How much knowledge is enough? (was RE: [LINK] Broadband)

Chirgwin, Richard Richard.Chirgwin at informa.com.au
Wed Apr 30 13:29:17 EST 2003


> you know, that attitude really annoys me.  every time i see it, it aggravates
> the hell out of me.

I wasn't trying to trigger a rant. Craig, you do contradict yourself. In
another post, you said security was too complex to put in a 'black box';
that even the engineers are getting it wrong. Now you say it's not too
complex for Joe Sixpack.

> whenever anyone suggests that it is a good thing for people to learn something
> about how the technology that they use works, or encourages someone to learn,
> it is dismissed as some sort of attack on newbies.

And every time I get straw-manned so you can attack what you think I would
have said if the aliens had sucked my brain out overnight through little
straws, I get aggravated.

I don't deny the value of learning. I do deny that "use the Internet"
imposes an open-ended escalating duty of acquiring technical knowledge.
There's a difference. If I want to get e-mail quick, work from home, but
spend my free time learning the Pathetique or how to bake a better
croissant, why should that matter? 

> assuming that people aren't capable of
> learning, that computers are too hard and that people are just too dumb.

RTFM. I didn't assume that. I said it's fair enough for someone to have
priorities that don't include learning enough about security to run a
firewall. God, if I wanted to spend hours every Saturday night running
patches ... I would rather watch movies with the kids, that's all. Boring
and mundane, I know, but a sight more interesting than watching files
decompress.

Securing a connection is definitely non-trivial. Just at the high level, the
starting point is a lot of effort. You have to learn how IP works. What your
applications >should< be doing (for eg; just starting my desktop opens a
bunch of connections as listeners. I can't figure out what more than half of
them are for.). What seemingly useless traffic is meaningful and normal.
Which pings, scans or connection attempts are problems. And so on. 

Is this knowledge valuable? Sure. But mandatory? "Do not enter until you
have mastered the mysteries?" Here, we diverge: I believe since commercial
interests are willing enough to profit from users, they can assume the
responsibility for providing a product which is 'fit for purpose'; a
broadband connection that's reasonably free of malicious traffic. 

> you don't expect your word processor (or type-writer) to write your articles
> and letters for you, nor do you expect your car to drive you all by itself, so
> why do you expect any other function of a computer to just happen by magic?

Again, RTFM. Save the false dichotomy for first-year university students and
religious debate. There is a continuum between "happen by magic" and D.I.Y. 

> more to the point, securing their machine is the duty and responsibility of
> anyone who connects to the net.

Since you enjoy your outrage so much (ever tried working in the tabloids?
right attitude...), here's a statement to get outraged over: since time
immemorial, people with knowledge have put barriers around their domains to
keep out the hoi polloi. The <straw-man> nethead meritocrat </straw-man> is
no different from, no more enlightened than, and just as exclusivist as
whichever ancient Chinese architect first decided to wrap up architectural
practice in mumbo jumbo (feng shui) to try and make himself indispensable.

