Everhart, Glenn

From: Russ [Russ.Cooper@RC.ON.CA]
Sent: Monday, March 29, 1999 10:09 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Features versus Security versus User Education

None of us can say with certainty whether "users", in general, are clueless or not. There are simply too many "users" out there and too many things for them to be tested on for anyone to know for sure. Anyone who does has a major gold mine that they are not likely going to share with us.

As I said to someone else earlier this evening, the problem is far more complex than whether MS should or shouldn't set something by default.

MS, IMO, is culpable for this problem (lack of security due to features enabled by default) because it is at the basis of their business. Customers, 3rd party vendors, and media critics complain bitterly when something isn't simple, or more importantly, results in increased support costs. From a corporate perspective, most companies expect their IS departments to represent their users' requirements to the vendors. As such, the expected wave of increased support calls that some complex feature (read: more than 3 clicks or tab selections) might evoke often gets a very high priority in feedback.

Add to this the issue of 3rd party companies or livings. If MS hinders a company by making a feature more complex, or obvious via a pop-up warning about insecurities, those 3rd parties are often left dealing with calls from their customers complaining that their product, not MS', doesn't work properly. No doubt all 3rd party vendors have had calls from customers with secured workstations complaining about some aspect of their product that doesn't work, all the while the problem rests with the consumer's administrator who deftly, but quietly, disabled that functionality "in their best interests".

In the case of Viruses, the issue is even more difficult. An entire industry has grown around the presence, and expected long-life, of viruses. If not, there'd be no reason to provide pattern signatures for every virus ever discovered. This isn't a slam against the anti-virus vendors, but the fact of the matter is that some serious capital would be lost if large classes of viruses could be eliminated from the face of the earth. We can all probably accept the reality that they will continue to survive, in one form or another, for longer than any of us would like, thereby ensuring the long-term viability of a given anti-virus program.

Given the penchant for people to sue Microsoft for altering, removing, or adding functionality to their products, the issue of the way features are implemented in their products is one fraught with legal risks. This doesn't even mention the idea that some class action suit gets initiated against them for not "taking the bull by the horns" and simply making it impossible for macro viruses to continue to exist (on the very real assumption that it is possible, albeit difficult and maybe feature-disabling, to actually do so).

So we're left with:

- Administrators generally believe they must take pro-active steps to limit their users' ability to, um, hurt themselves or others. After all, that's what they do for a living. If their job was to educate users they wouldn't be Administrators, they'd be Trainers.

- Profit making entities rely on the features that Microsoft provides (including ones that break systems or degrade functionality) to earn their livelihood. They, having marketing dollars to spend on studies and such, are very influential in convincing MS (and others) that their requirements will sell MS product. Since MS is, after all, in the business of selling their product, such arguments can be, and have been, very persuasive in giving us what we've got.

- Large customers with large license budgets often spend a great deal of their money implementing a customized cadre of MS products. These customizations are often based on the wonderfully complex features MS makes available. They also represent an investment that those customers do not want to see voided by the next version from MS, or the version after that, or after that...etc... Such arguments are also persuasive to a company wanting to upgrade users (MS) to minimize their own support costs. Updates with down-level compatibility are the way to avoid having to support a 10 year old version of your software. Of course that means you have 10 year old technology in your latest version...and security gets in the way...

Some would like to think that the solution is in user education. My Security-related web-portal idea was, in part, based on the premise that users need a place to get answers. Answers at varying levels of sophistication to allow them to learn more.

Fact is, the computer is a tool, and if I need to become an expert with every aspect of a tool in order to do my job, the tool is broken. A carpenter's job is to build a house with hammer and saw. Most aren't likely going to be able to tell you the torsional tolerance of their hammer or the expected number of sawcuts their saw still has in it. When it breaks they'll throw it away and get another; the tool was flawed, not how they used it.

A Sales Rep's job is to sell whatever, with whatever it takes to get the stuff sold. If a computer helps him/her sell, it's good; if it hinders h/h, throw it in the garbage. If you give h/h a computer and tell h/h to go away and learn how to use it, you're a geek, not a boss. If it's not intuitive, you're asking h/h to take valuable time away from the job of selling and devote it to the job of learning a computer (or program, or whatever).

