[Dshield] "Personal Firewalls" are mostly snake-oil"

Evans, TJ tjevans at kpmg.com
Mon Jul 22 16:27:28 GMT 2002

Parts of this discussion fall into the "four stages of learning" ... 
(read these somewhere .. also - "incompetent" is not being used in an
insulting manner, just factual)

Stage 1	Unconscious Incompetent
		You don't even realize how much you don't know
		(at this point you are a danger to yourself and others :))

Stage 2	Conscious Incompetent
		You know enough to know that there are details you don't
		(you are now only dangerous to yourself :) )

Stage 3	Conscious competent
		You know (think you know) all that you need to know
		(at this point you are capable of being productive!)
		(also - no longer quite as dangerous :))

Stage 4	Unconscious competent
		You know it so well you don't even need to think about it.
		(You are now highly proficient; and "expert" in the field)

I think as long as users are aware that Zone/Tiny/etc. are not magic bullets
which come along and auto-magically (not to mention FREE) stop all of the
bad guys, but that they instead comprise one of many layers in forming a
relatively secure computing environment, they are a critical piece.

Especially given that <quoting some news source> 60% of all InfoSec
violations are internal, you do indeed need to protect Joe User from Jane


-----Original Message-----
From: Russell Washington [mailto:russ.washington at vaultsentry.com] 
Sent: Monday, July 22, 2002 11:13 AM
To: 'list at dshield.org'
Subject: RE: Re[2]: [Dshield] "Personal Firewalls" are mostly snake-oil"

Re this:

> Now, you're being completely unfair here. First, you can't expect the Joe
Average to learn about IP services and the like. Home users are NOT
specialists and, while most of them have enough sense to read and follow
simple manuals, there is simply too much to know before you can configure a
firewall properly. <

I think the point is that to configure and use a firewall properly, you DO
have to know this stuff, and if you DON'T then you're deceiving yourself the
moment you tell yourself you know all you have to.

The problem with many software products is that in deference to a lack of
end-user expertise, they are designed to give the user the sense that
something is being done properly when in fact it is not.  The user then
turns around and starts questioning whether the "experts" know more than
they (the users) do and invariably assume that those experts don't
(something about all of us being equal, same, whatever).  You see this in
fields all over the place that involve skilled labor-- IT, electricians,
auto repair, yadda yadda.  So Joe User decides that he knows just as much as
"those security expert guys" and merrily throws some doodad that says "you
can protect yourself, you don't need those other (expensive) products and
you don't need to know anything new" onto his system.  Then he thumbs his
nose, least importantly at the folks who do know something, but most
importantly, at the very notion that he is at risk of compromise at ALL.

Because there is "too much to know" that Joe User doesn't know, he now
thinks he's Superman and that in fact there isn't any such thing as
Kryptonite either, so he's got a leg up on the situation.  Sitting duck.
Quack quack. :)

Yes, I know Joe User can't be expected to know the guts of TCP/IP.  But with
that in mind, I wouldn't hand a Joe User client *any* product that
facilitated their sense that NOBODY, himself included, needs to know this
stuff to offer them adequate protection.  The word "deception" comes to

Dshield mailing list
Dshield at dshield.org