Casual Hex and the Failure of Security Awareness Training
This week I'm pleased to announce that this week's guest haxxor, Larry Pesce from PaulDotCom, was able to extract himself from the Matrix for this post. This is all the more remarkable when you consider the availability of free beer within the Matrix (Larry, I'll buy you a beer the day we meet, so long as you promise not to Shmooball me). My thanks to Larry! Please leave your comments below...
by Larry Pesce
I've been preaching education for end users for quite some time, knowing that having educated users would keep them from getting owned, either at home or at work.
I'm beginning to think that user education is a losing battle.
We've preached to our users about safe internet practices. We tell them to examine SSL certificates. We tell them not to open e-mail attachments from people that they were not expecting.
What do they do? Exactly the opposite of what we say. Why? Human nature, I suppose. In 99% of cases, the users we are supporting are not what you'd call tech savvy. Sure, they can set the clock on their VCR nowadays, but they don't know how to use the computer to do much more than the job at hand. They just want that new piece of technology (computer or otherwise) to work. They want to get their job done, communicate with their friends, or do something cool.
When we do convince them to click "NO", and it doesn't work or do something cool, they try again and click "YES". Nothing Advanced or terribly Persistent about it. Yes, it is still a threat.
So why doesn't user education work? No matter how many seminars we give, pamphlets we distribute, or posters we hang, quite frankly, our users don't care.
I used to think that if the education worked for just one person in an organization it was all worth it. The problem is that all of that education is a lot of work to develop and deliver to reach one person out of fifty. With persistent education, maybe we will get three out of those fifty. Scale that up a bit and those aren't very good odds for helping protect your organization.
Let's draw a parallel to the recent compromises at Google. Not having worked there, I have to make some assumptions about the skill level and caring of the staff there. One has to figure that most of the employees are pretty technical and get the risk. They, for the most part, don't need the user education. The problem is there are a whole bunch of people that help that business run who aren't techies. That's who gets owned. I'd imagine that Google has a pretty darned good internal user education program. They still got owned.
So, how do we save the users from themselves? Maybe this whole internet fad is out of hand. We can spend metric assloads of money on security technology and the people to appropriately staff it. Or we can change the way people think about the internet in general in a work environment. Instead of user education for everyone connected to the internet at the office, how about we make the use of the internet a privilege, not an inalienable right?
Now the user education for the few people in the organization who actually do have access to the internet will hopefully have a little more punch, potentially reduce our costs on security technology and staffing, and potentially change our overall security posture.
Best of luck on whichever direction you choose. It is just a matter of time before we're all compromised no matter what we do.