From: tobias at weisserth.de (Tobias Weisserth)
Subject: Yes, user education is a lost cause ;-)

Hi Paul,

On Tue, 20.01.2004 at 23:15, Schmehl, Paul L wrote:
...
> To a certain degree I agree with you, however my viewpoint isn't quite
> as bleak.  I believe there are *some* things we can do to at least
> reduce the number engaged in this type of activity.

That is right. But it isn't reactive behaviour that will save the day.
It is proactive behaviour that will make things easier for us.

Keeping doors shut by default is one of those proactive measures.
"Opportunities make thieves." is a well-known saying in my native
language. Meaning: if you leave doors open, then you yourself are
responsible when people start stealing from you.

> > The one thing we can change though is 
> > accepting or not accepting the way vendors ship software.
> >
> What about changing users?

There is nothing wrong with end users. THEY are the customers. The
consumers. Remember? They buy OUR products. WE have to adapt to them,
not they to us.

> You don't allow for any of that at all?

No. Ideally no. If there are ways left to improve products without
forcing end users to get involved then I don't allow "for any of that".
And believe me, there's plenty of things left vendors can change in the
way they ship products to improve things without troubling end users.

> I think it's not only possible but will happen over time.

End users can only be educated when they have to educate themselves in
order to do things. Teaching them Personal Firewall days is the wrong
approach. It's better to disable unneeded services and let those users
educate themselves when they are clueless about how to enable a certain
service. If we want people to handle running services in a responsible
way, we have to encourage them to find out how to set them up safely
before they can enable them. In the end they'll be grateful. And the
bigger mass of people not interested in the stuff isn't troubled with
complicated additional security layers on top of their OS.

> Just as people learned the rules of the road for driving (and some seem to never
> learn), I believe many will learn the rules of the road for the
> Internet.

You are actually using an analogy I can reuse :-)

Imagine an MS Windows XP box as an 18-wheel truck delivered to an
18-year-old with little driving experience. His truck has services
running he doesn't need or understand, and he is driving the truck with
full administrator rights "out of the box". The truck even has a lever
installed next to the gas pedal (labeled "run attachment") which
triggers the ejector seat without warning the driver. Shouldn't you
agree that it is wrong to hand such a vehicle to this 18-year-old? Isn't
the one to blame the one who actually permits the 18-year-old to get on
the data highway with this thing?

> It just takes time, just as driving rules took time.  (In
> fact, we're still learning, aren't we?)
> 
> I think one of the "security community's" basic responsibilities is to
> educate users and to never give up on educating users.

No. We have to improve products so that they are easier to use, cause
less confusion and lead to fewer exploits due to standard end-user
behaviour. We have to alter the products, not the users. Users don't pay
us to educate them, they pay us to deliver usable products.

> After all, one of the most important parts of our job is writing policy, is it not?

Yes, but don't we write it in such a way that the end users in our
organisation never actually notice its existence? Don't we try to
apply security in a way that blends into their workflow without
requiring constant action on their part?

> If that's true, and yet we don't believe users can be educated, then why is
> policy writing so important?

You have to regard your user base as a sort of wild river. You can
_force_ a river into a certain direction by altering its riverbed, but
you can never _command_ or _educate_ a river to follow a different path.
The paths rivers take are governed by the simple physical property of
"lowest resistance". Users are the same way. When something seems
easiest to them, they do it, good idea or not. Education won't help
unless you want to make system administrators of every single one.

But _I'd_ rather invest _my_ time in making a better, fool-proof
product than in trying to make the end users fool-proof. I guess the
latter is science fiction.

> Obviously it's because we believe that policy can change *most* users.

It doesn't change the users. It changes their available options.

Remove a policy after it has been established for some time. Evaluate
whether users still stick to it and you'll have your answer as to whether
users have changed :-)

> Yes, there will always be some small percentage that are either stupid
> or combative, but the vast majority just need to understand the risks
> in order to know how to behave in a secure manner.

This is science fiction and in your heart you know it :-)

I have to admit that I dream of this too, but in my heart I know this is
not the way it is going to be. Ever.

Kind regards,
Tobias W.
