On Mon, 19 Sep 2005, Andy Linton wrote:
David Robb wrote:
Perhaps the correct response is some (more) user education and then allow evolution to take over
There was a paper linked off Slashdot the other day about "The Six Dumbest Ideas in Computer Security". Well up there was "User Education". Most people just don't want to know about computers. They want it to work, and trying to teach them not to do stupid things is like trying to teach a pig to talk - it's a waste of your time, and it annoys the pig.
They will learn when it bites them on the arse. Until then, we're better off trying to be a little proactive and stop them getting bitten in the first place. By that I mean keeping the dog in a cage, not trying to teach them not to bend over in front of the snarling rottie.
I think there's a compromise to be had... somewhere between protection and education. I agree that for every idiot who gets educated, another idiot (or more?) steps up. And that ISPs wear this in the back pocket in terms of tech support. (Then again, some IT contracting companies use this as a moneyspinner...)

Thing is, you can't stop educating people. If you do, the number of 'idiots' grows... You educate, more step up, but at least the number isn't as big as it would be if we simply stopped. The ISPs that create decent knowledge bases / keep references to decent online knowledge bases so that customers can be referred to them 'for education' are, IMHO, on the right track. Gives people a resource they can choose to read. Some 'net users enjoy it enough to want to learn more - to expand their skills, to help them do things faster, or so they can proactively protect themselves from $RISK - be it a virus, a phishing scam, or whatever. Some don't care.

If the Carrier is absolutely-100% certain that their block will cause no harm, and much good, then I don't disagree with it. As long as they formally notify all their customers who're impacted. Likewise the ISP, if they're fairly certain there's no harm and no good, then no harm in a block there too. Difference is that at the ISP level, there's usually something in there that says 'This is, in the end, our network, we can block if we like' - so the liability is internal. (Customer complaining to ISP because they can't reach $SITE is one thing. ISP having to say 'oh, sorry, it's a policy filter upstream of us' is something else.) At the same time user education has to happen, because neither of the above is going to be 100% effective.

If the ISP has a good attitude about doing 'the right thing' (but only when deemed appropriate; the odd Bank Phishing Scam is feasible but we're not talking about dedicating an entire task force to the detection and blocking of these things) - and if the user has had the _opportunity_ to read up on the problem.. and still chooses to be ignorant? Then the ISP has indemnified themselves, and it really does become the user's problem, and responsibility, at that point. I don't think there's any harm in doing the 'responsible' thing. At the same time I don't think a user should expect us to protect them... or they won't learn to do it themselves.

Mark.