Thu 4 Feb 2010
Are we being irresponsible?
Posted by andyitguy under information security, user awareness
I’m listening to the Panda Security Blogger Summit 2010 right now. Last year I was privileged to be a panelist in the first Security Blogger Summit and thoroughly enjoyed my trip to Madrid and the summit. Right now they are in the middle of a heated debate regarding the responsibility of the end user in security. We had this same debate last year and it has gone on and on in many other venues as well. You all know that I feel strongly that the user has a responsibility to act in a safe manner and that we, as security professionals, have a responsibility to help them learn what they need to learn.
One of the panelists said that the user has no responsibility and that we should not expect them to be responsible. In my opinion this is an irresponsible comment and attitude on his part and on the part of anyone who feels the same way. Now, before you all get mad at me, let me give you an analogy.
I’m Joe Enduser and I have a PC that is connected to the internet via DSL. I have let my 30 day trial of Panda Internet Security 2010 expire. (I decided to use them since they are the ones that “fueled” the discussion.) I also partake in risky behavior such as visiting porn sites, downloading movies from these sites and installing the video codec that they say I need. I’ve got a friend who tries to give me “security” advice but I ignore him since we all know that security is a bother, especially when we are trying to be productive at work. Let’s not forget the fact that I love to click on links in spam email because some of them take me to some very interesting sites.
Of course, with all of this risky behavior I have picked up a few pieces of malware (that I’m not aware of, since my AV is expired and even got disabled by one of them) and there is a keystroke logger on my system. I’m pretty well off and my bank accounts are pretty tempting to criminals. So one day I discover that several thousand dollars have “disappeared” out of my accounts. Then a few days later I am paid a visit by the FBI because they have found child porn on another computer that was downloaded from my PC, and to top things off my PC was part of a botnet that DDoS’d the NSA web site yesterday.
You see, my PC is connected to the internet and by default it is connected to every other PC, router, server, and switch on the internet. My PC is NOT an island, and my irresponsible actions have enabled scum to view child porn, funded international crime and attacked the US Government. Yet I’m not expected to be held responsible for any of this because, after all, I’m just a “stupid user”.
If I am driving on an unfamiliar road in another city and don’t see the speed limit sign that told me that I had to quit traveling 45 mph and now must travel 25 mph, I’m still held responsible when I get pulled over. If I’m in a town that has a law against spitting on the sidewalk and I spit on it, I’m still held responsible if I get caught. Even though I’m not familiar with the town and its laws, I am still responsible for my actions. I am expected to conduct myself in a manner that lines up with the laws of that town.
If I leave a loaded gun on my front porch and you pick it up and shoot someone with it, you and I will both be held responsible for our actions. Yet when it comes to using a PC that can be used to ruin someone’s life, attack a corporation or government, spread malicious content, etc., I’m expected to remain completely ignorant and that’s OK. I can’t agree with that. If we expect our users to be stupid then they will be. If we expect them to learn how to reasonably act on their systems then most of them will.
If we want a voice in security then we need to ensure that our voice is not spouting irresponsible comments and encouraging irresponsible actions. We will never stop all stupid users, and we won’t even stop all users from doing some stupid things, but that doesn’t mean that we shouldn’t do all that we can. It sure doesn’t mean that we can excuse their behavior and not expect them to do their part and make a change for the better.


I agree there needs to be a level of responsibility assigned when folks act (or fail to act) according to generally accepted rules. I think the rub comes when, for no reason other than they were connected to the internet, people get pwned. For example, my parents don’t surf porn (as best I know and I’m not asking questions), have anti-virus up to date, and generally follow the steps we tell general users to do. Even with all that “bad things happen”. Can we hold them solely responsible?
I don’t think so. I think there’s enough responsibility (versus “blame”, which is a different conversation entirely) to go around. How do we sort this out? I don’t know. But I’m puzzling it out…
Armorguy, I agree that in cases where the user gets pwned just because, that is different. My concern is that there is a growing number of security pros who are saying “give up on the user and let them do as they will”. That takes ALL responsibility from them and allows them to do as they please while the rest of us suffer for their actions. Sounds like a lot of government programs, doesn’t it?
I just think that if we expect little we will get little and if we expect responsibility we will get a good deal more of it than we currently are. I’m also not advocating that we “make them pay” so much as we teach them and expect them to act in a responsible manner.
This sounds like a great conversation for a podcast sometime.
I agree with the responsibility of the user like you said, in the manner that users have to conduct themselves in a good way, like in a car etc.
But there is also the responsibility of the company that makes the software, which should be held responsible exactly like the car manufacturer (let’s take the Toyota example of these days): if there is a problem with the car, Toyota gets the responsibility, not the user!
Responsibility of the user AND company should be involved in your post.
The users do have some responsibility. There is no doubt about that, in my mind. The question is whether they get the burden of ALL of the responsibility or not.
As Pat was saying, the real world analogy requires that the developers/vendors take some responsibility for their products, like car manufacturers. In my state, you cannot buy a car and take possession of it without first providing proof you are a licensed and insured driver. To put a PC on the Internet, it could be as simple as getting an old laptop with a wifi card and going to McDonald’s.
Pat and Brian, I agree that the developers and vendors have a level of responsibility in this but that is another subject for another post.
Thanks for your input!