They never learn...


You can't teach a dumb dog new tricks:

"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"
In Gorling's view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security, he said.

I understand when a random phishing expedition works because I have received some very convincing emails from phishers that nearly had even the email headers right. However, there is no excuse for people to just keep clicking on any link without even stopping to think about where it might take them. That's about as dumb as giving out your credit card number to everyone who calls you claiming to be from a charity (especially those ones claiming to be police charities).

No, people really aren't going to ever learn until the laws start to change to hold them accountable for when they don't even try to use their heads. We expect people to have a clue with how they drive their cars, how they keep their homes and many other things. Why should computers be any different? If you keep ignoring IT and spreading email worms, you should be fired as an incorrigible employee. If you keep falling victim to phishing scams, then you should have to pay the bank back.

Let's apply this standard to keeping yourself safe. It's precisely how the average feminist sees a woman's role in preventing violence against her. She shouldn't have to worry about the intentions and nature of a strange man she just met. She should be able to go wherever she wants without worrying. Well, that's great. Really great. Too bad security doesn't exist even in theory with this general attitude. The only solution is to create a culture of personal responsibility with respect to security.

4 Comments

So, does that mean we can't expect to be safe?
I'm shocked!
You can't actually mean that people commit crimes?!
This is just ludicrous, and I don't have to take it!
I wonder if I could sue because I feel violated by this post?

- Did I sound sincere enough? I just don't understand why people think everyone is perfect when they aren't either. Oh well, maybe I should go phishing, I mean fishing. ;)

Heh, you should send out an email saying that you are the last in the line of House Atreides, the recent victims of a coup launched by partisans against your father, who is a loyal duke overseeing a vast desert kingdom full of natural wealth. I bet that you'd actually get people who would fall for that.

I think what he's saying is that users, while they use this technology (the same as people use cars), have no idea of how it actually works.

To explain this to the degree that the majority will understand it probably is impossible. The computer isn't an IT system to them; it's more like a toaster or microwave -- i.e. an appliance that does useful things for them.

"users" kill and maim themselves in droves every year misusing common consumer appliances and tools.

Yea, educating will get through to some minority of them, but the bulk will never "get it".

There's still a lot we can do to protect the naive and stupid that isn't being done. URLs in emails could be checked against a known "safe list", forcing people to go to an administrator for something odd. That would eliminate a lot of the phishing victims (home users still lose though).

I'm a little more draconian than most about this. I think we should program the backbone and edge routers to eliminate known bad servers. When some ISP's world falls into the black hole they'll clean their shit up real quick.

The problem with that, Purple Avenger, is that the governments would get in on that act very quickly. I could see the SCOTUS upholding a ruling stating that local routers have to conform to local decency standards where a "fair and reasonable request" is made by the local government. I don't want that, especially since I have had sites that I have done in the past get labeled as porn through guilt by association (everything on Tripod.com was listed as porn by my high school's filter in the late 90s/2000).

The issue I see with using a white list is that you invariably create a massive registry that is unwieldy and time-consuming to use. See, I don't know what's so hard to tell a typical office worker "if you keep clicking on links in non-business-related emails and spreading worms, you'll be fired." I can understand people getting confused by internal emails, but there is no reason to be checking anything but your work email and harmless webmail like GMail at lunch or something.

Yeah, it is just like an appliance to them, but the problem is that people don't even follow the simplest safety guidelines. As one IT security person said, many people giggle about being "computer illiterate" after they've hosed a PC, but how many people would giggle about being "car illiterate" after they wrapped their car around a tree?
