Impressing Security Upon End-Users Visually?

Soulskill posted more than 3 years ago | from the shake-your-fist-and-glare dept.

Security 157

get quad writes "I continually have to remind our end-users to be vigilant about the usual web security hazards, such as not clicking links in the occasional spam email that passes through our filters, avoiding suspicious websites, why some websites aren't entirely safe or appropriate for the work environment (Facebook apps, MySpace, remote access apps, proxies, etc), and the myriad other things an end-user can do to get into trouble. What I'm hoping to find are video or flash examples (mind you, in layman's terms) of what Web-based exploits/zero-day threats are capable of, how they can happen, and the harm they can ultimately cause — rather than posting links to technical docs the users will never bother to read. Getting the point across in a purely visual and less technical manner seems much more effective. Does anyone have any suggestions or experience with this type of training?"

157 comments

Explosions! (3, Funny)

sopssa (1498795) | more than 3 years ago | (#29856859)

Make a video where the user clicks "Run File" in Internet Explorer and then the building explodes.

Security holes (1)

Smegly (1607157) | more than 3 years ago | (#29856939)

Even easier with better impact, just give a simple security message that any wrong action on their part can open a security hole - then flash the g'tse [wikipedia.org] image.
Your users will not dare to violate your security rules after that, and probably not ever again for the rest of their lives.

Re:Security holes (4, Funny)

snowraver1 (1052510) | more than 3 years ago | (#29857081)

Just show them this:

http://www.youtube.com/watch?v=1SNxaJlicEU

Re:Security holes (1)

mysidia (191772) | more than 3 years ago | (#29857555)

Yeah... but the author was asking how to show them visually computer security risks.

Not how to get fired and sued by displaying imagery that would be offensive to the average person.

Re:Security holes (1)

AndGodSed (968378) | more than 3 years ago | (#29857573)

I think you define "average person" very widely...

Re:Security holes (1)

The Archon V2.0 (782634) | more than 3 years ago | (#29857731)

> I think you define "average person" very widely...

Doesn't something that's average, by its nature, have to be defined widely...?

Re:Security holes (1)

darkpixel2k (623900) | more than 3 years ago | (#29857735)

> Even easier with better impact, just give a simple security message that any wrong action on their part can open a security hole

Didn't Microsoft already try UAC and fail miserably...

Re:Explosions! (3, Funny)

xgadflyx (828530) | more than 3 years ago | (#29856947)

Actually, we've found that "making an example" has been the most effective security measure. Call a meeting - "Tom here has decided to do $INSERT_ENDUSER_STUPIDITY, so we're going to take this time to show you what happens.." Then you just grab a hammer and smash fingers. Some people puke others just turn in disgust - regardless we haven't had a user click a fishing email in over 2 years.

Re:Explosions! (0)

Anonymous Coward | more than 3 years ago | (#29858787)

A) You're messed up. Seek help.

B) You're obviously NOT a computer professional, or you would know the difference between fishing and phishing.

Re:Explosions! (2, Funny)

Anonymous Coward | more than 3 years ago | (#29857267)

There's a freeware program that, when run, starts flashing the screen, and plays at MAX volume "HEY EVERONE, I'm looking at GAY porno!" ... just send that around, and people will quickly learn not to open programs.

Re:Explosions! (2, Insightful)

pentalive (449155) | more than 3 years ago | (#29857289)

That may have the same sort of effect as "Reefer Madness" = Audience ignores message due to "over the top"ness of the presentation.

Re:Explosions! (0)

Anonymous Coward | more than 3 years ago | (#29857445)

You could make a video using goatse as the ultimate graphic example of what happens when their computers get compromised.

Re:Explosions! (0)

Anonymous Coward | more than 3 years ago | (#29857521)

Or put a gun in their face every time they screw up.

I personally have given up on trying to educate users. They don't care. They won't care. Choke down on your rights as much as you can while allowing them to get their work done, keep good easily restored backups of everything, and assume your users are going to fuck your network up. When they do, restore everything and keep browsing the job boards looking for a field that isn't as repetitive and hopeless as IT, like bringing world peace or something.

Re:Explosions! (2, Insightful)

Runaway1956 (1322357) | more than 3 years ago | (#29857873)

Hmmm. I read the posted question/summary. Started scrolling down, reading comments. Stopped. Go back up and read just the title. Hmmm. Forget everything else, just concentrate on the title.

Could you make some kind of a monitoring app, which displays a graphic?

I don't mean to make a new antivirus. Just some graphic attached to existing antivirus and anti-malware software. It monitors the stupid things people do, and displays a ribbon or something across the top of the toolbar. Put a red end on the ribbon, and the red starts filling up the ribbon. When the user does something REALLY stupid, he gets popups, which grow more and more annoying.

For people with a clue, the ribbon just serves as a reminder. For people without a clue, those popups get more and more "In your FACE". Give the thing the ability to log those events and warnings, so the IT guy can bring it up, and show the idiot who refuses to be warned.

Just an idea - but I think it would be helpful to stick something like that on your most obtuse users' desktops.

Re:Explosions! (1)

maxume (22995) | more than 3 years ago | (#29858559)

If stupid user actions were that predictable, it would be a simple matter to just prevent them from doing anything.

Re:Explosions! (2, Interesting)

DiegoBravo (324012) | more than 3 years ago | (#29858715)

> such as not clicking links in the occasional spam email which passes through filters, avoiding suspicious websites,

Just set up a daily CRON job to send an email with a link pointing to a page in your web server that shows:

YOU CLICKED THE BAD LINK. YOU'RE AN IDIOT. NEXT TIME WE'LL CUT YOUR SALARY.

For the email subject, just collect a handful of common spam phrases, like "Tired of seeing disappointed faces on women when they pull down your pants". Problem solved.

Yell at them and make them feel like shit. (0, Insightful)

Anonymous Coward | more than 3 years ago | (#29856871)

Some users will "get it" with just a simple explanation. They're the easy ones to deal with. Give them an example, explain how it'll harm them, and they won't fuck up again.

Other users, however, should probably be treated like children, or in some cases, dogs. It doesn't matter how many times you tell or show them what not to do. They won't understand the harm it's causing.

Your only option is to yell at those idiots. Yell and yell and yell and yell. Make them feel like the shit that they are. They still won't understand why they shouldn't do the things you tell them not to do. They just won't do it to avoid your angry reaction.

Re:Yell at them and make them feel like shit. (1)

Shadow of Eternity (795165) | more than 3 years ago | (#29856907)

Unfortunately, this and worse is pretty much true. There are people out there that no matter what you do will still make stupid mistakes anyway for the dumbest reasons and then they'll be angry with you for not magically protecting them from their own incompetence.

Your only real solution is to either keep cleaning up after them or try and get their internet access revoked somehow.

Re:Yell at them and make them feel like shit. (1)

1s44c (552956) | more than 3 years ago | (#29857035)

> There are people out there that no matter what you do will still make stupid mistakes anyway for the dumbest reasons and then they'll be angry with you for not magically protecting them from their own incompetence.
>
> Your only real solution is to either keep cleaning up after them or try and get their internet access revoked somehow.

I have much the same experiences. I find that firewalling everything and forcing users to use a web proxy and mail gateway works pretty well. There is no reason for having office staff able to directly contact the Internet on any port.

Re:Yell at them and make them feel like shit. (1)

m.ducharme (1082683) | more than 3 years ago | (#29857759)

I think you under-estimate how easy it is to train dogs.

Re:Yell at them and make them feel like shit. (1)

maharb (1534501) | more than 3 years ago | (#29857813)

Only after you give them tons of doggy treats which, as far as I can tell, there are no substitutes for in training humans. We are SOL.

Re:Yell at them and make them feel like shit. (1)

MachDelta (704883) | more than 3 years ago | (#29858165)

I think the human treat you may be looking for is a flat rectangular green object that is easily folded and often found in banks.
At least, in my experiences it seems to motivate people pretty well. :P

Re:Yell at them and make them feel like shit. (1)

Shadow of Eternity (795165) | more than 3 years ago | (#29859081)

Bacon's cheaper and works just as well for most gentiles.

Re:Yell at them and make them feel like shit. (0)

Anonymous Coward | more than 3 years ago | (#29857121)

Why not simply announce the company may deduct the cost of fixing the broken security and the damages done by the broken security? Make it specific that it will be for them doing the things cautioned against, and will come from their salaries, and retirement benefits, at a rate of X per month?

Re:Yell at them and make them feel like shit. (1)

Teun (17872) | more than 3 years ago | (#29857351)

And then you have to explain it was the user's doing, not your fault supplying leaky tools like, say, Windows.

Our company runs company computers through a proxy, visitors and private laptops can connect directly.

Re:Yell at them and make them feel like shit. (4, Interesting)

DoraLives (622001) | more than 3 years ago | (#29857429)

This actually worked at the small enterprise where I take care of things. A user managed to get their machine mucked up with a bunch of spyware and adware by clicking in a forwarded email. I cleaned the machine and then management called a meeting a day or two later. Had every one of the employees in attendance. I gave the standard presentation about email safety, as well as general internet safety. I sat down. The director stood up and informed everyone in the room that the next time a machine needed to be cleaned as a result of operator error, the bill for my services (not cheap) would be deducted from the relevant employee's next paycheck. A sheet of paper was then passed around, with the same directive written on it, and all employees were instructed to either sign or lose their job. They all signed.

That was two years ago. Have not had a SINGLE instance of any malware on any machine, since that time. People now ask me every time they have any doubts about what they're doing, and I've headed off a few potential catastrophes since that started happening.

I'm guessing it's not a coincidence.

Re:Yell at them and make them feel like shit. (4, Interesting)

MachDelta (704883) | more than 3 years ago | (#29857993)

Huh. Where I happen to live in soviet Canuckistan, both having your wages deducted for accidental damages caused on the job AND being forced to sign something under the threat of losing your job are both illegal.

Something vaguely similar happened at where I work. Weekend attendance had been optional for a very very long time, but management felt that too many people were just taking every weekend off because, well, people like their weekends. Anyways, to try and boost attendance they tried to make everyone sign an agreement basically saying that everyone had to work every single weekend unless excused, and excuses had to be given up to three weeks in advance... and this was all under a threat of "or else". A few of the sheeple signed right away for fear of losing their jobs. When it got round to me, I just laughed and threw the paper in the garbage. My boss tried to give me shit (this was in front of a dozen co-workers, so he had to make a stand) but I interrupted him to inform him that he could not unilaterally renegotiate my job description or fire me if I didn't agree to it, and if he ever tried to push me (or any of us) around like that again, that the provincial labour board would come down on the place like a ten thousand pound bag of shit for it and all the other little skeletons-in-the-closet that I knew about. The next day their little piece of paper disappeared without a trace.

YMMV.

The real answer is ... (1)

NotBornYesterday (1093817) | more than 3 years ago | (#29858153)

> The director stood up

You found the holy grail of successful IT endeavors, (including educating end users) - executive buy-in and support. I know at least a dozen companies in which the executives pay lip service to lots of things, such as IT security, but don't actually actively support them. As a result, nothing really gets done in those areas.

Show me a company that hires good IT folks, makes them feel valued, and supports them, and you will find a company with a rock solid IT infrastructure.

Re:Yell at them and make them feel like shit. (3, Insightful)

NoYob (1630681) | more than 3 years ago | (#29857161)

What some will do then is go out of their way to click on shit to fuck things up. Treating people like shit will never work.

Then, if you work in a company, said stupid people will undermine you. They'll make sure mgt knows you're insulting and unprofessional. Anything breaks, they'll let their bosses know that you were the one who "fixed" it and that your fixes don't work.

Treat people like children and they will usually act like children.

Re:Yell at them and make them feel like shit. (2, Interesting)

AndGodSed (968378) | more than 3 years ago | (#29857725)

I can second that. I tried the opposite and for some reason it worked, below is a link to my own "I clicked on an email link" type virus scenario.

(Apologies for the shameless blog punt...)

http://blog.g33q.co.za/2009/07/16/why-no-operating-system-is-safe-not-one/ [g33q.co.za]

Since then I have done the opposite of being the bofh.

One of the girls who work there was one of the main culprits in spreading the virus around by sending the mail to EVERYONE and copying files from every darn flashdrive she can get her hands on.

So I started joking with her regarding her having the most viruses on her computer, and since they are in an open plan office I did not need to work very hard to make that apparent. Also her Outlook broke, refused to run in anything but safe mode.

I refused to fix it. I just looked at it, fooled around with it a bit and loudly proclaimed "Heck it must've broken because of that virus you had!"

Since that day there has been the odd virus mail (the greeting card type ones are very popular...) but there has not been a major breakout of viruses. Usually they still begin with that girl - she just doesn't listen about security and so on - but as soon as anyone gets NOD complaining about a virus the attitude is to get in contact with me immediately, and to not forward each other funny mails.

Heck they even refuse funnies from this girl and her flashdrive is not allowed on anyone's computer - not via management directive, but because the users themselves don't want her flashdrive.

I have caused her to be a bit of a computer leper, and for that reason there has been exactly two virus scares...

Re:Yell at them and make them feel like shit. (2, Insightful)

Brett Buck (811747) | more than 3 years ago | (#29857257)

> Your only option is to yell at those idiots. Yell and yell and yell and yell. Make them feel like the shit that they are. They still won't understand why they shouldn't do the things you tell them not to do. They just won't do it to avoid your angry reaction.

That will be a great story to tell all those people you meet at the unemployment office, there, tough guy.

Brett

Re:Yell at them and make them feel like shit. (1)

AmiMoJo (196126) | more than 3 years ago | (#29857331)

What you want is an airbag behind the screen. When a virus is detected the airbag explodes out. The glass in the screen lacerates the user's face and indelible red ink on the airbag stains their skin for weeks to come.

Alternatively you could have a little water cannon under the desk that sprays their crotch so everyone thinks they wet themselves.

Only that kind of humiliation can ever hope to teach these lusers. -BOFH

Re:Yell at them and make them feel like shit. (0)

Anonymous Coward | more than 3 years ago | (#29857409)

Do make sure you measure them up before yelling. You don't want to start yelling and swearing in an office and calling some guy all sorts of names, only to find out it's actually a relative of Andre the Giant with the same size, mass and temper :-)

Dont you mean "oppresing"... (1)

lawnboy5-O (772026) | more than 3 years ago | (#29856893)

Why can't users choose their own level of security - idiots be damned. But I bet you find a whole bunch of people wise-up really fast. :P

Re:Dont you mean "oppresing"... (3, Interesting)

1s44c (552956) | more than 3 years ago | (#29856977)

> Why can't users choose their own level of security - idiots be damned. But I bet you find a whole bunch of people wise-up really fast. :P

You could try it but I doubt it will make your life easier. Most users don't understand and don't care and will expect you to fix their mistakes over and over again. Most of them have some kind of twisted pride in their ignorance.

There was research done on office staff by flashing up random warning messages on their screens, most users ignored the messages no matter what they said, clicked anything to get rid of the message, and immediately forgot there was even a message.

Re:Dont you mean "oppresing"... (1)

lawnboy5-O (772026) | more than 3 years ago | (#29857065)

I agree - it's like herding cattle. I was hoping to open an avenue of thought concerning educating the user more... even if in an extreme example. Good thoughts friend. VERY interesting research cited... can you point us to the details? Thanks!

Re:Dont you mean "oppresing"... (3, Informative)

1s44c (552956) | more than 3 years ago | (#29857133)

I did find this:

http://arstechnica.com/security/news/2008/09/study-confirms-users-are-idiots.ars [arstechnica.com]

I'm not sure if it's the study I was thinking of though.

Study confirms [Re:Dont you mean "oppresing" (sic) (1, Informative)

Anonymous Coward | more than 3 years ago | (#29857241)

> ...study-confirms-users-are-idiots.ars [arstechnica.com]

Unfortunately, there should be another article titled "study confirms that computer system administrators are also mostly idiots"... but, of course, that wouldn't win any awards on a site like arstechnica, which caters to the computer geek set, which likes to pretend that they are not idiots.

Nor on a site like slashdot, for that matter. (Moderation: troll, here it comes.... guess I'd better click that "post anonymously" box, or else I'm gonna burn through karma...)

Re:Study confirms [Re:Dont you mean "oppresing" (s (1)

DrNASA (849379) | more than 3 years ago | (#29857419)

Oh - I don't think anyone would argue that sysadmins aren't idiots - just in different spheres of knowledge or influence.
I certainly couldn't cope in finance or psychology, but I'm not put into situations where I am expected to have a full working knowledge of the minutiae of those fields and then left to my own devices to function - 'idiot be damned'

That's basically what lawnboy was apparently suggesting - and that's a theory a lot of sysadmins would reject in practice (I would love it if everyone could function in that way) but most won't and so it is left to us to safeguard them from themselves as well as others as much as possible. That's all it's about - it's not disdain for the person as a human, just a recognition of their skillset and the expectation that we should realistically have for them.

Re:herding cattle (1)

maxume (22995) | more than 3 years ago | (#29858581)

So it just sort of happens all on its own?

Re:Dont you mean "oppresing"... (1)

jimicus (737525) | more than 3 years ago | (#29856999)

Because when their computer is completely hosed and borderline unusable as a direct result, the chances are the OP or someone in a similar role will have to pick up the pieces. This gets really old really fast.

Myself, I think there may be something to be said for the endpoint security products that combine centrally managed antivirus, firewall and antispyware features.

Re:Dont you mean "oppresing"... (1)

Antique Geekmeister (740220) | more than 3 years ago | (#29857101)

I, for one, get paid to avoid them and my employers from wasting valuable time, money, and bandwidth both from such errors.

Re:Dont you mean "oppresing"... (0)

Anonymous Coward | more than 3 years ago | (#29857231)

.....right.....by this logic shouldn't malware and viri have expired long ago as people 'wise up' - what an ignorant, naive fool you are - perfect mid-management material.

Re:Dont you mean "oppresing"... (1)

DrNASA (849379) | more than 3 years ago | (#29857311)

HAHAHA - spoken like the guy not responsible for cleaning up other people's messes and securing mission critical or personal data. Users choosing their own level of security is why (probably) more than 70% of GeekSquad work is wiping hard drives due to malware. In the real world of business, it is the sysadmin's job to provide the resources to get the job done and keep data safe. That's it. Getting the job done does not include YouTube, Facebook, or Solitaire (yes, there are cases where social media is required). You want that - do it at home.

Work is called that for a reason. Hopefully you are fortunate enough to enjoy the work that you do, making it seem less like work, but work it is and shall be and sucks to the whiners.

Decide to let the marketing team decide their own security - a task for which they have neither the training, time, or inclination to do, and now nobody can access anything because the network is overrun with malware.

Businesses run on specialization. Embrace that fact and let people ruin their own equipment. Not the company's.

Re:Dont you mean "oppresing"... (1)

pentalive (449155) | more than 3 years ago | (#29857367)

Perhaps because the asset at risk is company data, and some of the users could not care less about company data. Some of those users might even be middle management. Upper management usually knows the value of the data but they have other follies.

Joe User: Passwords do vex me - let's kill them now!

IS Dept: But that will mean anyone could copy our data.

Joe User: So? I could get my job done.

IS Dept: Even our most hated competitors would know everything.

Joe User: So? I could get my job done.

IS Dept: ???

Don't listen, they're lusers [Re:Dont you mean...] (0)

Anonymous Coward | more than 3 years ago | (#29857453)

> Joe User: Passwords do vex me - let's kill them now!
> IS Dept: But that will mean anyone could copy our data.
> Joe User: So? I could get my job done.
> IS Dept: Even our most hated competitors would know everything.
> Joe User: So? I could get my job done.
> IS Dept: ???

Or,

Joe: "This new security protocol makes it impossible for me to do my job!"

IT Guy: "So? That makes the system more secure."

Joe: "Who can I talk to to modify some of the problems here? I need a workaround so I can do my job."

IT Guy: "Send it to /dev/null. We don't listen to lusers."

Joe: "But you've made it so I can't do my job!"

IT Guy: "Not my problem. Go away, luser."

naaaahhh.. crazy talk. (1)

tempest69 (572798) | more than 3 years ago | (#29857479)

The whole bloody mess is mis-engineered... The secure settings in IE are a bear to browse with, and are still vulnerable to some zero day exploits. Windows itself is a mess, how many areas are there to check for programs that load at boot?

the legacy dos files...
the run and run-once lines in the registry (all of them)
runservices
load
userinit
the startup menu
the startup menu for the user

Lots of the code doesn't work unless it gets full rein to jack your system. Turn on the Windows based security and programs like xfire throw a fit as they are constantly requesting to break security for legit reasons.. The security breaks usability and the idiots want to be able to just see the video from a friend without all this hassle of loading flash. Or download a file without a freak-out.

While you can limit what sites you visit, mistype google or microsoft, and there's no telling what your pc will contract.

How do you explain a buffer overflow? (1)

sleepdev (1374409) | more than 3 years ago | (#29856923)

How about just saying that we can't do our jobs right, so you need to be very careful instead, to cover our asses for us.

Re:How do you explain a buffer overflow? (2, Insightful)

quickOnTheUptake (1450889) | more than 3 years ago | (#29857365)

As funny as I found your comment, as a serious note it's a bit too simplistic.
Ultimately the one weak link in security that is always present is the user. So you have to either hamper the user, and progressively cripple his ability to use the computer or you have to educate him of who to trust and who not to.
Any power you give the user is a power he can ultimately be tricked into misusing.

So you are looking for a "Reefer Madness" movie... (3, Insightful)

John Hasler (414242) | more than 3 years ago | (#29856963)

...about computer security? Those work so well.

Re:So you are looking for a "Reefer Madness" movie (1)

gmuslera (3436) | more than 3 years ago | (#29857167)

Probably a better example would be looking for a "Taken" about computer security... At least, the start of the movie, no matter how much we would like to hit, shoot, stab, and put a spammer/botnet hoarder under electric shocks until the light gets cut for no payment.

Re:So you are looking for a "Reefer Madness" movie (2, Interesting)

countertrolling (1585477) | more than 3 years ago | (#29857239)

Yes, they do, on a mass scale. When applied "properly" to things like smut, terrorism, gay marriage, etc, the "Reefer Madness" tactic works very well. In fact it's still working on the drug situation also. Otherwise prohibition would have been abolished a long time ago. Do not underestimate the power of "madness".

Re:So you are looking for a "Reefer Madness" movie (1)

Mister Transistor (259842) | more than 3 years ago | (#29858249)

How about "Napster Baaaaad"?

Change their perspective to be self gratifying (4, Interesting)

onyxruby (118189) | more than 3 years ago | (#29856965)

I was spending some time with some friends of mine a few months back when the inevitable malware conversation came up. These friends happened to all be quite computer illiterate. What I did instead of giving the usual spiel about malware was show them a better experience.

I sat them down and showed them how to use firefox with noscript. I showed them their favorite sites without all the baggage and they were amazed at the improved experience. I made sure I showed them how to use noscript with sites like facebook and still get what they wanted.

All of this was done in less than 15 minutes, and they now use this combination on a daily basis, not because of the improved security, but because of the improved experience. The fact that their security is improved is entirely incidental.

Note to firefox devs, improve your enterprise management tools so that I can justify rolling out firefox to the enterprise after proving to management that it can be managed at the enterprise level. Enterprises need ways to consistently enforce policies with firefox using AD! Until this can be done firefox will never take over Internet Explorer in the Enterprise.

Re:Change their perspective to be self gratifying (2, Insightful)

ddillman (267710) | more than 3 years ago | (#29857285)

> Note to firefox devs, improve your enterprise management tools so that I can justify rolling out firefox to the enterprise after proving to management that it can be managed at the enterprise level. Enterprises need ways to consistently enforce policies with firefox using AD! Until this can be done firefox will never take over Internet Explorer in the Enterprise.

You know, sticking this down in some random response on a Slashdot discussion thread is not the most likely way to have Firefox devs see and possibly implement what you're looking for. Have you posted this over at mozilla.com?

Re:Change their perspective to be self gratifying (1)

Nimey (114278) | more than 3 years ago | (#29857499)

I'm sure many people who work in professional IT have been griping about this to Mozilla for years. It would be such a handy feature, after all.

Re:Change their perspective to be self gratifying (1)

onyxruby (118189) | more than 3 years ago | (#29857919)

I agree with your point, it was more of a by the way thought while I was at it. I have followed the other 'bug report' link from another user as well as looking at an ADM tool link from another poster.

I understand Firefox is open source, and that if I think something ought to be done better I have the right and license to go in and do it better myself. However I'm not a programmer, I have other skills like creating scripts and configuring RAID arrays which is a far cry from being qualified to perform programming. All I can do is try to comment to those that can make it better and have an interest in increased utilization.

I'm an infrastructure architect and my managers aren't interested in running beta anything. My job is to make enterprise environments very stable, and I can't do that with unproven tools. All that being said, I think I will follow your idea and post something over at Mozilla.com for those that are qualified.

Re:Change their perspective to be self gratifying (1)

DrNASA (849379) | more than 3 years ago | (#29857447)

Google is your friend:

http://sourceforge.net/projects/firefoxadm/ [sourceforge.net]

Re:Change their perspective to be self gratifying (1)

onyxruby (118189) | more than 3 years ago | (#29857797)

Looking at it now, looks like development only picked up on this again September of last year and it still hasn't hit a 1.0 release. That may sound silly, but to an enterprise manager that shows the software is immature and may not be stable. That being said this looks promising and I will be taking a look at it. Understand, I use firefox at home, I want to use it at the enterprise level, but that can't happen without the right toolsets to manage it at the enterprise level.

www.IdentityTheft.info video (4, Informative)

Cyko_01 (1092499) | more than 3 years ago | (#29856985)

Here is a great video that shows how to detect a phishing scam using examples: http://www.youtube.com/watch?v=bzfPUmQcfDs [youtube.com]

Tactile education (-1)

Anonymous Coward | more than 3 years ago | (#29857011)

Tactile is usually a better educator than visual. Every time they do something stupid, rig a spring-loaded boxing glove to punch them in the face.

Backdoor.Ghostnet (3, Informative)

adnd74 (1022357) | more than 3 years ago | (#29857013)

Symantec Security Response [sarc.com] has an excellent video about Backdoor.Ghostnet [youtube.com] on their youtube channel [youtube.com] .

I think the message here is that if you don't practice safe computing, the tools exist that empower just about anyone to pwn you

Re:Backdoor.Ghostnet (1)

buchner.johannes (1139593) | more than 3 years ago | (#29857515)

No, the message is screw VNC and SMB. I want to use that userfriendly tool!

This just gave me an idea. (1)

pavon (30274) | more than 3 years ago | (#29857045)

You know what would be really cool? If you had a rewriting-proxy that would occasionally insert a cartoon spy in pages that could be unsafe, reminding/warning them about what could have happened. For example if they submitted a form with a password, and it wasn't encrypted, the spy could pop up and say "This password is unprotected, and could be snooped. Be sure not to use the same password for anything important!", and then have buttons the users could click to submit the form anyway or cancel. If they arrived on a form from a link (referer is set) you could insert the spy, reminding them to check that the URL is correct and not a phishing site, and to always type the URL for important sites, like banks.

Situational reminders like this (if not overdone) would do more to create an atmosphere of caution and thoughtfulness than a yearly presentation would.
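The two checks described in the comment above (a password form submitted without encryption, and arrival at a login form from a link), written as the page-inspection step such a rewriting proxy would need. This is an added example, not code from the thread; the class and function names, the sample page, and the rule that only a Referer from a different host counts as "arrived from a link" are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: a login form served and submitted over plain HTTP.
SAMPLE_URL = "http://portal.example/login"
SAMPLE_HTML = """
<form action="/session" method="post">
  <input type="text" name="user">
  <input type="PASSWORD" name="pw">
</form>
"""


class PasswordFormFinder(HTMLParser):
    """Collect the resolved action URL of each form holding a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.action = None          # resolved action of the form being parsed
        self.has_password = False
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.action = urljoin(self.page_url, a.get("action") or "")
            self.has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = self.action is not None

    def handle_endtag(self, tag):
        if tag == "form" and self.action is not None:
            if self.has_password:
                self.actions.append(self.action)
            self.action = None


def reminders(page_url, html, referer=None):
    """Return the reminders a rewriting proxy could show for this page."""
    finder = PasswordFormFinder(page_url)
    finder.feed(html)
    finder.close()
    notes = [f"unprotected-password: form submits to {u}"
             for u in finder.actions if urlsplit(u).scheme != "https"]
    page_host = urlsplit(page_url).hostname
    ref_host = urlsplit(referer).hostname if referer else None
    # Assumption: only a Referer from a different host counts as "arrived via a link".
    if finder.actions and ref_host and ref_host != page_host:
        notes.append(f"check-url: reached {page_host} via a link on {ref_host}")
    return notes


if __name__ == "__main__":
    for note in reminders(SAMPLE_URL, SAMPLE_HTML, "http://mail.example/inbox"):
        print(note)
```

The form's action is resolved against the page URL before the scheme is checked, so an HTTPS page whose form posts to an absolute `http://` address is still flagged.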

Really? (1)

denzacar (181829) | more than 3 years ago | (#29858275)

A reminder/warning that user should click on to make it go away?

How much time do you suppose would pass before:

a) users completely ignore it, madly clicking [ OK ] without even looking at the text?
b) it is spoofed and/or copied by malware sites, cartoon spy and all?

Answer should be calculated in minutes and seconds, but feel free to use larger time units like hours and days.

Re:This just gave me an idea. (1)

bjelkeman (107902) | more than 3 years ago | (#29858937)

Use the MS Office tools with the paperclip a lot?

Cisco's Website (1)

Cytlid (95255) | more than 3 years ago | (#29857165)

Check out Cisco's website. Really. Most of the time, they have some videos geared towards marketing and business types. They even have some cute superhero thing about threats. It drives me crazy because usually I go there for technical purposes, I want to see configuration commands and tech docs. But every once in a while I'll find a good diagram or video which gets my point across to non-techie types.

People are stupid (1)

Crashspeeder (1468723) | more than 3 years ago | (#29857179)

It doesn't matter how you explain it to them, whether it's pretty pictures or text, they won't understand or care.

Security education video game and movie (2, Interesting)

redtail (265571) | more than 3 years ago | (#29857187)

http://cisr.nps.edu/cyberciege/ [nps.edu] is a video game designed to teach computer security concepts. In addition to its more advanced scenarios, it includes a few simple "awareness" scenarios, the first of which directly addresses your topic. Further, this animated movie: http://cisr.nps.edu/cyberciege/movies/02CIEGE.html [nps.edu] helps the layman understand why the problem of malicious software is so hard to solve. The link includes a free evaluation version of the game.

Videos help? (3, Insightful)

MrCrassic (994046) | more than 3 years ago | (#29857209)

I figured that most people would treat videos on computer security like the videos that teachers would show at school. Their reaction?

"NO WORK!!!"

I think that what's most effective is just enforcing your security policies using Group Policy or other management tools on the network. That way, you KNOW that most people won't violate any policies set forth, and those that do are the ones that didn't need the training in the first place.

If you're really adamant about educating your employees with videos and such, find REALLY GOOD videos that will hold their attention for their entire run. Remember, at the end of the day, those computers don't belong to them and most of them simply wish to get work done. Any teaching method which can exploit these two truths for educational value is probably worth watching.

Dark Ages (2, Insightful)

banished (911141) | more than 3 years ago | (#29857223)

My company's solution is to lock down the systems so tightly as to turn network systems into standalone systems.

What's in it for them? (3, Insightful)

petes_PoV (912422) | more than 3 years ago | (#29857277)

Viruses, worms etc. aren't really the users' problem - unless you can categorically point the finger at an individual and get them fired (as an example, pour les autres). Why should they care if THE COMPANY computers crash, or slow down or give them reasons why they can't do their job?

So why should they go to the inconvenience of not clicking on links that they want to, or not visiting any website that takes their fancy? By appealing to their "professionalism" or "humanity" or "team spirit" you're probably on a loser. While these might get them gee-d up for a short time, you can bet that unless there's some personal pain involved in doing it, they'll be back to their old habits in a few weeks time.

Once you can put security in terms a normal user will understand: i.e. If you click on a bad website, these bad things will happen TO YOU, they'll pay attention. Until then you haven't got a chance.

If you want them to learn... (2, Insightful)

OpenSourced (323149) | more than 3 years ago | (#29857297)

Nobody learns to avoid fire by being told. You have to get near and feel the heat to know you better not do it. So my advice is: make traps. Send them emails signed by another coworker asking for their password. Send them executable files that block their computer and flash a sign telling them that all their files are being erased, just because they executed a file from an unknown origin. All kinds of traps, with nasty consequences if possible, you don't want them to click into everything because it can be another amusing idea of yours. You want them scared of your ideas so that they look askance at every email or web page to see if it could be a trap. As they might be, so that's the right attitude.

Re:If you want them to learn... (0)

Anonymous Coward | more than 3 years ago | (#29857395)

Absolutely!

And two months later when you're back at the unemployment office you can chuckle to yourself about the fun you had.

Re:If you want them to learn... (1)

OpenSourced (323149) | more than 3 years ago | (#29858273)

And two months later when you're back at the unemployment office you can chuckle to yourself about the fun you had.

That's a possibility, of course. But you'd be doing your job in the best possible way. In my experience, there is always an element of risk in excellence. Anyway, you can minimize your risks. You can always make a seminar first, give everybody a ten-commandment-sheet, etc. explaining what they cannot do, and then send the traps as tests, after some weeks. If they fail, you can say that anybody following the security measures has nothing to fear from the traps, that way you slyly shift the blame to the victims.

Flash? (0)

Anonymous Coward | more than 3 years ago | (#29857301)

Boy, I thought you were going to avoid dangerous and annoying plugins ...

Set policy (1)

InlawBiker (1124825) | more than 3 years ago | (#29857313)

It is pretty simple really. You have to set policy and communicate it. Then, if policy is broken the company must actually follow up with the repercussions stated in the policy. People are pretty smart - they understand repercussions. If the company doesn't back up the policy then it's not a policy, and there's no real reason for users to follow it.


How to fix it (0)

Anonymous Coward | more than 3 years ago | (#29857415)

1) Download and install http://camstudio.org/ [camstudio.org]
2) Start CamStudio.
3) Turn javascript OFF.
4) Stop CamStudio.
5) Post the video somewhere.
6) Send out general announcement e-mail with link to above video. Include sentence explaining that websites which don't work without javascript are inherently unsafe and unnecessary.
7) Relax and do something more interesting.

Here's the solution (1)

Khyber (864651) | more than 3 years ago | (#29857431)

Make yourself a laptop with a deep freeze image. This way you can infect the system at will, reboot and it's clean.

Show the people using your system just how badly a zero-day exploit can hose a system.

Reboot, show the next group. Rinse, repeat.

Re:Here's the solution (1)

mysidia (191772) | more than 3 years ago | (#29857765)

Quite dangerous... what happens when your infected system sends spam or the infection downloader pulls a new version from the author and tries to spread itself to other machines in your corporate network, through a zero-day vuln you haven't patched yet?

One visual representation always works... (0)

Anonymous Coward | more than 3 years ago | (#29857491)

...that of a pissed off sysadmin charging down the corridor wielding a sizable rubber mallet.

Virtualforge has really good XSS and CSRF vids (1)

spinkham (56603) | more than 3 years ago | (#29857505)

http://www.virtualforge.de/vmovie.php [virtualforge.de]

The XSS and CSRF videos are very good visualizations for the common user using simple examples.


Deny internet access to repeat offenders (2, Interesting)

JustNiz (692889) | more than 3 years ago | (#29857583)

Deny internet access to repeat offenders. They soon get the message that way.

Excellent Question; Really Bad Timing (1)

DaveAtFraud (460127) | more than 3 years ago | (#29857605)

Excellent question but, unfortunately, it hit the main /. page on a Saturday. Let's just say that the percentage of readers who are IT professionals drops off significantly over the weekend. Go figure.

Most of your responses so far are along the lines of, "You NAZI! Leave your users alone and let the ones who don't learn get what they deserve." Obviously, not the response of an IT type who has to deal with regulatory requirements and wants to keep his job. You might try the same question again but on a weekday on a computer and network security related site.

Good luck with your search.

Cheers,
Dave

I Have a Vision of... (2, Funny)

mrsquid0 (1335303) | more than 3 years ago | (#29857623)

Hi, I'm Troy McClure. You may remember me from such IT security videos as "Microsoft Explorer: Ubiquitous but Unsecure" or "Passwords: The Road to Ruin".

Demonstrate (1)

Deathlizard (115856) | more than 3 years ago | (#29857631)

A demonstration of the "Customer Appreciation Bat" works wonders.

Although since it's a corporate institution, the "Security Empowerment Bat" might be more effective.

Simple solution (0)

Anonymous Coward | more than 3 years ago | (#29857665)

A simple solution: redirect known dangerous sites to "n i m p . o r g" (with spaces on purpose - if you delete them and go there, you'll know why, but DON'T). I guarantee that the first time they click on a bad link will be their last...

Impress what happens when they AREN'T secure (1)

mnemotronic (586021) | more than 3 years ago | (#29857743)

I suggest you emphasize the possibilities of what the Chinese government hackers, Russian mafia, and US Customs & Border Patrol will do to them if they don't practice proper security procedures. A scene from "Deliverance" [youtube.com] that will get the point across. You know what I'm talking about.

Why you shouldn't click random links (0)

Anonymous Coward | more than 3 years ago | (#29857971)

such as not clicking links in the occasional spam email which passes through filters

Here's a good example of why people shouldn't click random links. http://www.youtube.com/watch?v=Yu_moia-oVI

Look for vids of the WMF bug (2, Informative)

BLKMGK (34057) | more than 3 years ago | (#29857975)

Sunbelt Security had a video posted of what occurs when you got hit by the old WMF bug awhile back. You could see software being installed, icons appearing on the desktop, and the desktop background being modified as this thing went to town and began popping fake AV warnings. It was one of THE most extreme and informative examples I can think of for this.

Here's a copy of it I found on Youtube. A search for "WMF exploit" on YouTube will get you plenty of hits :-)

http://www.youtube.com/watch?v=WTBcDJ9kJH4 [youtube.com]

IMO, I think this answers your question!

I usually use analogies... (1)

smisle (1640863) | more than 3 years ago | (#29858239)

I teach computer classes to seniors and other people who have (usually) never turned one on before. When I cover the security section, I try to use analogies to help them understand the threat level and some ways to avoid most of it.

For virus protection, I equate it to a body guard - If you're in a small town, or walking around downtown, you're fine, and the body guard probably won't even be needed. If something did come up, you'd be fine since it would probably be a mugger or a rabid dog, and the body guard would be able to take care of that. Now, if you start wandering around in a mine field, or in the middle of a battle (analogous to visiting warez sites or downloading and running a file someone you didn't know sent you, etc.) no amount of body guards will keep you from dying.

This has really helped impress in my students' minds that it's really still up to them to not do anything stupid, and their anti-virus can't always keep them safe - especially if they are doing something dangerous on purpose.

If you are talking about corp users (1)

geekoid (135745) | more than 3 years ago | (#29858605)

Why not block access to anything non-approved?
More accurately, only allow specific sites.
Yes some people will get around it, but most people capable enough to get around aren't high risk. How many people who know how to tunnel would also download smileys?

PUMP them UP (1)

bwcbwc (601780) | more than 3 years ago | (#29858653)

Maybe create some internal XSS that resides on your corporate proxy server. So when someone runs (say) a Facebook app, your XSS runs some Javascript off of an internal server that does something moderately annoying like continual pop-ups. Then if they click on one of the popups, disable their external web access completely.

how i really feel about it. (0)

Anonymous Coward | more than 3 years ago | (#29858711)

I say we just stick our foot up your arse.
