Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Schneier: Focus on training obscures the failures of security design

Rich Kulawiec rsk at gsp.org
Thu Mar 28 07:55:48 PDT 2013


On Wed, Mar 27, 2013 at 07:45:45PM -0400, Carol Waters wrote:
> At the risk of igniting an inbox-exploding smackdown thread [...]

You say that like it's a bad thing. ;-)


I'll quote Marcus Ranum on the subject of "educating users", from his essay:

	The Six Dumbest Ideas in Computer Security
	http://www.ranum.com/security/computer_security/editorials/dumb/

where "educating users" shows up as #5.  Ranum writes:

	"Penetrate and Patch" can be applied to human beings, as well as
	software, in the form of user education. On the surface of things,
	the idea of "Educating Users" seems less than dumb: education
	is always good. On the other hand, like "Penetrate and Patch"
	if it was going to work, it would have worked by now. There
	have been numerous interesting studies that indicate that a
	significant percentage of users will trade their password for a
	candy bar, and the Anna Kournikova worm showed us that nearly 1/2
	of humanity will click on anything purporting to contain nude
	pictures of semi-famous females. If "Educating Users" is the
	strategy you plan to embark upon, you should expect to have to
	"patch" your users every week. That's dumb.

It's worth reading the whole thing to understand the context.

( BTW: that document/rant/essay is one of the very best things
I've ever read about security.	Many, MANY people running networks
and systems would benefit greatly by the following algorithm:

1. Read it.
2. For the next week, try very hard not to do any of those things.
3. Go to step 1.

That may sound simplistic...and it is.	But I invite you to read Ranum's
rant, and then peruse any handy listing of intrusion/attack/dataloss
incidents, such as http://www.databreaches.net/ with his points in mind.
You will find, as I have, that it almost *invariably* the root cause of
the incident in question is that somebody made one of those six mistakes,
or one of the lesser ones he enumerates.  Sometimes they've made two or
three. )

---rsk



More information about the liberationtech mailing list