Securing home computers (Was: Re: [Dshield] Re: [Full-Disclosure] Port Blocking)

Stephane Grobety security at admin.fulgan.com
Sun Jun 29 09:22:32 GMT 2003


ET> With all due respect, I think we can expect people to exercise due
ET> diligence in running a fairly secure system.

No.  You can't expect so-called "home users" to do so. They haven't,
they don't and they probably never will. Simple statistics about the
number of Zombies out there and a single pass at your firewall logs
will show you that home users, as a rule, do NOT run a secure box.

It's getting better today thanks to the wide availability of NAT
appliances (often used in conjunction with DSL) and of automatic
system updates, but the average home user box is still unprotected and
open to several hacks.


ET> We don't require people to
ET> work on their own automobiles: however, we do require that they pass a
ET> safety inspection (and, in some areas, an emissions inspection), and if
ET> the car needs repairs they get done BEFORE it is certified as fit to
ET> operate on the public streets.

And nothing of the same exists with computers. Chances are, nothing
similar will EVER exist for computers, for many reasons: high
frequency of the maintenance needed (you'd need an inspection a WEEK
to keep a box reasonably secure), low risk factor (no physical
injuries, insurance doesn't reimburse anyone for a poorly secured
boxen), difficulty in enforcing the inspection, etc.


ET> So, why can't we require people to properly secure their computers?

I just listed a few. It's a nice dream to have only qualified people
using computers, but it's neither the situation we have today nor the
direction the industry is heading in.

ET> I,
ET> personally, see this as a differentiator between a "real" ISP and
ET> someone simply providing a toll-booth on the Information Super-Highway.

How come we've jumped to ISPs now? You were talking about users, not
access point providers.

ET> And, if the mega-ISPs can't afford to provide this for the $9.95/month
ET> they are charging, then they can either raise their fees, or maybe some
ET> of the unemployed ex-dot-commie sysadmins can freelance and really,
ET> honestly use the Internet to earn a generous living (I would have said
ET> "Make $$$$MONEY$$$$$ Fast!", but that probably would have set off a
ET> bunch of spam filters...oops. :-)

So you say the ISPs should be the ones "enforcing" this rule? Well,
that's the logical point to enforce it, but it's unrealistic to expect
them to do so. It would cost them a LOT of money (remember: it's one
thing to detect a failure, it's another to FIX it) and they would
only lose customers to the next network that simply doesn't put such
requirements on its users.

ET> Anyway, this is certainly something to think about...  an at-home
ET> business providing support to clueless home PC users... hmmm, getting
ET> paid for what my relatives already expect me to do...  let's see, when
ET> is my company going to have their next layoff?

Everyone would agree that it is a good thing to secure home users'
boxen. Sadly, there is simply no practical way to do so on a large
enough scale to make a difference.

Remember one thing: security is a cost for everyone. It's sometimes
hard enough to press the need for computer security on a company, so I
can't imagine how you expect to persuade home users to invest money in
that.

Good luck,
Stephane