* de-fanged (turned off all the ActiveTrojan stuff),
> then used to fetch Mozilla. Wife was told "Use this. Use the other
> only if this doesn't work.") Computer's behind a "firewall router"
> (configured by yours truly, naturally). Same aggressive mail server
> filtering rules as at work. I only a week or two ago finally broke
> down and put AV software on it, because one of her correspondents
> insisted my wife was sending her infected JPEGs. (She wasn't.) She
> has had SpyBot S&D for some time, and uses it religiously.
>
> It can be done. I've seen it with my own eyes.
>
> Jim
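An added example, written for this page rather than taken from any post in the digest: it models the ISP-side mechanism PG sketches in message 4 (default-deny inbound per subscriber line, subscriber-controlled exceptions, a warning on the first infection with ports open and a lock with self-service revoked on the next, plus egress filtering so abuse stays traceable to the line) together with Stefan's idea above of opening more access to subscribers who pass a test. The interface names, the 3-port cap for subscribers who have not passed the test, the choice that an infection with no ports open does not climb the ladder, and the nftables layout are this example's own assumptions, not anything either poster specified.

```python
"""Subscriber-edge policy model: default-deny inbound per line, subscriber
self-service for exceptions, a knowledge test that lifts the cap on what may
be opened, an escalation ladder (warn, then lock) on infection, and
source-address egress filtering so abuse stays traceable to the line.
Interface names, the 3-port cap and the nftables layout are assumptions
made for this example, not anything from the thread.
"""
from dataclasses import dataclass, field
from enum import Enum
import ipaddress


class Tier(Enum):
    DEFAULT = "default"  # day one: all inbound blocked, self-service available
    WARNED = "warned"    # infected once with ports open: warned, ports unchanged
    LOCKED = "locked"    # infected again: all inbound closed, self-service revoked


UNQUALIFIED_PORT_CAP = 3  # assumption: cap until the subscriber passes the test


class PolicyError(Exception):
    """Self-service request refused by policy."""


@dataclass
class Subscriber:
    ifname: str                  # access-side interface for this line (assumed)
    prefix: str                  # address block assigned to this line
    qualified: bool = False      # passed the ISP's web-based security test
    open_ports: set = field(default_factory=set)
    tier: Tier = Tier.DEFAULT
    infections: int = 0


def request_open(sub: Subscriber, ports) -> set:
    """Subscriber self-service: add inbound TCP exceptions to the default deny.
    Refused once the line is locked; capped until the subscriber is qualified."""
    if sub.tier is Tier.LOCKED:
        raise PolicyError("self-service revoked after repeat infection")
    wanted = {int(p) for p in ports}
    if not all(1 <= p <= 65535 for p in wanted):
        raise PolicyError("port out of range")
    proposed = sub.open_ports | wanted
    if not sub.qualified and len(proposed) > UNQUALIFIED_PORT_CAP:
        raise PolicyError(
            f"pass the security test to open more than {UNQUALIFIED_PORT_CAP} ports")
    sub.open_ports = proposed
    return set(sub.open_ports)


def try_open(sub: Subscriber, ports) -> str:
    """Same as request_open but returns 'ok' or the refusal reason."""
    try:
        request_open(sub, ports)
        return "ok"
    except PolicyError as err:
        return str(err)


def report_infection(sub: Subscriber) -> Tier:
    """Abuse-desk event. First infection with ports open: warning, ports kept.
    Next one: everything closed and self-service revoked. An infection with
    nothing open is counted but does not escalate (assumption): the subscriber
    had kept the default protection, so this ladder is not the right lever."""
    sub.infections += 1
    if not sub.open_ports:
        return sub.tier
    if sub.tier is Tier.DEFAULT:
        sub.tier = Tier.WARNED
    else:
        sub.tier = Tier.LOCKED
        sub.open_ports = set()
    return sub.tier


def render_nft(sub: Subscriber) -> str:
    """nftables ruleset for one line. Both directions hang off the forward hook
    with policy drop, so anything not listed below is denied."""
    net = ipaddress.ip_network(sub.prefix)  # raises on a malformed prefix
    fam = "ip" if net.version == 4 else "ip6"
    lines = [
        f"table inet sub_{sub.ifname} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        # egress: packets leaving the line must carry its own assigned source
        f'    iifname "{sub.ifname}" {fam} saddr {net} accept',
    ]
    if sub.open_ports:  # inbound: only the subscriber's chosen exceptions
        ports = ", ".join(str(p) for p in sorted(sub.open_ports))
        lines.append(f'    oifname "{sub.ifname}" {fam} daddr {net} '
                     f"tcp dport {{ {ports} }} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    line = Subscriber("sub42", "203.0.113.8/29")  # constructed sample line
    request_open(line, [22, 80])
    print(render_nft(line))
    print(report_infection(line).value, report_infection(line).value)
    print(try_open(line, [443]))
```

The point of rendering both directions into one policy-drop chain is that the enumeration PG warns against never appears: the only lists in the output are the subscriber's own exceptions and the line's own source prefix, so a new worm port needs no rule change to stay blocked.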
--__--__--
Message: 6
From: "Brian Loe" <knobdy@stjoelive.com>
To: "'Scott Pinzon'" <Scott.Pinzon@watchguard.com>,
"'Paul D. Robertson'" <paul@compuwar.net>,
"'Chris Blask'" <chris@blask.org>
Cc: "'Mason Schmitt'" <mason@schmitt.ca>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Wed, 14 Sep 2005 09:34:39 -0500
> -- Educating users has been proven to work at company after company.
> Help desk calls, viral infections, falling victim to phishing
> emails, and more, have been quantitatively and demonstrably
> reduced at companies that institute end-user security training.
I'm pretty sure I recently saw a GAO report showing NO improvement in at
least one government agency - with SEVERE security issues.
>
> -- And how do you know "it" (educating end users) is not
> working? We have no before/after comparison on what the
> Internet would be like if all of us who preach security had
> stopped five years ago.
We have a before and after picture in as much as we EVER will be able to.
You have to look at it like a statistician - you can't query the world
(though some of us seem to have forgotten that we ARE talking about a
GLOBAL community) but you can look at smaller cross-sections of the world.
Your company, his ISP, and the like.
> Am I really the only one on this list who thinks so? Or
> Marcus, did I misinterpret you?
I think education still deserves a chance, but let's make it REAL education.
When you are told to do something you may forget, but when you are told to
do something, shown how and given the TOOLS to do it with it becomes much
more difficult to forget.
As discussed in a previous message, why doesn't my cable or dsl modem come
with a firewall built into it - and why isn't there documentation on how to
configure it along with strict settings configured by default? If you REALLY
want to get proactive, and you're in a position to do so (ISP), that's how
you make a difference.
In my view, there's been plenty of education in the preaching variety, what
we need is teaching.
--__--__--
Message: 7
From: "Paul Melson" <pmelson@gmail.com>
To: "'Marcus J. Ranum'" <mjr@ranum.com>,
"'Paul D. Robertson'" <paul@compuwar.net>
Cc: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Wed, 14 Sep 2005 11:12:10 -0400
-----Original Message-----
Subject: Re: [fw-wiz] The home user problem returns
> I came up with a really cool mental hack the other day on this topic, but
I haven't
> figured out how best to approach it. But, basically, it's the observation
that people
> _HATE_ spammers and _HATE_ spam. Yet, people seem to _LOVE_ hackers and
think hacking
> is _COOL_. How did this happen??
The hacker stereotype is mythology based largely in 20 years of media and
entertainment hype. Face it, War Games was a sweet movie. Fictional, but
sweet. You can demystify individual hackers on an individual basis, but
cultural paradigms like this won't just change overnight, especially not
when there is a symbiotic relationship between journalists and hackers or
"security researchers" who stand to make real money selling fake accounts of
whitehat/blackhat/duncecap exploits (and 'sploits).
PaulM
--__--__--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest