2004-09-15
Academic institutions who have to add, manage, and secure thousands of new users within a period of just a few days face political and social issues on top of the immense technical ones.
Academia Headaches
2004-09-16
Anonymous (3 replies)
grow up
2004-09-17
Anonymous (1 replies)
another vote for open-sourcing the perl code
2004-09-17
Anonymous (1 replies)
another vote for open-sourcing the perl code
2004-09-18
Anonymous (1 replies)

"I know who the misguided idiot is."
*sigh* I'm going to have to start publishing temporary GPG keys with anonymous posts to keep my anonymous separate from other anonymous. Too late here though, I can't *prove* I'm a separate party to anyone reading this.
That stated, the other anonymous guy is right--you can't solve all these problems with just technology (although I was able to solve my problems that way--I didn't run the campus network--just subverted its rules to get my system online--good enough for me). My port was pulled *once*--before I knew they "didn't allow linux on the residential network." Never again. Not that I stopped running it...
This tool *sounds* like a great thing but it will still only be as good as the admins running it. The backdoor authors are getting more clever--I've heard rumors that one kit now operates on port-knocking.
Erik, you're right about not blaming users without educating them--the only point I really wanted to make is that mandatory education in such things is quite candidly--inappropriate. I know that myself and numerous people like me would go out of our way to make such classes ineffective because they're candidly--insulting, derogatory and a waste of our time. I'll "grow up" as soon as the world around me does and stops making me waste my time on...pointless things. I assure you--I am much more in need of an ethics class than anything on computers. (I dare say that's a waste of my time too, as I don't agree with the basic premises..but at least I might learn something from it anyway) But more to the point about the rest of the world...
I believe I misspoke/wrote on the ZoneAlarm issue--it isn't a question of education (although that comes into play) it's a question of convenience. 9/10 of the users I ever worked with hit 'okay' to whatever came up first in practice regardless of education or training--because it was convenient and required no thought. At some level it's an SE issue--people really should be designing programs so "okay" or "yes" always defaults to the most restrictive action. People hit "yes" in ZoneAlarm not because nobody told them how to decide...but because they didn't immediately know if a program should be using the internet or not, and didn't want to take the time to decide, find out, or ask someone.
I can't tell you how many times I saw one criminology professor cancel an AV update because the only time the computer got turned on was when he used it in class--and obviously he could not afford to wait the thirty seconds for it to fetch the dat's from the central Uni. server. IT set it up wrong--those computers should have received a PUSH at 3 in the morning. Users do not *care* about the network, and shouldn't have to--it is a tool to them that they expect to be running with a little initial configuration and virtually no maintenance.
All the people in the IT rooms and professors all think they know better. I watched a networking professor jam a PCI card through the back of a case without opening the box up and wonder why it broke... I have seen the chair of computer sciences complain about a broken computer because of an unplugged keyboard, I have seen system-admins enable rlogin because it was convenient. Having seen this, I again plead the question of *why* I (or anyone else) should have to take some trite course in computer maintenance/well-being. Need I state that "opening attachments you don't expect" while good practice hardly applies in a college network where sneaker-net over email is sadly common?
What does this say? People everywhere screw up (even my SSH was vulnerable once... sigh)--even the supposedly competent admins. User education will not replace the fact that users care more about convenience than security (and this is really the way it should be). Perhaps on a corporate network you can enforce this--but not on campus, unless and until you require students to sign an AUP. And I'll be the first one in line to file suit with the ACLU if someone requires that without notifying me of this policy prior to my acceptance and arrival on campus. The real, *key* difference is students are being treated like children when we are in fact consumers, paying several grand a year more than we should for a service-- I see no reason why we do not have every right to expect this service to be robust, reliable... and available regardless of our choice of medium. If the network admins can't keep the system up and running...it is their fault. As you mentioned--it's a trivial task to segment a user off from a network.
To this extent you're right about giving IT the power to say "we warned you" so that there are no repercussions for them disallowing service--but I have to disagree about a user being "clever enough to disable a virus scanner." Most users are not clever--they're people who want to get their job done. It just takes one "clever" user to show a whole slew of them bad practices.
The software sounds like a great idea as long as the admins using it are up to par...but...I have to vehemently protest the notion of classes. Sorry, but another 101 is just...an insult to any reasonably intelligent human being. Defend the network at the gate--your users will never be well trained enough to do so.
Link to this comment: http://www.securityfocus.com/comments/columns/267/28521#28521