RC

> -----Original Message-----
> From: Craig Sanders [mailto:cas at taz.net.au]
> Sent: Wednesday, 30 April 2003 12:47
> To: Chirgwin, Richard
> Cc: 'Link '
> Subject: Re: How much knowledge is enough? (was RE: [LINK] Broadband)
> 
> 
> On Wed, Apr 30, 2003 at 07:24:29AM +1000, Chirgwin, Richard wrote:
> > Craig - it's all too easy to dismiss the newbie, and say "it's up to the user
> > to learn about security". But in broadband, which is a vastly different
> > proposition to dial-up, I think it's putting too much on the average user.
>
> you know, that attitude really annoys me.  every time i see it, it aggravates
> the hell out of me.
>
> whenever anyone suggests that it is a good thing for people to learn something
> about how the technology that they use works, or encourages someone to learn,
> it is dismissed as some sort of attack on newbies.
>
> i really don't understand that at all.  nothing could be further from the
> truth.
>
> if i was dismissing newbies as you state then i wouldn't even bother suggesting
> that they attempt to learn something....instead, i'd write them off as a waste
> of time, not worth the effort of even trying to teach.
>
> attempting to teach, attempting to disseminate knowledge, encouraging curiosity
> and learning is not dismissing newbies.  to the contrary, what IS dismissive
> and contemptuous and patronising is assuming that people aren't capable of
> learning, that computers are too hard and that people are just too dumb.
> 
> people are NOT too dumb to learn, it is NOT too hard.
> 
> 
> (btw, from a security POV, broadband ISN'T a vastly different proposition to
> dialup.  the only real difference is the speed at which a compromised machine
> can attack other machines)
>
> > I made a joke about the piano being more interesting than the PC, but that's
> > not just flippancy. There's a life out there, and while I spend time at the
> > PC, and work with it, and check the e-mail many times daily, I don't
> > particularly want the thing to eat into my time. It's an appliance, not a
> > hobby.
>
> sorry, a computer is no more an appliance than a car is.  it requires some
> knowledge and skill to operate.  marketing people like to claim that a computer
> is an appliance, but they are the kind of people who also like to claim that
> some magic herbal supplement is, all by itself, a fabulous weight-loss program.
>
> both claims are equally valid.  there is no magic weight-loss pill that works
> without a healthy diet and exercise, and there is no computer that operates
> itself without any skill required.
>
> you don't expect your word processor (or type-writer) to write your articles
> and letters for you, nor do you expect your car to drive you all by itself, so
> why do you expect any other function of a computer to just happen by magic?
>
> we don't yet have artificial intelligence, we don't have computers like HAL in
> 2001 that can operate themselves in response to conversation english, we have
> very fast but fundamentally simple general purpose computing devices which
> require a fair amount of real human intelligence and skill to operate.
> 
> > Broadband seems to demand that the user turn the PC and the connection into
> > a hobby. To what end? What's the benefit to the user? -
>
> if the user isn't that interested, then perhaps the user doesn't actually need
> broadband.  the whole point of a broadband connection IS its "always on"
> nature, and the relatively high speeds.  if the user doesn't use the net often
> enough to warrant that, then why are they buying BB in the first place?
>
> > if the answer is "to be secure when you're online" then the payoff comes into
> > question. It's saying "you can get a little bit more functionality (ie the
> > broadband connection) for a lot more work", which isn't rational unless you
> > WANT the hobby.
>
> it's the other way around - a lot more functionality (plus a lot more safety)
> for a little more work.
>
> more to the point, securing their machine is the duty and responsibility of
> anyone who connects to the net.
>
> anyone who connects a machine to the internet without having adequate security
> is a danger to themselves and a menace to the rest of the internet-using world.
> they *WILL*, without any doubt, be hacked and compromised within days or hours
> if their internet-connected machine is not secure.  this will cause problems
> for themselves and for many others who will be attacked via their compromised
> machine.
>
> failing to secure an internet-connected machine is negligence, of the same
> nature (but greatly lesser order) as failing to adequately secure firearms in a
> house.  "i didn't bother to think about security" is not an acceptable excuse
> if a child (or a thief) gets their hands on a firearm in the home, nor is it an
> acceptable excuse when an unsecured computer gets hijacked by script-kiddies or
> whatever the latest microsoft worm is.
> 
> 
> 
> > I'm not going to run up a Linux firewall on a second box, because while I
> > endorse the aims and purposes of Linux, why bother? "You can spend months
> > learning a new OS, just to do what you're doing now a bit quicker" - sorry,
> > but I have other hobbies, interests and obsessions. I'm not, not, not
> > devaluing those skills among the experts - I admire them -
>
> if you can secure your internet connection without using linux then good for
> you.  nobody's saying that you, or anyone, must use linux (or freebsd or any
> particular OS).
>
> BUT, and this is a big "but", if you fail to secure your connection then you
> are directly contributing to the security mess on the internet today.  YOU,
> personally, are responsible for your negligence....and one day, i hope, you
> will also be partially liable for any damage caused by your negligence.
>
> unfortunately, legal liability is what it's going to take to fix up the
> security mess.  updated technology by itself is no solution, not unless people
> actually use it correctly.  on the one hand, software manufacturers like
> microsoft and hardware manufacturers like dlink or smc or netcomm must be
> liable for the flaws in their products.  on the other hand, users of those
> products must be liable if they fail to operate them properly, fail to
> configure them securely, and/or fail to apply relevant security patches in a
> timely manner.
>
> until that happens, the internet is going to continue being the security mess
> that it is now.
>
> > but why >should< I learn more about my broadband connection than I know about
> > my washing machine?
>
> duh.  because the internet and computers are just a little bit more complicated
> than a washing machine.  there's a lot more than just a timer and wash-cycle
> dial and an on/off button.
> 
> craig
> 

