Re: The home user problem returns

[Chris Blask <chris () blask org>]

At 03:42 PM 9/8/2005, Mason Schmitt wrote:
.d.
> > Wow... Am I that bad? Am I that predictable?  ;)
> >
> I think you've been at this a really long time and you're fed up with
> the bull. I've only been in computers for a few years and the current
> state of things drives me nuts too.  The fact that you keep speaking out
> is admirable. :)

That is the value - take what opinion you like but DON'T GIVE UP!

.d.
> > If you want to push
> > things back far enough, intellectually, the problem is that anonymous
> > Internet access is being offered. That's the underlying problem.
>
> YES!!!  And the fact that there are groups that are working hard at
> maintaining that anonymity bothers me.  I know that there's always the
> concern about Big Brother, or worse and far more plausible, abuse of any
> large scale trust/authentication systems that get setup in the future.

The problem is that, without any sort of identity (and there is 
exactly 0.0000% of net traffic using anything worth calling 
identity), it is impossible to treat Identified traffic and Anonymous 
traffic differently, as they logically deserve.

.d.
> I see trust and authentication systems as critical to the future of the
> net, therefore I want to see it happen, but I'm deathly afraid of the
> piece of *$^! system that could be put in place.  I can tell you right
> now that centralized systems such as microsoft's passport are extremely
> scary and have no place in in the future trust/auth systems that need to
> exist.  Unfortunately I don't have a crystal ball (or any technical
> background) to tell you what such systems should look like.

Decentralized, distributed responsibility.  If I own an auth server 
then I am responsible for the activities of those who use it.  If I 
can say: "Yes, this is a person, I know who it is, and I'm not 
telling you who that person is short of a court order legal in my 
jurisdiction", then the system works.

.d.
> On bad days and good days I fully agree.  The problem is that it can't
> stay like this, so movement has to occur somewhere.  Perhaps you're
> right that we're wasting our breath.

Marcus is right to keep people on their toes: no-one should expect to 
fire off ill-conceived comments or solutions and not get their lungs 
ripped out - this is all too important.  Any actual good ideas can 
stand harsh comment - bullshit disintegrates.

> Here's another favourite Einstein
> quote of mine that fits this situation.

>    "The definition of insanity is doing the same thing over and
>     over again and expecting a different result."

My favorite Albert is this (I like it so much it's been my standard 
sig for a while):

"Make things as simple as possible but no simpler. " - Albert Einstein

THIS is where things in our world get f**ked up IMSO:  "We'll get a 
million angles to dance on the head of a pin, take the square root of 
their average size and use the results as Private Keys (sold by 
Verisinge and distributed by Microsloth)!"

> While I think that user ed is still a critical piece to the puzzle, I
> think that the way that we go about attempting to educate needs to
> change.  That's what I was trying to get across in my last email.  It
> takes one on one interaction with people.

Education is a slippery topic.  In short, we will achieve the edu 
goal with about 18 trillion hours of dedicated training and a factor 
of 1000 more in informal training.  IOW - it ain't getting done 
tomorrow, but every little bit of effort gets us closer.

The other side of edu is that vendors/providers need to get educated 
about what is a good idea and what is crap.  Having (or not having) 
actual Customers doing actual Things with your product is the only 
education that counts, but vendors/providers usually miss the 
pertinent lessons even then.

.d.
> I'm well aware that I'm stuck in the middle of an arms race.  That's why
> we outsourced spam control - that was just too messy an arms race to
> continue to contend with in house.

Spam control = Identity

Identity is owned by the worst of our industry (both the "how to 
screw your customer in Three Easy Steps" business folks and the 
"no-one should use a computer if they can't carve one out of soap" engineers).

At JamSpam we had all the stakeholders in one place, and the best we 
could do was AMY.  I chaired the damn coalition so I take the blame, 
but it didn't surprise me at all (and I *am* an optimist!).

.d.
> Very good points.  See my point above concerning changing approaches.
> To be realistic, I'm not expecting mass religious conversion to happen.
>  I'm hoping to keep finding those people that have an inkling that
> something isn't right and just need some info to point them in the right
> direction.  These people, once they get it, will tell others.  For
> everyone else, I just want to get them to jump through the hoops of
> turning on windows update, getting a firewall... yada yada yada.

Education works, it is just a much much much bigger job than we 
think, with many different branches.

o  Much of the end-user education that needs to be done is social 
("talk amongst yourselves") and we can never directly provide that, 
though we can tune the debate.

o  There is no quantity of end-user education that can shorten the 
amount of time it will take to "finish" that effort, but it is 
possible to have so little that it takes longer...

.d.
> In my last email, this was one of the things that I stressed (or I hope
> I did).  People need to learn to question.  My generation is doing a
> good job in this area, but my parent's generation is as trusting as an
> unspoiled child when it comes to the net.  I think the biggest problem
> with the older crowd is that they don't really know what the net is -
> I'm still working on my parents.  That's what I want to try to teach people.

That right there is my point.  The quantity of exposure that the 
average Joe needs to understand the issues being discussed is "N", 
where N is a very large number (particularly if Joe is 50+).  We are 
currently about 1/N into the process...

> > [...other good stuff, deleted...]
> > You're still an optimist, aren't you? It's always nice to find an optimist
> > in Internet security. I feel like a birdwatcher who has seen the last of
> > some vanishing breed whenever I run across one of you guys. ;)

chirp!  ;~)

.d.
> Whenever I fall into that sort of situation, I recognize it as
> unworkable and realise there must be another way to look at the problem.

Precisely!

"The fact that two people have different opinions on a topic does not 
mean that either is correct."

> I'll keep trying to find new ways of approaching this and I'll make
> headway, even if it is just, as you said, "reduce the surge of noise to
> manageable levels".  I think you have to be incredibly persistent and
> optimistic, or naive to make any meaningful headway in computer security
> - not sure which one I am, maybe both.

Lucy: "You can't subtract five from three!"

Linus: "You can if you're stupid!"

Never underestimate the power of naive optimism.

> Anyway, it's still fun and challenging, so why not keep at it.

Beats pumping gas...

-cheers!

-chris



It is not worth an intelligent man's time to be in the majority. By 
definition, there are already enough people to do that.

 - G. H. Hardy

Chris Blask
chris () blask org
http://blaskworks.blogspot.com

+1 416 358 9885