On Thu, 2 Jun 2005, Marcus J. Ranum wrote:

> Paul D. Robertson wrote:
> >They understood what they were doing- ordering DSL service.

> You neatly sidestepped answering my important question, which
> is whether or not their product documentation might have included
> information that there was also a wireless access point included
> (and possibly even how to secure it) with the router. By that logic

Because I don't know yet- when I get home, I'll find out for sure.

> someone who chooses to remain ignorant about safe chainsawing
> techniques is not at fault if they cut their foot off because "all
> they needed to know was that they were cutting wood." I think
> that the laws on the books regarding vehicular manslaughter, etc,
> indicate that society has established an expectation of understanding
> and expertise on the part of users of tools that need expertise and
> knowledge.

I've seen the manuals that come with chainsaws, and I've seen the manuals
that come with DSL routers, and I can tell you there's a heap of
difference. Don't forget that self-install is relatively new for DSL, it
wasn't too long ago that the carrier wanted to send someone out to do the

> Perhaps the ISP's lawyers should have included a big red
> sticker on the router that read "BEFORE PLUGGING THIS IN
> YOU MUST HAVE A CLUE." But that's obvious. In fact, it
> probably also came with admonitions to "read the fine manual."
> Just like my chainsaw does.

I'm betting it didn't, but as I said, I'll verify when I'm back in town.
I know that my current cellular telephone didn't come with a bunch of
stuff telling me it was ready to go forth and get done by Bluetooth.

> >Do you honestly think the documentation that comes with a DSL router gives
> >the average consumer without wireless equipment enough information to make
> >a real risk judgment?

> Of course it doesn't. But that's an explanation, not an excuse.

I don't know- if it's not obvious that if you don't have that, it still
applies, then I think it might be a fair excuse.

> >I think there's a happier ground that's somewhere in the middle- and I
> >think that absolving vendors of any of the downfall of their products is
> >just as bad as making them responsible for all of it...

> I agree with that. So does the law. If a vendor sells something based
> on deceptive claims it's against the law and vendors of various products
> (including a few cases involving computer security products) have
> been hauled in by the FTC for deceptive claims or marketing. *
> The only effect of getting lawyers involved in this kind of thing would
> be to have the DSL router come with 30 pages of legal warnings
> written by the providers' lawyers, disclaiming all liability for incorrect
> use of the product and/or service. In fact I bet if we researched this
> particular incident more closely we'd discover that the customers
> *already* had gotten and ignored such warnings. Maybe we could

I'm betting a beer that you're wrong.

> require that the ISP sell the product with a big red sticky WARNING
> label on it for the customer to peel off and ignore.

That works for me.

> In the best of all possible worlds, of course, the product would
> ship with unnecessary everything turned off, and a tight policy
> enabled by default. Requiring the customer to take a deliberate
> action to bring about their downfall is a good approach. I.e.: "Click
> >>HERE<< to install new Spyware." Which, of course, they

> will do.
> If you push this point to the legal system, all products will
> ship with a fluorescent sticker that reads "RTFM" on it. And
> that's about it. I think that'd be funny but it won't help.
> >In this case, the product is shipped open so the vendors in question don't
> >have to take the expense of support calls. In that case, I think it's
> >reasonable to have them bear the brunt of the cost of that configuration choice.

> I think neither of us know enough to say. Do you actually know
> that it shipped open for the vendors' convenience? Do you know
> whether the customer received any admonition to read the fine
> manual? For all I know, the customer might have paid $20 extra
> for a DSL router with "wireless" thinking that sounded Very Cool.
> We just don't know enough to say.

We know (a) it wasn't shipped closed, and (b) it wasn't configured for the
customer's security.

> I do know one thing: if CNN covered the story about some family
> of clueless yutzes having their door kicked in by gun-wielding
> law enforcement officers because they had their DSL mis-configured,
> *and* CNN covered the fact that the family had to *pay* for the
> expenses of the SWAT team, and the door, and their legal
> defense and the spackle to fix the bullet holes -- well, I bet a
> few more people would ask their providers, "this hasn't got that
> wireless stuff that attracts SWAT teams, does it? I don't want
> any of that..."

For a week maybe.

> >Ah grasshopper, you miss the point. The *life* of a security admin is to
> >take the high road, but the *job* of a security admin is to get his
> >organization to take the high road. That can only be done by ensuring
> >that the executive level knows when it's doing the right thing.

> I got that. I think we're violently in agreement on this point.
> Security experts should help their constituents understand that
> there is a true path, and help them walk it. Yet, above and
> beyond that is a truer path, still, which is that of telling people
> "the true path is for YOU to understand the path, and stop
> asking ME."
> Put differently: we're too busy trying to explain to lots of
> execs why the front of their trousers are all damp. Option
> #1 is to tell them "unzip before you p*ss" Option #2 is to
> tell them, "you should think before you p*ss" Option #3
> is to tell them, "you should understand what you're doing
> as it affects yourself and others." Which is the true path,
> sensei?

Certainly it's not saying "Look you clueless yutz! You're covered in it!"

We don't expect 2yr olds to understand the hygiene issues dealing with
going to the bathroom- and I think it's probably misplaced to expect IT
execs to understand the hygienic issues dealing with security. Teach them
to go, make a big deal out of how they're acting like big boys and girls,
and let them have some candy. It's less painful if they just learn to do
what we say when we say it. But for that to happen we have to have their
trust, and laughing at them probably isn't the best vector to get there.

In fact, if you go in thinking they're two, you'll understand why they get
distracted by the sparkly stuff.

> >I've never been accused of being appeasing, cajoling or stroking by anyone
> >I've ever worked for. I suppose manipulative works when you have to go
> >explain the auditor's conclusions for them in a meeting with the CIO.

> I know you haven't. That's why I'll share beers with you any time.
> >> This whole information security thing is eventually going
> >> to filter into everyone's consciousness as relevant, but
> >> only after there's lots of pain. Unfortunately, it's usually
> >> the innocent who bear the brunt of the cost of the great
> >> "learning experience"

> >
> >Ah, but you've said they're not innocent.

> In that case, I was thinking of the poor suckers who were getting
> spammed as the "innocent"

They should have understood the downsides of e-mail when they asked for

Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
firewall-wizards mailing list