All too many developers have the opinion that if their users would simply spend a little bit of time with their product they'd be able to see the blissful joy it can bring into their lives. Of course the developer isn't trying to do the job of the person using their software; they're writing their program and trying to sell it. The user, otoh, has numerous programs to learn together with keeping abreast of their job itself (like learning about new products to sell, what the current market thinks about their products, where to take the big client to lunch, etc...).

Much of today's software is about getting the user to customize it to suit their own needs. 10,000 customers, 1,000 functions, so 10,000,000 possible configurations. What's the phrase, each man is his own island...;-]

We, in the security community, suffer from the same ailments as developers. To us, all this stuff about signatures and permissions and such are all just necessary things that every user needs to know for us all to survive.

So while user education is something that will have to be done, no matter what else happens, it's not going to happen in a timely fashion. We've been trying for more than 30 years and this is where we're at. The rate at which new, insecure, functionality is introduced versus the rate at which users are learning *anything* about computers is tangential.

If MS didn't release beta versions of their products in as much advance as they do, many large customers wouldn't get one version deployed before the release of another (and more often than not, they skip versions to accommodate the users' learning cycle). The features that get included in products generally attempt to address this issue. Anyone who sells software knows that you'll be the most profitable if you can get your customers to upgrade to each version you release. Each new version attempts to make some previous support issue disappear, or be minimized, while throwing in the new neato-wow features marketing insists are needed to make the product sell.

The problems that have culminated in the Melissa virus, to me, have clearly demonstrated that the idea of relying on users to protect themselves (and relying on users to protect a corporation's ability to function) is "before its time". We're not there yet; we cannot base our businesses on our users' knowledge of computers (risks or functionality).

Most of you reading this do not even get sufficient time from your superiors to properly investigate the issues raised here, let alone spend sufficient time coming up with secure and functional deployment strategies for any given product. Even if you do get some time and/or resources, consider what part of your IT budget you represent and you'll see what I mean. Business is in business to do business...;-]...not train/expect all users to become as aware of computers as vendors may like them to become. Yet to keep users happy, vendors supply products with functionality at the expense of security (and even if there is a switch to enable security, if it's not on by default, the functionality comes at the expense of security).

The bottom line is, as long as users (not Administrators, but the users themselves) continue to ask for functionality without insisting on it being "secure by default", vendors will continue to satisfy their customers' demands.

Marcus Ranum, famed author of the Firewall Toolkit, made the bold suggestion to (paraphrased) "break everything on a given date and then we'll have to replace it". When "most systems stop working", due to an exploit on steroids lurking around the corner, users may be receptive to our message. Until then, only Microsoft holds the power, has the user base, and the depth of pockets, required to mandate a more secure computing environment. Given their fear of being left behind in the next big wave of whatever, I doubt the MS shareholders would ever let them, even if they wanted to.

In the meantime, maybe everyone should write a little letter to the President of their company which simply says:

"You realize that at some point in the future our entire computing environment is going to crash down around our ears for several weeks. I just want it to be clear that I am not responsible for this, nor can I prevent it. We could, however, ask Microsoft to make it impossible, but that would mean deferring deployment of for 18 months."

Doesn't make you any more secure, but since we, as infosec professionals, are the only ones likely to be found liable in such an event, you'll be legally protected...;-]

Cheers,
Russ - NTBugtraq moderator

p.s. We hear about usability testing and folks being polled as to what they need to do their job more efficiently quite a bit. The story goes that security is not, generally, a high priority to most users. The implication is that the user has had the security implications of a feature fully explained to them prior to them giving their feedback. I defy any marketing organization to show me such a survey and let me quiz the participants as to what they did, or didn't, know about the security implications they tossed in favor of functionality. In my mind, this makes all user feedback misleading. If only someone out there had the funds to do a proper Gallup poll to find out what users really believe about the security of the software they own. I bet the results would be that users just expect their software to be secure without asking for it and are baffled when they're presented with a prompt attempting to explain some risk, but that's just my opinion...;-]