Sean Donelan wrote:
> Selling people barn doors and barn door audits is easier than figuring
> out how the rustlers are getting the horses. The problem is the horses
> aren't being rustled(?) through the barn doors. If they were, you would
> expect to see a difference between barns with doors and barns without
> doors. But in practice, we see people with and without firewalls with
> infected computers. Network level controls aren't as effective as
> some people hope at stopping many things. ISPs should stop porn, ISPs
> should stop music sharing, ISPs should stop viruses, ISPs should
> stop <insert here>. Yet somehow users manage to find a way around
> all of them.
> So what makes some users more likely or less likely to have infected
> computers? How do they become infected, but other users don't? What's
> different between the two groups?
Skill, Desire and Luck - not always in that order.
I usually set out my stall on this one by making the following assumptions -
1) any protective measure that relies on users having common sense will inevitably lead to astonishment at how uncommon common sense is (core rule)
2) Warning messages are now so common users don't read them, and web popup boxes even more so. By simple extension therefore, no warning message is of any value - users will read just enough to discover how to make it go away, and if the obvious way of doing so works, won't trouble themselves further. (case in point - "how did that porn dialler get there? I only visited a website or two. Yeah, there was some sort of popup box but I closed it")
3) not all machines will be vulnerable - either by skill, initial design, patching diligence or obsolescence, some machines will be inherently protected against any given outbreak. Downside there is - said users will invariably decide they don't *need* to take protective measures because this one attack couldn't affect them (case in point - most Linux users do not have AV software of any type, despite at least one being free and open source)
4) any scheme that relies on blocking users from what they want to do will be bypassed by at least some of those users; once some of the users know how to do it, the blackhats won't be far behind teaching their creations how to do it too, and the greyhats in writing little pretty GUI tools to do it automagically - relying on users who know how to bypass lockdowns being skilled enough to look after their own security therefore violates rule 1
5) anything that relies on convincing the users (or better yet their machine) that the action *is* what they want to do is onto a winner; see rule 3 and indeed rule 1 for details.
so back to your list.
> ISPs should stop porn,
not going to work - prohibition just makes it harder to regulate stuff, even leaving aside the moral issues of trying to block online what can be bought in most newsagents.
> ISPs should stop music sharing,
why? users obviously want to do it, and in many places it is not a criminal act (copyright violations being civil not criminal in most countries)
ISPs should of course co-operate with any lawful warrant or court order, and (for practical purposes) try to limit their own expenses in having to deal with copyright violations on websites and so forth but in the UK (Not sure about elsewhere) the real problem is commercial pirates selling dodgy copies from stalls or car boots, and that predates the web (and indeed the CD)
> ISPs should stop viruses,
Sure. I don't think that should be free though - plenty of services out there offer filtered, reactive web access to remove all those nasty worms, email viruses and so forth as fast as is possible. Doing that work *costs* and has little or nothing to do with the business of pushing bits down wires. Yay the free market....
> ISPs should stop <insert here>.
damn right. <insert here> has always bugged me