[liberationtech] Schneier: Focus on training obscures the failures of security design
Rich Kulawiec
rsk at gsp.org
Thu Mar 28 07:55:48 PDT 2013
On Wed, Mar 27, 2013 at 07:45:45PM -0400, Carol Waters wrote:
> At the risk of igniting an inbox-exploding smackdown thread [...]
You say that like it's a bad thing. ;-)
I'll quote Marcus Ranum on the subject of "educating users", from his essay:
The Six Dumbest Ideas in Computer Security
http://www.ranum.com/security/computer_security/editorials/dumb/
where "educating users" shows up as #5. Ranum writes:
"Penetrate and Patch" can be applied to human beings, as well as
software, in the form of user education. On the surface of things,
the idea of "Educating Users" seems less than dumb: education
is always good. On the other hand, like "Penetrate and Patch"
if it was going to work, it would have worked by now. There
have been numerous interesting studies that indicate that a
significant percentage of users will trade their password for a
candy bar, and the Anna Kournikova worm showed us that nearly 1/2
of humanity will click on anything purporting to contain nude
pictures of semi-famous females. If "Educating Users" is the
strategy you plan to embark upon, you should expect to have to
"patch" your users every week. That's dumb.
It's worth reading the whole thing to understand the context.
( BTW: that document/rant/essay is one of the very best things
I've ever read about security. Many, MANY people running networks
and systems would benefit greatly by the following algorithm:
1. Read it.
2. For the next week, try very hard not to do any of those things.
3. Go to step 1.
That may sound simplistic...and it is. But I invite you to read Ranum's
rant, and then peruse any handy listing of intrusion/attack/dataloss
incidents, such as http://www.databreaches.net/ with his points in mind.
You will find, as I have, that almost *invariably* the root cause of
the incident in question is that somebody made one of those six mistakes,
or one of the lesser ones he enumerates. Sometimes they've made two or
three. )
---rsk