Slashdot Mirror


Schneier: Everyone Wants You To Have Security, But Not From Them

An anonymous reader writes: Bruce Schneier has written another insightful piece about how modern tech companies treat security. He points out that most organizations will tell you to secure your data while at the same time asking to be exempt from that security. Google and Facebook want your data to be safe — on their servers so they can analyze it. The government wants you to encrypt your communications — as long as they have the keys. Schneier says, "... we give lots of companies access to our data because it makes our lives easier. ... The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices. ... We want our data to be secure, but we want someone to be able to recover it all when we forget our password. We'll never solve these security problems as long as we're our own worst enemy."


  1. He's being polite. by some old guy · · Score: 5, Insightful

    What he means to say is what most of us have known in our darkest heart of hearts since the first help ticket: The vast majority of users are technically illiterate idiots, and you can't fix stupid.

    --
    Scruting the inscrutable for over 50 years.
    1. Re:He's being polite. by Anonymous Coward · · Score: 0

      > What he means to say is what most of us have known in our darkest heart of hearts since the first help ticket: The vast majority of users are technically illiterate idiots, and you can't fix stupid.

      Always has been that way, and since the latest Windows UIs wouldn't challenge an infant's dexterity or color palette, I'd say we're rolling with it.

    2. Re:He's being polite. by Anonymous Coward · · Score: 1

      ...and the number of people who identify as techies and still have no clue whatsoever about technical things is on the rise. Superstitions about the way things work are absolutely rampant.

    3. Re:He's being polite. by MrBigInThePants · · Score: 1

      I agree.
      For the most part this is an article written to people who don't read these articles and being read by people who don't need to read it.

      The average knuckle dragging simian could not care less about any of this. They are just cattle chewing their consumer cud and waiting to be milked as per usual.

      For the rest, I bet that while most are on the "privacy bandwagon" very few of them take all the steps required to ensure their privacy. To me this does not mean that the system is wrong, just that people don't care about this as much as they make out... or at least as much as reported anyway.

      I tend to look to actions, not words, when trying to discover what is going on in someone's brain jelly.

    4. Re:He's being polite. by Anon-Admin · · Score: 3, Insightful

      No, they are not techies, they are "Power Users".

      They think they are technical because they can navigate a GUI, click on a button, and fill in a field. However, they have no clue where the data is stored or what is going on under the GUI.

      Hmm, that describes most Windows admins. Wonder what they will do when Windows goes command line and the GUI is no longer installed by default?

    5. Re:He's being polite. by DutchUncle · · Score: 1

      Users aren't supposed to need to be technically literate, any more than automobile drivers should need to be mechanics or engineers or machinists or metallurgists. A lot of us get paid *specifically* to make this stuff simple enough for a child to use. The problem is that we've been so successful that the common user is not just passively clueless, but actively self-harming - just like the automobile industry making the *average* car equal to an old sports car without anyone suggesting that drivers should get a little more practice.

    6. Re:He's being polite. by Anonymous Coward · · Score: 0

      Didn't this already happen? Don't you have to explicitly install the GUI in Server 2012?

    7. Re:He's being polite. by CrimsonAvenger · · Score: 2

      > What he means to say is what most of us have known in our darkest heart of hearts since the first help ticket: The vast majority of users are technically illiterate idiots, and you can't fix stupid.

      Note that there is a difference between "stupid" and "ignorant".

      Note that being "technically illiterate" puts you into the "ignorant" category, but that claiming that "technically illiterate" is the same as "idiot" puts you well into the "stupid" category.

      Now, arguably you can claim that the vast majority of users really don't care very much about the subject at hand, which might very well move them into the "stupid" group. But being technically illiterate, in and of itself, is not a sign of "stupid"....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    8. Re:He's being polite. by SeaFox · · Score: 1

      > ...and the number of people who identify as techies and still have no clue whatsoever about technical things is on the rise.

      Worse is some of them are selling their services as a "techie" to normal people.

      I talked to an auto parts store a couple weeks back replacing a POS PC and it couldn't get online, but the other machine in the store could, and they were calling us (the ISP) about the issue. They were both hardwired to a router (that was not supplied by us) and the store's third-party tech who installed the computer was there. He didn't know how to check an IP address and hadn't even looked at the router itself. He'd just connected the wires from the old computer they replaced to the new one and expected it to work.

    9. Re:He's being polite. by Anonymous Coward · · Score: 1

      In 2012 and 2012 R2, the default is a Server Core install. Yes, you can get the UI back as this is part of the SConfig utility, but if you are using SCCM for managing machines and one isn't on the console (for example, it is a server that doesn't need any UI access like AD), then might as well just leave it in Server Core mode, just because less stuff will be running.

      The Windows admin role has changed... in a medium to large IT shop, you are generally using PowerShell and other management tools, as opposed to RDP-ing into individual machines. For setup, you are using iLO and PXE, as well as customized WIM images so that the servers are loaded with a proper OS install with what the business has a requirement for (usually an AV program, although Microsoft's SCEP oftentimes is already licensed, so if a company is wise, might as well just chuck that on the machine while tossing SCCM on there as well). Even with virtualization, you have your Hyper-V hosts and SCVMM, and you spin those up from templates, so one might log onto the machine for an initial configuration, but that's pretty much it. Even updates are handled fairly easily via WSUS [1].

      Disclaimer: I'm a UNIX guy posting good about Windows, so going to post this as AC.

      [1]: Of course, there will be the "just approve all updates" trap that one can easily fall into. For dev and desktops, it may be OK... but when updates roll out and you just lost your DMZ, you will really wish you had taken the time to test the patches before kicking them out to production.

    10. Re:He's being polite. by Anon-Admin · · Score: 3, Funny

      I originally posted that tongue in cheek. The company I'm at, as well as many I know of, is running some 2003 and mostly 2008. They are starting to move to 2012 and the Windows admins are having a fit because there is no GUI and they can't just RDP into the system.

      This has led to "You're the Unix guy, you know command line stuff. Why don't you take over running these Windows servers? They're just like Linux."

      lol

    11. Re:He's being polite. by The-Ixian · · Score: 1

      Yeah, I was a field tech for a number of years and would often have to clean up the mess left by other "techs".

      It would always make me wonder how these people got employed in the first place....

      ...Until I learned about technical recruiters... then it all made sense.

      --
      My eyes reflect the stars and a smile lights up my face.
    12. Re: He's being polite. by Anonymous Coward · · Score: 0

      STFU. I can't tell who is stupider, you or Schneier. It would be very easy using simple modern encryption schemes (OS of course only) to encrypt every call, SMS, and text on every smart device worldwide, and still get the job done. It is glaringly obvious they wanted the opposite to happen. What Schneier states is a load of freaking crap.

    13. Re:He's being polite. by Anonymous Coward · · Score: 0

      This is not a surprise but completely logical. In order to set up a tech business, in fact any business, and win customers you merely need to have more of a clue than them. That is all. Sure, you may get the odd client who is looking to outsource something because it takes up too much of their time and they are an expert in it, but they will be few and far between and there are plenty more clients out there. Stop and take a look around you, at the business directory in your local paper. It will be full of companies run by fools whose only selling point is that they know marginally more than their customers.

    14. Re:He's being polite. by pr0fessor · · Score: 1

      I got a call from a new admin today having trouble with some large files after he transferred them over a network, and so I asked him how he verified the files weren't corrupted, like fciv... Is that in the command line??? Yes.

    15. Re:He's being polite. by hitmark · · Score: 1

      Well it hasn't helped that we have had a generation or two of marketing saying that you don't need to know anything to operate a computer.

      Computers may well be the most complex things humanity has constructed, yet the claim is that the interfaces can be refined so much that an infant can operate them unassisted.

      Sorry, but we can't have it both ways...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    16. Re:He's being polite. by hitmark · · Score: 1

      And the industry wants it that way.

      More and more products have a "user" mode, and (maybe) a "developer" mode.

      The user mode will be locked down so tight that moving files around is virtually impossible without bouncing them off some cloud service.

      The developer mode is wide open, but they will refuse you access to any kind of for-pay service because you may be a pirate...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    17. Re:He's being polite. by Demonoid-Penguin · · Score: 1

      > Note that there is a difference between "stupid" and "ignorant".

      One has its charms.

    18. Re:He's being polite. by Culture20 · · Score: 1

      FYI, if your Windows admins don't know it yet, Windows 2003 is EOL soon.

  2. Protection Rackets by Anonymous Coward · · Score: 0

    This is how protection rackets have always operated, whether government, religion, or privatized. Make sure that you're safe from our competition, but look the other way if we're ever wrong.

  3. The human mind... by Anonymous Coward · · Score: 0

    ... didn't evolve for this kind of society. AKA we 'want someone else to do it', because we have limited time, resources, intelligence and energy. This is just about the limits of what it is to be human.

      Everyone forgets the laws of nature: if you are working most of your life and you're constantly being attacked by corporations/government and your mind didn't evolve to deal with it... you get a big mess, who'd have thunk it?

  4. Good Points. by jellomizer · · Score: 1

    The idea of 100% security just doesn't happen... However, there are things that everyone can do that will reduce their risk.
    Biometrics is one method; it isn't 100%, but it is better than password use on average. We have encryption standards, we just need to find a way to get the official certificate issued, so it can be free, and really prove who you are.
    There seems for some reason to be no push for SSH on the Windows platform, so we are still having the many insecure port issues...
    Sure, it isn't 100%, but I think we can get to a state of good enough.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Good Points. by AK Marc · · Score: 1

      100% doesn't exist. Better security than a more attractive target is all you need. And sadly, that's a pretty low target.

    2. Re:Good Points. by Coolfish · · Score: 1

      > We have encryption standards, we just need to find a way to get the official certificate issued, so it can be free, and really prove who you are.

      There's a way to do that. I think. See my other post in this thread.
      http://it.slashdot.org/comment...

    3. Re:Good Points. by david_thornley · · Score: 1

      Biometrics have problems. The "password" is based on something I can lose (yeah, it's attached to me, but accidents happen, and I don't know how a fingerprint reader's going to react to a bad cut). (Without loss of generality, I'm going to assume fingerprints.) If used remotely, it's data going over a connection and can't be tested to see if it's a live finger. That makes it copyable, and I've only got ten fingerprints. If all of those are compromised, I can't grow another finger to get fresh fingerprints. The reader is not likely to be completely accurate, so it can be set to refuse my fingerprint sometimes or let other, similar, fingerprints work sometimes.

      So, while they have advantages, they can still be lost or compromised, and there's no recovery from them.

      Official certificates, I assume, are a way of associating a key pair with a real live wetware entity, or an organization of same. Given no dishonesty, this can be essentially free. Given attempts to deceive, such as me trying to associate my key pair with somebody not eminent and widely known, there's investigation costs, and you have to balance cost against certainty. Theoretically, I could be asked to come into an office with photo ID, and at that point I can get fake ID (and those can be pretty convincing), I can bribe whoever's examining my ID to let it pass, I can try to hack into the systems or communications (probably the hardest of the three), or other techniques I'm not coming up with off the top of my head.

      Moreover, key pairs can be compromised, and at that time you need some sort of revocation ability, preferably one that can be easily activated by the owner under almost all circumstances, and can't be activated by the bad guy (and requiring a message signed with the key pair doesn't work here).

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  5. Do they by invictusvoyd · · Score: 2

    Have control over all the encryption algos of this world? It's hard to believe that all these smart people will let them get away with this... having said all that... The president, the director of the NSA and all the pezzenovantes don't make this stuff... This stuff is made by you and me...

    1. Re:Do they by Anonymous Coward · · Score: 0

      > Have control over all the encryption algos of this world? It's hard to believe that all these smart people will let them get away with this... having said all that... The president, the director of the NSA and all the pezzenovantes don't make this stuff... This stuff is made by you and me...

      Yeah but they have enough manpower to try to figure out every possible type of encryption scheme.

    2. Re:Do they by dcollins117 · · Score: 1

      > Yeah but they have enough manpower to try to figure out every possible type of encryption scheme.

      Huh? Everyone has access to open source encryption algorithms. That is a strength, not a weakness. Strong encryption algorithms rely on the fact that everyone has equal knowledge of the algorithm employed. It is the encryption key that is secret, not the algorithm.

      That's the beauty of it. Every mathematician the world over can know what the problem is, but they cannot solve it in any reasonable time frame without the key. That's the whole point.

  6. Welcome to reality by BarbaraHudson · · Score: 1

    > We'll never solve these security problems as long as we're our own worst enemy.

    We'll never solve these security problems.
    FTFY

    Welcome to the real world, where the only way for three people to keep a secret is if two of them are dead. And even that's not a 100% guarantee. Not much has changed over the centuries.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:Welcome to reality by Jawnn · · Score: 1

      > We'll never solve these security problems as long as we're our own worst enemy.

      > We'll never solve these security problems. FTFY

      > Welcome to the real world, where the only way for three people to keep a secret is if two of them are dead. And even that's not a 100% guarantee. Not much has changed over the centuries.

      Sorry, Barbara, but that's a useless oversimplification of the issues here. There are things that a person or an organization can do to make things more secure and/or more private (the two are not really the same thing). Technical ignorance is certainly a reason that many take your view and just throw up their hands, but the fact is that there are solutions for those willing to expend the effort to understand what's going on.

    2. Re:Welcome to reality by BarbaraHudson · · Score: 1

      No solution yet has withstood the test of time. Enigma fell. DVD encryption was broken. Various pay TVs' "unbreakable" Nagra encryption was broken. Various password hashing techniques have been broken. Various implementations of RSA have been broken, and RSA-1024 is probably breakable now by the NSA. What the NSA can do today, you'll be doing on your home computer in 20 years.

      And then there are the leaks, the bad choices of implementations, random number generators that are not so random after all, social engineering hacks, keyloggers, you name it ... there is no such thing as 100% security and there never will be.

      Sure, you can take precautions, but expect them not to last forever. Look how many people still think that encrypting zip archives with a password is secure.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re:Welcome to reality by Dutch Gun · · Score: 1

      No one of any credibility has ever claimed that anything can be made 100% secure. However, the bar for cracking today's state-of-the-art encryption schemes is significantly higher than older standards. Not just a little higher, but exponentially higher. At the moment, it would take a modern PC until far past the heat death of the universe to crack a modern 4096-bit encoded certificate. That means that unless a fundamental weakness is found or we invent quantum computers, no one will brute force that key in our lifetimes, and probably our children's lifetimes as well, even given continued improvements of hardware speeds and proliferation. Many of our modern encryption schemes rely on the premise that a very large semiprime number is hard to factor. As long as that holds true, it's likely our cryptography will hold as well.

      Many early algorithms, such as WEP or early ZIP encryption, were created behind closed doors by security novices, and as such were broken by design. Current encryption standards are well vetted in public by cryptanalysts from all over the globe for many years before they're adopted. It's a really big deal if an analyst discovers a way to reduce even one or two bits of entropy in a modern encryption standard. Of course, it would be equally foolish to declare that we'll *never* crack our current standards, but I'm not sure I'd compare them to relatively simplistic or fundamentally flawed standards of the past. Our current technology is at the trailing end of a very Darwinian process, and has been made much stronger because of all the failures of the past. Engineering of all types works this way: failures result in gained knowledge, and we use that knowledge to build better systems going forward.

      Nowadays (as you correctly indicated), security is much more likely to be breached because of a side-channel attack: a faulty implementation of an otherwise solid encryption algorithm, stolen keys, or even by deliberately weakened random numbers. I'm much more pessimistic about our current security in this regards compared to the actual encryption algorithms, simply because of the huge attack surfaces our infrastructure has.

      Cryptography is a field where confidence can only be gained by longevity, so we'll just have to see how things play out. Still, the fact that our three-letter agencies seem desperate to force us to use encryption with backdoors seems like a pretty good indicator of how strong they perceive modern encryption to be.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  7. Like People and Rules by rodrigoandrade · · Score: 1

    Everyone wants everyone else to follow rules, but not themselves.

    1. Re:Like People and Rules by Anonymous Coward · · Score: 3, Interesting

      A great thought, that--especially when set to some fine blues:
              Everybody wants to hear the truth
              But yet, everybody wants to tell a lie
              I say everybody wants to hear the truth
              But still they all want to tell a lie
              Oh everybody wants to go to heaven
              But nobody wants to die
              -- Albert King

  8. But-but-but by war4peace · · Score: 1

    I think there are more shades of grey than 50, here.
    The phrase "I want my data to be secure" makes no sense. There's no such thing as "secure data". One can't even define "secure data". Data can only be considered secure within context, e.g. my pictures stored on SpiderOak are secure... as long as someone doesn't beat the username and password out of me with a $5 wrench. My Facebook data isn't secure by definition, anyone could save those pictures or that text. And yes, each company wants their piece of the pie (the bigger, the better) and yes, each person wants to be able to do stuff as easily as possible. The more secure data is, the greater the usability sacrifice.

    We're not our worst enemy. We are how we are and it's impossible to change it. Try explaining to your mom that she needs to enter an overly complicated password and then receive a code through SMS and then type that code manually in a little text box every time she wants to look at each of her grandkid's pictures. Won't work. And it's not because your mom is lazy, but because the perceived need for security for such data is very low.

    Yes, a thief only needs to browse his local area citizens' Facebook profiles to identify who's going away on vacation. Before that, he needed to physically roam the neighborhood to find out. In both cases, the reward (loot) greatly outweighed the effort, the sole difference being less effort now than then.
    The advent of the Internet and technology brought us great advantages as well as risks. They always go hand-in-hand.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  9. Schneier's opinion isn't what it once was by BitZtream · · Score: 1, Interesting

    > We want strong security, but we also want companies to have access to our computers, smart devices, and data

    No, we don't actually want them to have that access, they don't give us a choice if we want their services. We can solve these by teaching people that you don't need to put your data online and then voting with our wallets by buying software that doesn't force us to do so.

    > We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices

    No, we don't. We want it to not be so ridiculously difficult to do so, but companies have determined that they can use this to their advantage and get us to give them our data to make it easier. Android's SD card behavior is so absolutely shit that it's easier for non-geeks to just give Google all their data. Apple phones only let you sync certain things over USB and it's kind of convoluted for a non-geeky person, so they use iCloud.

    We don't WANT it this way, but it's the only option we have because you've failed to educate people to the fact that there's another way and what is actually wrong with giving Google/Facebook all our data. You lost people's interest when you started ranting and raving.

    > We want our data to be secure, but we want someone to be able to recover it all when we forget our password.

    No, we don't. I too write encryption related software, Mr Schneier, but I'm not a paranoid nut job. Important data that I want to protect simply isn't available to the outside world so it doesn't NEED encryption. If you get to the data, then you've probably already bashed my head in. This isn't like a door lock where it's possible to overcome them and we can't stop them from being overcome, so we take advantage of locksmiths when we screw up. Locks can not be 100% secure, encrypted data can be effectively 100% secure and that's a different environment.

    What we WANT is for our systems and software to not force us to put shit on the Internet, and being forced to be Internet connected is why we want it encrypted. Even my 65 year old mother in law understands that encryption is effectively unbreakable and she treats it that way, uses it where it needs to be used (yes, she actually uses encryption) and just acts intelligently about where she puts other data.

    People are not as ignorant as you may think, its that you haven't bothered to educate the ones you know beyond being a paranoid nut job about things, which doesn't work well for normal people. Now, I understand why you're paranoid, you have good reason to be, the NSA is fucking ridiculous, but you were pretty fucking stupid for putting shit you don't want people to know on a public network in the first place, and you of ALL PEOPLE should know better, and you have in fact written about this very subject.

    If you bothered trying to educate people properly and nicely without being a jerk about it or flipping out about the way things are, things may actually change.

    Then there's side two of it all ... MOST PEOPLE DON'T GIVE A SHIT ABOUT THE DATA THAT GOOGLE GETS FROM THEM. The ones that do, DON'T GIVE IT TO GOOGLE OR FACEBOOK IN THE FIRST PLACE.

    You're losing your edge; somewhere in your many years of working with security issues you've lost sight of how everyone who isn't in the security or data mining industry behaves. This article you've written seriously lowers my opinion of your relevance these days. Not that I'm really relevant either, but I'm certainly not the only one who's losing interest in your opinion.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:Schneier's opinion isn't what it once was by BarbaraHudson · · Score: 1, Insightful

      The professional paranoia peddlers don't like reality very much. It cuts into their schtick.

      A generation ago, there was this thing called a phone book - it had everyone's name, address, and phone number - and nobody went nuts about "OMG they have my address!" You could go to the public library and use the Lovell's "upside-down phone book" to look up any address and get the names and phone numbers of the people living there. And it would also tell what economic quintile that area fell into. Again, no big deal. Electoral lists were sent out before the election giving every voter living in your polling area's name, address, and profession - and nobody thought "aaAGGHH!"

      Now it's like people have gone nuts. As in stupidly paranoid drama queens.

      My view is a bit different - put everything out there in the open and there's nothing to be afraid of people finding out. No lever to be used against you. No threats of inopportune disclosure. Problem solved.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Schneier's opinion isn't what it once was by PPH · · Score: 2

      > A generation ago,

      There was a high barrier to this sort of public information being used. If you wanted to use the library's reverse directory, you had to actually go there. Now, with this sort of data on-line, marketers can slice and dice it any way they want for little more than the cost of processing power. But so can the 'bad guys'.

      --
      Have gnu, will travel.
    3. Re:Schneier's opinion isn't what it once was by Registered Coward v2 · · Score: 1

      > This isn't like a door lock where it's possible to overcome them and we can't stop them from being overcome, so we take advantage of locksmiths when we screw up. Locks can not be 100% secure, encrypted data can be effectively 100% secure and that's a different environment.

      While I agree with most of your points, there is no such thing as 100% secure data; some is only harder to get than others. It only takes the right approach to get it.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    4. Re:Schneier's opinion isn't what it once was by Anonymous Coward · · Score: 0

      > A generation ago, there was this thing called a phone book - it had everyone's name, address, and phone number - and nobody went nuts about "OMG they have my address!"

      You're wrong. I am from that generation, and my number wasn't in the phone book. It was a perfectly straightforward thing to do on my application form for a phone line to tick the "don't put my number in the phone book" box.

    5. Re:Schneier's opinion isn't what it once was by BarbaraHudson · · Score: 1

      Not really that much different. Many companies bought annual subscriptions to Lovell's upside-down phone books. The poll lists were public - just go and pick them up at the central polling office. And normal phone books were dropped off at the door yearly. Ditto with yellow pages for lists of businesses.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    6. Re:Schneier's opinion isn't what it once was by Anonymous Coward · · Score: 0

      But the phone company still had your phone number, and a log of every call you made. Give me a break.

    7. Re:Schneier's opinion isn't what it once was by Anonymous Coward · · Score: 0

      Wow. Anecdotes and capital letters. Once you touch down from the unprovoked rage you flew into, you might want to get your perspective checked.

    8. Re:Schneier's opinion isn't what it once was by Anonymous Coward · · Score: 0

      I believe when he says "we", he means Joe Sixpack, so what YOU want might vary.

    9. Re:Schneier's opinion isn't what it once was by Sean · · Score: 2

      That's true, but there was no book at the library that listed which articles in the newspaper we decided to read and which ones we decided to skip. The post office didn't make copies of all our letters and the phone company didn't record all our calls. When we used a map to find directions, none of this information used to be recorded. When we had our photographs developed, we could be quite sure the photo lab wasn't making copies of all of them.

      Records of our financial transactions were much more limited because most of them were cash. Now we use payment cards for almost everything.

    10. Re:Schneier's opinion isn't what it once was by Dutch+Gun · · Score: 1

      When Schneier says "we", I understood that to mean he's talking about the vast majority of the public, not security or privacy-conscious people - who, let's face it, are almost certainly a minority. It feels like you're reading those statements as *advocating* those positions, when instead I think he's just describing the reality of the current situation.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    11. Re:Schneier's opinion isn't what it once was by Anonymous Coward · · Score: 0

      > MOST PEOPLE DON'T GIVE A SHIT ABOUT THE DATA THAT GOOGLE GETS FROM THEM

      I see it as slightly more nuanced -- people don't give a crap about the data that Google and Facebook get from them because they can't easily see the down-side, because there is a level of indirection (example: search for X ailment -> credit score goes down). Indirect evil like this tends to get resolved via two paths:

      1) Evil-doer gets greedy/sloppy and does 1:1 direct evil (no indirection) that the public clearly sees and gets really outraged about (classic example is price gouging).
      2) The current generation is screwed and the next generation that grew up on the evil really understands it and changes it.

      I can't think of any case off-hand where a corporation did indirect evil and enough people realized it and voted with their wallets such that it significantly affected the company's finances... would anyone be able to give an example... I'm curious...

    12. Re:Schneier's opinion isn't what it once was by david_thornley · · Score: 1

      If Google were to have the idea that I have depression issues, I don't think they'd share it with others, but would use it as part of my profile to target ads to me. On the other hand, they probably would be able to make money selling that information to insurance companies and the credit rating companies, so I wouldn't count on it.

      Even targeted ads can have consequences. There was a case here a while back when Target sent coupons for baby-related items to a teenaged girl who had done some searches on Target.com, and they were found by the girl's father, who had not known of the pregnancy up until then. I don't know what happened, but it can't have been emotionally comfortable.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    13. Re:Schneier's opinion isn't what it once was by david_thornley · · Score: 1

      I'm going to make a guess that you really don't mean it about everything being public. I could be wrong, but I'd bet you have some sort of bank account or bitcoin wallet or something, and, while you might be perfectly comfortable with us knowing everything about how you use it, you really don't want to share the access codes so we can drain your accounts and wallet and whatever.

      Not everybody is in a position where they can afford full disclosure. I'm pretty open about things, but there are a few things you don't know about me and are very unlikely (I hope) to find out if you conduct a reasonably thorough investigation. Some people are in positions where they have to live something of a lie, which is uncomfortable, and I really don't want to judge them and say they deserve exposure without knowing the details. (I knew a guy who concealed his asthma from his employer because he thought it would impede his career if people knew that and not that he didn't let it slow him down.)

      But, yeah, I've been warned that somebody could find out where I lived if I did such-and-such, and had to point out that there are organizations that keep track of that to allow other people to contact me in the first place.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  10. There's no $$$ to be made in security by Anonymous Coward · · Score: 0

    More to the point, there is no money to be made in security. Not only does it cost money to implement, having real security *closes off* business opportunities. The entire Internet economy is BUILT on spying on you and selling your information!

    1. Re:There's no $$$ to be made in security by nobuddy · · Score: 1

      I beg to differ. I moved from sysadmin to security because this is where the growth is, and doubled my salary. I get headhunters and poachers several times a week trying to lure me away with wheelbarrows full of money. Companies are finally starting to realize they need to take security seriously.

    2. Re:There's no $$$ to be made in security by Anonymous Coward · · Score: 0

      Yes, companies are anxious to keep *themselves* from getting hacked. (And some companies are eager to sell their services to other companies to help them achieve it.)

      My point was that these same companies *don't give a damn* about *your* data security. What they want is unfettered access to and control of your data, not "privacy" for you. "By using this service, you agree to allow us to sell, share, etc. your data with our partners..." You have no control over what they do with it or who they give it to.

    3. Re:There's no $$$ to be made in security by DoofusOfDeath · · Score: 1

      I beg to differ. I moved from sysadmin to security because this is where the growth is, and doubled my salary. I get headhunters and poachers several times a week trying to lure me away with wheelbarrows full of money. Companies are finally starting to realize they need to take security seriously.

      Out of curiosity, what kind of money are you seeing people make for what you do?

    4. Re:There's no $$$ to be made in security by mlts · · Score: 2

      This is a good thing. In the past, a company would get breached, and it would have a minimal impact after paying for a PR campaign, definitely forgotten after six months.

      However, the Sony hack with E-mails leaked which got celebs mad and data destroyed is different. Before that, a company got hacked... but their data was still there, so a lot of managers just brushed it off. However, if an intrusion means that the entire company is unable to do business and likely will fail in days to weeks [1], security goes from something in the backseat that is perceived as having no ROI, to a major concern.

      This is a good thing. We have had solid security concepts since the 1970s, and most enterprise applications and devices can be well locked down. It is just using the functionality involved and making it work for that company/organization's culture.

      It also might get vendors focused on security, perhaps being able to standardize on things. For example, it would be nice to have a style of USB cryptographic token that works with anything, be it an AIX machine or a Windows box.

      Which means more money for those who can keep pace with security.

      [1]: There are a lot of businesses who decided to follow the hype and drop tape, and instead, go with tiers of SANs for backups. Backing up to SANs does provide decent protection against hardware faults.

      However, having all data accessible comes at a cost. A bad guy can log onto the SAN's backend and purge all data with just a single command. Once this is done, the data is gone, and because there are no backup tapes... there is no recovery possible. Even with SANs that replicate to different physical locations, the deletion will be replicated. Even more insidious is tampering over time where someone logs on a SAN, and just starts overwriting stored data that nobody ever accesses.

      It makes me wonder if tape will go from being laughed at as "retro" to being a primary medium for storage again. A pile of tapes stored offline will require physical access to destroy, as opposed to zeroing out everything with just one button. Even cloud "media" is easily destroyed if a blackhat gets enough access.
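
An added example, not code from the comment above or from any vendor it mentions, to illustrate the "slow overwrite of data nobody reads" failure mode. Replication copies a malicious write as faithfully as a legitimate one, so the question is how to notice that a backup object no longer matches what was originally written. One cheap control is a manifest of object hashes authenticated with a key that is kept off the storage network; the job that verifies the manifest runs on a schedule. The object names, the contents and the key below are constructed for illustration, and the key is hard-coded only so the block runs stand-alone.

```python
"""Detect silent tampering of always-online backup copies with a signed manifest.

Added example (not from the thread).  An attacker with SAN credentials can
still destroy data; what this prevents is tampering that looks like
"nothing changed" to the next restore test.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Assumption: generated once and stored OFFLINE (token in a safe, HSM, ...);
# only the verification job sees it.  Hard-coded here purely so the example runs.
OFFLINE_MANIFEST_KEY = b"example-key-kept-off-the-san"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(objects: Dict[str, bytes], key: bytes = OFFLINE_MANIFEST_KEY) -> bytes:
    """Serialize name -> (sha256, size) for a backup set and MAC the result.

    `objects` maps object name to content; in practice this is read from the SAN.
    """
    entries = {name: {"sha256": sha256(blob), "size": len(blob)}
               for name, blob in sorted(objects.items())}
    body = json.dumps({"objects": entries}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "hmac": tag}).encode()


def verify_manifest(manifest: bytes, objects: Dict[str, bytes],
                    key: bytes = OFFLINE_MANIFEST_KEY) -> Dict[str, List[str]]:
    """Compare the current backup set against a signed manifest.

    Returns lists under 'manifest_tampered', 'missing', 'modified' and
    'unexpected'.  Any non-empty list means the set is no longer the copy
    that was originally written.
    """
    report: Dict[str, List[str]] = {"manifest_tampered": [], "missing": [],
                                    "modified": [], "unexpected": []}
    outer = json.loads(manifest)
    body = outer["body"].encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    # The manifest lives next to the data, so whoever rewrites objects will
    # also try to rewrite it; without the offline key the MAC will not match.
    if not hmac.compare_digest(expected_tag, outer["hmac"]):
        report["manifest_tampered"].append("hmac mismatch")
        return report
    recorded = json.loads(body)["objects"]
    for name, meta in recorded.items():
        if name not in objects:
            report["missing"].append(name)
        elif sha256(objects[name]) != meta["sha256"]:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(objects) - set(recorded))
    return report


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


if __name__ == "__main__":
    # Constructed sample backup set.
    backup = {"db-2015-01.tar": b"alpha", "mail-2015-01.tar": b"beta"}
    manifest = build_manifest(backup)
    backup["mail-2015-01.tar"] = b"bets"          # one byte silently flipped
    print(verify_manifest(manifest, backup))
```

The size and hash are recorded per object rather than for the whole set so that a report names the object that drifted; a single whole-set hash would only say "something changed". The check is no substitute for an offline copy, which is the comment's actual point: it tells you the online copy is bad, it does not give you a good one.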

    5. Re:There's no $$$ to be made in security by Bob+the+Super+Hamste · · Score: 1

      I would love to find this out as well given the silly offers I have gotten. The worst offer I got was for $35,000 a year, which, for someone with 10 years of experience securing industrial control systems and 15 years of experience as a software engineer, I laughed at. Most of the unsolicited offers I have been getting have been for $50K-$60K but frequently there are the stupid low ones.

      --
      Time to offend someone
  11. the solution by slashmydots · · Score: 2

    My 14 year and still running policy of giving fake names, fake e-mails, fake phone numbers etc and no personally identifiable data other than my IP address to most online companies is working great. They ask me for data I don't want them to have and they get useless bullshit. Problem solved.

    1. Re:the solution by nobuddy · · Score: 1

      Same. Mr Homer J. Simpson of 742 Evergreen Terrace has a lot of internet accounts. That Ned Flanders that lives next door has a lot of porn accounts.

    2. Re:the solution by Bob+the+Super+Hamste · · Score: 1

      Although when doing things like this you may end up with Facebook believing that you are a gay Jew looking for a Jamaican lover to join you in Yellowknife, Canada. So to that end I believe I have sufficiently poisoned that well.

      --
      Time to offend someone
    3. Re:the solution by DocSavage64109 · · Score: 1

      I just had to update my information with my employer's insurance broker. Among the info they needed was name, address, SSN, and mother's maiden name. Assuming you have health insurance, your info is out there.

    4. Re:the solution by AK+Marc · · Score: 1

      And I've always used my real name and information and never had a problem.

    5. Re:the solution by slashmydots · · Score: 1

      You should look how many Rusty Shacklefords there are on Facebook. Get it? Dale from King of the Hill used it when he didn't want to give the government or a company his real name for privacy reasons?

    6. Re:the solution by Anonymous Coward · · Score: 0

      It's adorable that you think you're fooling those companies or subverting their intent in any way. They don't care that the name attached to their profile of you is Seymour Butts.

    7. Re:the solution by Opportunist · · Score: 1

      The added bonus is that you can very easily add the relevant information to your spam filter. Provided, of course, that you use a different pseudonym for different occasions.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
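
An added example, not code from the comment above or from anyone in the thread, showing the "different pseudonym per occasion, then spam-filter the one that leaks" approach in working form. It assumes a mailbox that accepts sub-addresses (user+tag@domain); the mailbox name, domain and secret are constructed for illustration. The tag is a keyed hash rather than the plain service name so an outsider cannot enumerate your aliases, and the registry records which alias went to whom so that mail arriving at a retired alias names the leaker.

```python
"""Per-service pseudonymous e-mail aliases used as a leak tracer.

Added example (not from the thread).  Assumed: sub-addressing support and
a secret known only to the mailbox owner.
"""
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

MAILBOX = "user"                      # constructed
DOMAIN = "example.org"                # constructed
ALIAS_SECRET = b"replace-with-a-real-random-secret"   # constructed


def alias_for(service: str, secret: bytes = ALIAS_SECRET) -> str:
    """Deterministic alias for a service, e.g. user+shopco-7f3a9c1d@example.org.

    HMAC rather than a plain hash: without the secret nobody can compute the
    alias for some other service, so spammers cannot mass-generate valid tags.
    """
    tag = hmac.new(secret, service.lower().encode(), hashlib.sha256).hexdigest()[:8]
    return f"{MAILBOX}+{service.lower()}-{tag}@{DOMAIN}"


class AliasRegistry:
    """Tracks which alias was handed to which service and which are retired."""

    def __init__(self, secret: bytes = ALIAS_SECRET) -> None:
        self.secret = secret
        self.issued: Dict[str, str] = {}     # alias -> service
        self.retired: Set[str] = set()       # aliases that started receiving junk

    def issue(self, service: str) -> str:
        alias = alias_for(service, self.secret)
        self.issued[alias] = service.lower()
        return alias

    def retire(self, service: str) -> None:
        """Call this once the alias shows up in spam: the service leaked or sold it."""
        self.retired.add(alias_for(service, self.secret))

    def classify(self, rcpt: str) -> Tuple[str, Optional[str]]:
        """Decide what to do with mail addressed to `rcpt`.

        Returns (verdict, service): 'deliver', 'spam' (retired alias, with the
        service that leaked it), 'forged' (looks like one of our tags but was
        never issued) or 'unknown'.
        """
        rcpt = rcpt.lower()
        if rcpt in self.retired:
            return "spam", self.issued.get(rcpt)
        if rcpt in self.issued:
            return "deliver", self.issued[rcpt]
        local, _, domain = rcpt.partition("@")
        if domain == DOMAIN and local.startswith(MAILBOX + "+"):
            return "forged", None
        return "unknown", None


if __name__ == "__main__":
    reg = AliasRegistry()
    shop = reg.issue("ShopCo")
    print(shop, reg.classify(shop))
    reg.retire("ShopCo")
    print(reg.classify(shop))          # ('spam', 'shopco')
```

The verdict for a retired alias carries the service name, which is the evidence the comment is after: not just "this is spam" but "this is spam because ShopCo gave my address away". The 'forged' verdict catches the obvious counter-move, guessing tags by service name, since a guessed tag will not match the HMAC.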
    8. Re:the solution by Anonymous Coward · · Score: 0

      Until men in white uniforms carrying a special jacket show up on your doorstep.

      They will claim that you are unbalanced and need help, and if anyone complains (other than you, because they would never listen to the shouting of a crazy person) they will just say "oh, won't you think of the children in his neighbourhood, this needs our help".

      It's all fun and games until someone needs you out of the way. The solution is just to not use these services... for the past 14 years I have been using email hosted on my own machine at home; I haven't had a need for any social media presence and thus have never signed up.

      Contrary to popular belief you do not need a social media account to be social.

    9. Re:the solution by Stormy+Dragon · · Score: 1

      And the online companies in question probably have deanonymized all those accounts and know exactly who is really behind them

      Example: How hard is it to 'de-anonymize' cellphone data?

      Researchers at MIT and the Université Catholique de Louvain, in Belgium, analyzed data on 1.5 million cellphone users in a small European country over a span of 15 months and found that just four points of reference, with fairly low spatial and temporal resolution, was enough to uniquely identify 95 percent of them.
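
An added example, not code from the comment or from the study it quotes, that runs the study's unicity test on a constructed toy dataset so the mechanism is visible: each trace is a set of (cell id, hour bucket) observations; take p points from one user's trace and count how many traces in the whole dataset contain all p. If exactly one does, those p points identify that user, and unicity is the fraction of users identified that way. The traces below are made up; the real study used 1.5 million users and low-resolution towers and hours, not four people.

```python
"""Unicity of location traces: how few observations single out one person.

Added example (not from the thread).  Dataset is constructed.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Set, Tuple

Point = Tuple[str, int]          # (cell id, hour bucket)
Trace = FrozenSet[Point]

# Constructed sample: bob and carol are near-identical, alice and dave are not.
TRACES: Dict[str, Trace] = {
    "alice": frozenset({("c1", 8), ("c2", 9), ("c3", 18), ("c1", 22)}),
    "bob":   frozenset({("c1", 8), ("c2", 9), ("c4", 18), ("c1", 22)}),
    "carol": frozenset({("c1", 8), ("c2", 9), ("c4", 18), ("c8", 22)}),
    "dave":  frozenset({("c5", 8), ("c6", 12), ("c7", 18), ("c5", 22)}),
}


def matching_traces(points: Set[Point], traces: Dict[str, Trace]) -> Set[str]:
    """All users whose trace contains every one of `points`."""
    return {user for user, trace in traces.items() if points <= trace}


def identified_by(user: str, p: int, traces: Dict[str, Trace]) -> bool:
    """True if some choice of p points from the user's trace is unique to them.

    The attacker holds p incidental observations (a receipt, a tweet, a
    badge swipe) and does not get to choose them, but the question "could
    p points ever suffice" is answered by checking every p-subset.  This is
    exponential in p and fine for a toy; the study sampled points at random.
    """
    trace = traces[user]
    if len(trace) < p:
        return False
    return any(matching_traces(set(combo), traces) == {user}
               for combo in combinations(sorted(trace), p))


def unicity(p: int, traces: Dict[str, Trace]) -> float:
    """Fraction of users whose trace is uniquely identified by p points."""
    hits = sum(identified_by(user, p, traces) for user in traces)
    return hits / len(traces)


if __name__ == "__main__":
    for p in (1, 2, 3):
        print(p, unicity(p, TRACES))
```

With the sample data one point identifies three of the four users and two points identify all of them; bob needs two because every single one of his points is shared with alice or carol. Note that the identifying points are mundane (a home tower at 22:00, a work tower at 8:00), which is why a fake name on the account does nothing against this kind of linkage.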

  12. Not all companies by mozumder · · Score: 0

    Apple doesn't care if they can't get to your encrypted data. If you lose your password to your encrypted iOS device and your primary computer, you're screwed.

    1. Re:Not all companies by Anonymous Coward · · Score: 1

      But be aware, your Mac logs virtually everything, and what the OS isn't logging, the Spotlight search feature is. Spotlight already sends a lot back up to the mothership. And if you call Apple for assistance and they ask you to use their system information and troubleshooting tool, it scoops up ALL the logs and ALL Spotlight metadata and sends them home. So they have information on what's in your machine's latest memory dump, every application that's installed, and quite possibly a lot of what applications may have been deleted. And they keep a file on every interaction based on your machine's serial number for reference on future calls in case of an ongoing support problem.

      On the one hand, it's quite a tool for good troubleshooting and customer service. But it's also a bit creepy.

    2. Re:Not all companies by ColdWetDog · · Score: 1

      This IS really annoying by Apple, even if you believe nobody (or nothing) actually looks at the data. Spotlight is always wanting to send this or that out and I've spent a lot of time moderating its bad behavior using Little Snitch.

      Apple *really* should mellow out and at least shut down the conduit. Even if you opt out of web searching with Spotlight, it STILL sends stuff back to Apple.

      --
      Faster! Faster! Faster would be better!
  13. Spot on about Google+ "pseudonymity" by Anonymous Coward · · Score: 0

    Schneier's comments describe perfectly the alleged pseudonymity that Google offers on their Google+ service. You are allowed to use a pseudonym, but only as long as Google knows which real name account lies behind it.

    Your right to privacy is respected, but only when Google is exempt.

  14. Did you read it? by danaris · · Score: 5, Insightful

    That's not what he said at all. I mean, I'm not disagreeing with you substantially, but that's completely separate from the actual point of the piece.

    It's all about the fact that, in order to do many or most of the things we want to do today, we have no choice but to give someone access to our data—but that almost everyone we could give that access to wants to (ab)use it to make money.

    More importantly, that's even true of those who actually want to help keep our data secure from others—even our governments.

    The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone—and that there are so many, even those that theoretically should be trying to do so, working directly against that end—is definitely something we need to be concerned about, far beyond simply bemoaning the stupidity of all the "lusers" who will happily give away their data for free because they just don't know any better.

    Dan Aris

    --
    Fun. Free. Online. RPG. BattleMaster.
    1. Re:Did you read it? by mlts · · Score: 2

      Devil's advocate here:

      What about DISA/NIST and their publications/guidelines? This is paid for by the taxpayers, and can be very useful, even though the info might be obvious in some places [1]. They have decent checklist guides on recent operating systems under their national vulnerability database.

      It is nice to be able to fetch info, even if one doesn't have to worry about stuff like FISMA and SCAP, just to have a decent baseline of security.

      [1]: Things like using group policies, not allowing multiple users to use the same account, etc.

    2. Re:Did you read it? by chihowa · · Score: 1

      The same NIST that pushed the adoption of Dual_EC_DRBG even when it was evident that it was flawed? I mean, even the organizations that nobody trusts, like the NSA, publish helpful guides and information.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    3. Re:Did you read it? by Demonoid-Penguin · · Score: 1

      It's all about the fact that, in order to do many or most of the things we want to do today, we have no choice but to give someone access to our data—but that almost everyone we could give that access to wants to (ab)use it to make money.

      The need to outsource (transfer responsibility) is fast becoming the "techno Nuremberg defence". tl:dr is just a symptom of the blame disease.

      If you can't take responsibility for the risks of your actions, or fail to understand and measure them - then you have no right to demand it of others. Especially if you're unable to see the irony of calling for a "major entity" to "keep our data safe" (sigh).

      Summary (for the Too Lazy:Dumb and Recalcitrant): if you won't do it (security) yourself for any reason, you are doomed to failure of your own making. Wishful thinking and "but it (the thing wot I don't understand - because I prefer to put more effort into justifying doing nothing than into learning) should be simple/safe" is the mantra of sheep whose investment in magical "thinking" demands the shepherd "care" for them (but fail to see the shepherd's incentive).

      Dan - that's a response to your comments which are a common "belief", not a criticism of you. A criticism of your belief is - if you find yourself in a position where you "believe" you have "no choice" but to cede responsibility you seriously need to ask yourself "do I really need to do x?" If you find the answer is yes you may find you've conflated "want" and "need".

      I'm sorry some find that offensive. I'm not sorry it offends them. They should take responsibility for the result of them lowering the standards and empowering the oppressors (tl:dr? they have the wrong end of the offense).

    4. Re: Did you read it? by Redmancometh · · Score: 1

      Summary (for the TDumb and Recalcitrant): if you won't do

      Post too long;didnt read

    5. Re: Did you read it? by Demonoid-Penguin · · Score: 1

      Summary (for the Too Dumb and Recalcitrant): if you won't do

      Post too long;didnt read

      (APK is that you? Damn, I must update muh hosts file) Sore lips or sore head? Try lube for the former, a grease gun for the latter

      Satire, sarcasm, and irony. The Holy Trinity

      My personal mission is make everyone equal - I've got the chainsaw and the club of knowledge, it's finding the time that's proving difficult.
      I figured the first place to start was with myself - so I cut off half a leg and the top part of my head (equalised my height and IQ). The bad news is it hurt, I lost a lot of blood, and wind farms make me ill. The good news is I woke up in Texas (Go Doggies!) with a new job as a cop stationed outside the local methadone clinic, and I've made lots of new (noo) friends at the local church (gotta love talking in tongues and rolling around). The fact most are called Bubba makes remembering names a hole lott easieuh.
      I used to think evolution wasn't horizontal. Now I don't think and I know evolution is a commie/pinko/lesbian lie (I saw it on Fox so it must be true).

      Life is a roller coaster - what you lose on the ride you gain on the merry-go-round (especially if you've been eating corn dogs).

  15. Slashdot + HTTPS = When? by Anonymous Coward · · Score: 0

    Speaking of security, how about some end to end TLS (with pinning) in the near future?

  16. There is one major entity - Apple by SuperKendall · · Score: 4, Insightful

    The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone

    Apple does this. Look at HealthKit for example, all data is stored locally, Apple doesn't mine it. They allow you to control who has what access to specific parts of the data.

    It's not exactly true of all data, but Apple tries to give you specific control of data where it can.

    The reason why Apple does this and other companies do not is simple - Apple actually makes money selling hardware. Google and Facebook have no revenue except what they can extract from your data, so they have totally different motivations.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:There is one major entity - Apple by danaris · · Score: 3, Insightful

      The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone

      Apple does this. Look at HealthKit for example, all data is stored locally, Apple doesn't mine it. They allow you to control who has what access to specific parts of the data.

      It's not exactly true of all data, but Apple tries to give you specific control of data where it can.

      The reason why Apple does this and other companies do not is simple - Apple actually makes money selling hardware. Google and Facebook have no revenue except what they can extract from your data, so they have totally different motivations.

      This is true—I tend not to think of Apple as "an entity working to keep our data safe," since I primarily think of them as a hardware/OS vendor. But yes, any data Apple does happen to hold of yours is as safe as they can make it from those who want to monetize it—and they don't care to do so themselves.

      Dan Aris

      --
      Fun. Free. Online. RPG. BattleMaster.
    2. Re:There is one major entity - Apple by DoofusOfDeath · · Score: 0

      Apple does this. Look at HealthKit for example, all data is stored locally, Apple doesn't mine it. They allow you to control who has what access to specific parts of the data.

      Do we really know that for sure?

    3. Re:There is one major entity - Apple by poetmatt · · Score: 0

      "Apple doesn't mine it"

      Yeah, ok. Show me where/how you can guarantee that any more than anyone else who already has your data? Apple in this case *already has your data* without HealthKit. Apple is identical to Google and Facebook and every tech company that collects user data in this regard.

    4. Re:There is one major entity - Apple by Anonymous Coward · · Score: 0

      So the last time iCloud was hacked there was nothing to be gotten because all the data was end-to-end encrypted so only the user could decrypt it? And Siri only does offline voice recognition and never sends sound clips to Apple for data mining?

    5. Re:There is one major entity - Apple by Anonymous Coward · · Score: 0

      iCloud was "hacked" by knowing the user's passwords, so your proposed "solutions" don't work.

    6. Re:There is one major entity - Apple by SuperKendall · · Score: 1

      And Siri only does offline voice recognition and never send sound clips to the Apple for data mining?

      "It's not exactly true of all data"

      I said that explicitly thinking of Siri. They absolutely send that raw voice data to Siri but in theory the server could only be doing processing, to convert the speech to text and then return you a result.

      The question is what is remembered from that transaction. Do they use that data to improve further conversions? I would imagine so. But what I DON'T think Apple does is remember that you personally asked Siri to look for ice cream stores at 7pm. All the processing being done on the server though, there's no way to say for sure, except to say that Apple does not benefit from keeping data like that since they don't sell it to anyone or use it themselves.

      HealthKit is much more sure - all of the data is from local sensors, locally stored. You don't HAVE to back up anything to iCloud and I'm not even sure it does get backed up there anyway (in fact the more I think about it the more I am pretty sure that does not happen). You can easily monitor, if you wish, what data leaves your device for a while to be sure it's not transmitting anything.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    7. Re:There is one major entity - Apple by Anonymous Coward · · Score: 0

      Ok fanboi, keep believing what you want. I guarantee you they are mining your iTunes/iCloud data. And if you have "Hey, Siri" enabled they are listening to everything picked up by the mic on your iPhone.

      You are correct that Apple revenue in the market comes from the hardware, but that doesn't mean they aren't using the data collected by the software.

    8. Re:There is one major entity - Apple by Anonymous Coward · · Score: 0

      Yes. We know that Apple products don't send regular messages back to Apple, because we can audit the traffic.

      What we don't know is if there is logic encoded in Apple products either for NSA use, or for their own use, in the event that you become a nuisance.

  17. I hate everything he said by TheCastro1689 · · Score: 1

    I don't want companies and apps having any of my information. They want it, and in exchange for using their services I have to hand it over for them to lose. Yet somehow they aren't responsible for that loss. Then all the "someone else" stuff is really that you want an ecosystem that works on your computer or phone; true, I do want it to work together, but I don't want them knowing anything about my pics or texts or whatever. The last part is ridiculous. The only, only, only reason I need to be able to do a password recovery is because all of these sites don't allow me to use the password I want and nothing less or more. The fact that some demand a capital and don't accept certain punctuation annoys the hell out of me. And without a password saver or some sort of requirements hint on the log in it's all guessing if I frequent the site very little.

  18. Open Source FTW by mrflash818 · · Score: 2

    partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you

    ...Open Source software, FTW!

    --
    Uh, Linux geek since 1999.
    1. Re:Open Source FTW by BarbaraHudson · · Score: 0

      partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you

      ...Open Source software, FTW!

      You mean like the OpenSSL Heartbleed bug? Or the bash ShellShock bug?

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Open Source FTW by Anonymous Coward · · Score: 0

      Yes, unlike the closed source bugs it's ILLEGAL to find and fix.

    3. Re:Open Source FTW by BarbaraHudson · · Score: 1

      How many people actually look for bugs? ShellShock has been around since September 1989. Or Heartbleed, since the end of 2011? Or the multiple security holes in pgp and gpg?

      A programmer who isn't familiar with the codebase and tries to do a quick fix will probably introduce as many bugs as they fix.

      For the vast majority of users, it doesn't matter if it's open or closed - they can't fix it.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  19. Mod Parent Up by Anonymous Coward · · Score: 0

    Albert King references deserve an automatic +5.

  20. Breaking News! by SeaFox · · Score: 2

    Security is inversely proportional to convenience.

  21. Confused terminology by stevez67 · · Score: 1

    In this, like in so many articles and comments, there is a lot of confusion about the terms security, privacy, and secrecy, equating them as being the same thing. One thing they have in common is that they're each inversely proportional to convenience and violating one compounds the breach of the others.

    1. Re: Confused terminology by Anonymous Coward · · Score: 0

      imagine that. 2 dumbfuck statements in a row

  22. Time to sing along! by Em+Adespoton · · Score: 1

    This tech is your tech
    This tech is my tech
    From the lowly Bitcoin
    To SSL/TLS
    From the AES cipher
    To S/MIME and GPG
    This tech was made by you and me.

    1. Re:Time to sing along! by phantomfive · · Score: 1

      To SSL/TLS

      That line is tough to sing.

      --
      "First they came for the slanderers and i said nothing."
  23. Maybe it's time to start over by lhowaf · · Score: 1

    The Internet has turned out to be an ugly, hostile den-of-thieves. It isn't going to get better because the thieves own it. Maybe we should abandon http and the World Wide Web and build something with inherent security and anonymity.

    1. Re:Maybe it's time to start over by Opportunist · · Score: 1

      Ok, how do we keep governments and industry out of it AND still provide funding for it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  24. Nice play on words by Anonymous Coward · · Score: 1

    Google and Facebook want *your* data to be safe — on their servers so they can analyze it.

    No

    They want their data to be safe on their servers so they can analyze their data as they see fit. Private property: essential to liberty and freedom.

  25. What Schneier is saying, as interpreted by Homer.. by DavidHumus · · Score: 1

    Can't someone else do it?
    https://www.pinterest.com/pin/...

  26. What? by freeze128 · · Score: 2

    We're not our worst enemy. We are how we are and it's impossible to change it. Try explaining to your mom that she needs to enter an overly complicated password and then receive a code through SMS and then type that code manually in a little text box every time she wants to look at each of her grandkids' pictures. Won't work. And it's not because your mom is lazy, but because the perceived need for security for such data is very low.

    I don't agree with this. it *IS* possible to change. The internet userbase has already done it!

    In the early days of computers, they were difficult to use. They used cryptic commands, offered no gui, and had limited help. But we used them. We made them do amazing things. Then as computers became more powerful, and cheaper, they also came with GUIs and help, making them easier to use.

    They didn't have to!

    We had already learned how to use the complex computers, so we don't NEED the GUIs.

    The same is true for file servers. Up until the mid 2000's, every company that wanted a website had their own web server. Many had internal file servers. They were secure, and they were only accessible by the people who needed to access them. Then, when "the cloud" became a popular buzzword, the companies started relinquishing control of the servers to third parties. THEY DIDN'T HAVE TO! If you want security, keep your servers to yourself!

    1. Re:What? by war4peace · · Score: 1

      Nope. "We" didn't use it. A few select people used it.
      That's a big difference.

      Yes, a company can keep the servers to themselves, and thus give up other advantages. Again, balancing one with the other holds true.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  27. Security's hurdle - being useful for something by Coolfish · · Score: 1

    Why haven't we fully embraced security, as consumers? Even as business, we do a lousy job of it. It's because we don't get anything out of it. Immediately. It isn't immediately useful. Yes, it's great if someone hacks your servers, or if you know someone is trying to steal your identity, then you think about it. But other than that, security just makes you WORK rather than give you something. That's why it hasn't been embraced.

    Here's how I think that can change. We need to build a service that anyone, and everyone, can use. That provides you with immediate benefits, even as a consumer, as well as a business. What could this be?

    Maybe it's just me, but for me, the fundamental issue here is identity, and the attached personally identifiable information (PII). Identity and PII are the link between consumer and business, and they're required by everyone. Your identity (login/pass) to /., facebook, twitter, your bank, your email, your other email that your partner doesn't know about but really they're just pretending, they know it's over, they've been hitting the gym and got a lawyer, and how did you not notice that they've been off facebook for 3 weeks? They're getting a divorce attorney right now. You're screwed. All of these logins require an effort on your part - creating them, and then remembering the passwords. And then remembering to change them on occasion. It's a lot of work, and it's ripe for a service to handle it. But a password wallet? How is that enough, there are tons of them already, you dingus. I know that. That's why I'm not talking about a password service, but an identity service. One built on a cryptographically secure network. A distributed network. An open and public network, that doesn't require significant energy requirements because artificial scarcity is great for currency, but absolutely useless for identities. One that any business that wishes to maintain a connection with their client will use. A network that will allow a business to manage their own internal identities, and associated groups, to avoid having to store passwords.txt in the passwords folder. An identity network that will allow the user to control what PII is associated with an identity, whether that identity is public or private, and to manage requests for authorizations to use PII externally of the system. A method to track and manage identity/PII use and ensure accountability in its use. A network that allows the quick and easy creation of wallets - sorry, I mean identities, really, I'm not talking about the *coin network, artificial scarcity is useless for identities remember, and add them to their own list of identities. A method to post short messages/notifications, encrypted with the public key of the identity and for that message to be passed on, or left for passive retrieval, to the final destination. In short, a simple to use identity service that lets you connect with others, be they anon or a corporate entity, and control/monitor its use of your information. On the plus side, the PII remains encrypted and the business has less to worry about getting hacked.

    wo/man, I'm hoping someone out here is smarter than I am and gets what I'm talking about and can help me figure it out.

  28. Erh... Bruce, I usually like your insightful posts by Opportunist · · Score: 1

    But this one is one of the "gee, really, you don't say?" kind.

    OF COURSE everyone wants to be the only one who has access to something. Monopolies are something really awesome, and only cool if they are, well, monopolies.

    Data is worthless if everyone has it, only if you have the exclusive ability to use it it becomes valuable. In our world, the value of something is determined by its scarcity. Data is now something that can, by its very nature, be reproduced with near zero cost in infinite amounts. It only becomes a commodity if you control when, how and most of all if that data may be reproduced.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  29. Re:Erh... Bruce, I usually like your insightful po by Coolfish · · Score: 1

    Hm, I think data doesn't have to be worthless if everyone has it, it has worth to those who take the time to do something with that data. For everyone else, it's worthless. E.g. if the inner details of a business's day-to-day were public and accessible to all - you might not care, particularly if the business isn't nearby, but a competitor would definitely be interested, or regulators looking for fraud, etc. I get what you're saying, and I'm not trying to be pedantic, but the value doesn't automatically decrease to zero. It decreases to whatever it is those who have access to it value it for (e.g. the amount of effort they'll put into it).

  30. Encoding vs Encrypting. by Kittenman · · Score: 1

    In the following example:
    "Mother" is the Chief of Staff
    "Uncle James" is the head of state,
    "Maisie's house" is the UN building
    "Fishing" is 'discussing nuclear limitations'
    "Peeling Plums" is 'advising of invasion plans for country xxx'

    Message starts: "Mother and Uncle James are on their way to Maisie's house to peel some plums. After that they hope to go fishing, then see a movie. Have a lovely weekend. Cousin Sam"

    Message is indecipherable without a code book.

    --
    "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
  31. I don't agree by endus · · Score: 1

    The sad fact is that most companies aren't even implementing basic controls that everyone knew were important 10 years ago. If you look at a lot of the high profile breaches, they're due to fundamental stuff, not a lack of super high end ultra-expensive security appliances. It's something consumers reasonably expect companies to be doing, but they aren't doing.

    I believe it is possible to have companies manage things and have good security. You could accomplish this by having individual consumers take more responsibility for their information, but it's more likely and more effective that "we" would take more responsibility for our information through market pressure, standards, etc.

    The most likely form for this to take right now is through standards and compliance. The improvements in the situation are being driven by this now. We're not there yet, but it's improving.

    The area where I do agree, though, is that it will be difficult to have effective security and privacy without legal support. The government is completely full of shit when it comes to information security, as they are full of shit when it comes to so many things. The NSA's efforts to compromise encryption and product security are a great example of this.

    On the other hand there are laws like HIPAA. HIPAA is so vague, and yet it has been effective in driving change in the healthcare industry. Again we're not "there" yet, but things are changing at a relatively rapid pace. HIPAA is actually a good example of where the government was not overly prescriptive, but does enforce substantive penalties for noncompliance with very general common sense requirements. On the other hand you have industry regs like PCI which are extremely prescriptive and have had a similar effect. Consequences are the only reason why PCI is having an effect as well...

  32. Re:There is one major entity - Apple. Not. by ikhider · · Score: 1
    --
    "SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
  33. Oh Yeah Mr Electrical Engineer by Anonymous Coward · · Score: 0

    Because as soon as you communicate a little longer you will provide more than enough context to break this "ingenious cipher".

    Boy, get yourself an internet and look up "JN-25" or "Kriegsmarine code books Naval intelligence".

    These codes were much more advanced and still broken, because they were no real One-Time codes.

    Please send me $100 for my educational services via Paypal at noob.educator@yandex.com

  34. Consumers fault, but not the way most think by DriveDog · · Score: 1

    It's not that typical users don't understand how anything works and aren't willing to find out (though that annoys many of us). It's that they're busy salivating over the latest hyped product ("can't wait for 6!") instead of demanding decent security and demanding that things be done right. When did parents stop teaching their kids to not take candy from a stranger? Everyone's eating apples with razor blades and only complaining when they nearly bleed to death.

  35. So we are stupid... I knew that. by Anonymous Coward · · Score: 0

    So we are all a bunch of idiots. Lazy. Void of responsibility.

    Yeah... I knew that. What most don't know is "we" is also who is in charge of securing your data.

    They/we don't do any better job of it than I/we could.

  36. We are all elitist pigs. by FreedomFirstThenPeac · · Score: 1

    We need to remember that most of us would not know how to create a financial derivative wrapping up bad mortgages into a pretty package and then selling them to banks who then get the government to cover the losses at the high end leaving the luzr$ holding underwater assets that they have to just give up. $12T worth of equity vanishing in the process. Yet these are the guys who pay us the best. The "techs" who lurk at the fringe, and who do not really know a packet from a pickle should be treated like physician's assistants or paralegals. Useful to do the routine stuff, but needing tech supervision or nudging aside when the going gets tough. They might be the hardware guys opening the hood and putting in the parts, while we wait at the keyboard to make it work. In a repair shop, it makes sense to form these sorts of teams, but for on-site delivery it is usually a one-man team, and in that case, we need to be careful to send in the paratechs only when called for, sending in the true techs when necessary. In the end, it is about education. Educate the users about why they sometimes only need the power user, sometimes the paratech and sometimes the tech. Educate the support spectrum to have proper (if limited) respect for each other and keeping each level engaged.

    Sheesh, you'd think we thought being techie qualified us to do brain surgery, for crying out loud.

    --
    "There is no god but allah" - well, they got it half right.