<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: overwhelm]]></title>
    <link>http://securityratty.com/tag/overwhelm</link>
    <description></description>
    <pubDate>Wed, 13 Feb 2008 14:45:40 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Terrorism Fear Could Create Psychosomatic Epidemic, Feds Warned]]></title>
      <link>http://securityratty.com/article/4b027b4bf4cd3218e7de6ef01c7c59e0</link>
      <guid>http://securityratty.com/article/4b027b4bf4cd3218e7de6ef01c7c59e0</guid>
      <description><![CDATA[Fear of terrorism could lead to a "fake" epidemic in the wake of a real or perceived attack that could overwhelm the nation's hospitals, government analysts warned hospitals in 2006. The newly leaked...]]></description>
      <content:encoded><![CDATA[Fear of terrorism could lead to a "fake" epidemic in the wake of a real or perceived attack that could overwhelm the nation's hospitals, government analysts warned hospitals in 2006. The newly leaked document says fear led to outbreaks of "psychogenic illnesses" in Chechnya, Japan and even once in California.]]></content:encoded>
      <pubDate>Mon, 15 Sep 2008 16:01:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fear">fear</category>
      <category domain="http://securityratty.com/tag/fear led">fear led</category>
      <category domain="http://securityratty.com/tag/psychogenic illnesses">psychogenic illnesses</category>
      <category domain="http://securityratty.com/tag/government analysts">government analysts</category>
      <category domain="http://securityratty.com/tag/terrorism">terrorism</category>
      <category domain="http://securityratty.com/tag/hospitals">hospitals</category>
      <category domain="http://securityratty.com/tag/epidemic">epidemic</category>
      <category domain="http://securityratty.com/tag/nation">nation</category>
      <category domain="http://securityratty.com/tag/lead">lead</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/393699540/terrorism-fear.html">Terrorism Fear Could Create Psychosomatic Epidemic, Feds Warned</source>
    </item>
    <item>
      <title><![CDATA[The Not-So-Sweet Life of Supplicants]]></title>
      <link>http://securityratty.com/article/a7513e6c4a71a61081c2aa1aef143439</link>
      <guid>http://securityratty.com/article/a7513e6c4a71a61081c2aa1aef143439</guid>
      <description><![CDATA[There are plenty of integration and configuration challenges when we look at 802.1X, but one of the most notable issues is choosing the right supplicant to best serve your end users.
Some of the major...]]></description>
      <content:encoded><![CDATA[<P>There are plenty of integration and configuration challenges when we look at <A title="802.1X Primer" href="http://securityuncorked.squarespace.com/security-uncorked/2008/4/2/what-is-8021x-heres-a-technology-primer-for-you.html">802.1X</A>, but one of the most notable issues is <strong>choosing the right <A title="What is a supplicant?" href="http://securityuncorked.squarespace.com/security-uncorked/2008/6/5/know-the-difference-between-a-nac-client-and-a-1x-supplicant.html">supplicant</A> to best serve your end users</strong>. </P>
<P>Some of the major obstacles we face with 802.1X center around creating a smooth end user experience.&nbsp; We, as integrators, have the distinct ability to make &#8216;whatever&#8217; work- we find a way. But, what I hear most from my customers is &#8220;<em>it has to be easy for the end user.&#8221;</em>&nbsp; (Sometimes they go on a little further, but I&#8217;ll leave it at that.)</P>
<P><strong>Why does it matter?</strong> </P>
<P>Wireless, wireless, wireless. Although&nbsp;wired 1X is&nbsp;popular&nbsp;with our customer-base, the world isn&#8217;t quite flocking to it yet. However, 802.1X is certainly the best way to increase security and ease management of wireless networks. It&#8217;s standard, it&#8217;s flexible, it&#8217;s widely-supported by devices and endpoints and it eliminates the need for pre-shared keys or secondary passwords. It&#8217;s what most enterprises, government&nbsp;and educational organizations are implementing now, so it&#8217;s important. </P>
<P><strong>What are some of the problems?</strong> </P>
<P>The end user will have some adjustments to make, and network admins and support desks aren&#8217;t always thrilled with the prospect of re-training users for these expectations.</P><span>
<ul>
<li>First of all, the <span style="TEXT-DECORATION: underline">time to authenticate</span> and connect to the network is going to drastically increase. I say drastically- it&#8217;s only a few seconds- but I&#8217;m sure it feels like minutes to a new 1X end user. 
<li>In addition, we&#8217;re in a transition and growing period where we&#8217;re trying to integrate and authenticate multiple pieces- the machine and/or user as well as any other clients residing on the endpoint, so there can be <span style="TEXT-DECORATION: underline">single-sign-on issues</span>. Not SSO in the traditional sense, but single-1X-sign-on vs logging in to authenticate and open the port, logging in again to get to network resources (such as Novell). 
<li>There may also be issues supporting <span style="TEXT-DECORATION: underline">multiple profiles</span>, so end users may need to understand the concept of enabling 802.1X on an interface at their office, then disabling it when they go home. 
<li>Or perhaps, in a shared or lab-type environment, we may have multiple unique users logging in to the same endpoint device, so we have to make it easy for end users to <span style="TEXT-DECORATION: underline">log off so there&#8217;s a forced re-auth</span> for the next user. </li>
</ul>
<P>There are plenty more, but this hits on the major concerns of most organizations planning to implement 802.1X (wired or wireless).</span></P>
<P><strong>How do we address the issues?</strong></P>
<P>There are different ways to deal with the complexity of supplicant and end-user interactions. First and foremost, a good <span style="TEXT-DECORATION: underline">end user training</span> program will be needed. There&#8217;s a learning curve, but eventually end users will get it- we just have to make sure the transition from &#8216;now&#8217; to &#8216;got it&#8217; is smooth and doesn&#8217;t overwhelm help desk resources. </P>
<P>As the operating systems and clients progress, we&#8217;re seeing <span style="TEXT-DECORATION: underline">more integration</span> and the ability to share 802.1X information between disparate pieces of the endpoint. </P>
<P>In the meantime, there are also <span style="TEXT-DECORATION: underline">3rd-party supplicants</span> that can ease several of the pains. <A class=offsite-link-inline title="Cisco SSC" href="http://www.cisco.com/en/US/products/ps7034/index.html" target=_blank>Cisco&#8217;s&nbsp;Secure Services&nbsp;Client</A>&nbsp; (acquired from Meetinghouse&#8217;s Aegis supplicant) and <A class=offsite-link-inline title="Juniper OAC" href="http://www.juniper.net/products_and_services/aaa_and_802_1x/odyssey/index.html" target=_blank>Juniper&#8217;s Odyssey Access Client</A>&nbsp; (acquired from Funk) both offer options and configurations not currently available in native OS supplicants. (For example, both offer the GINA shim for integrating Windows 1X login with Novell as well as multiple profile support.) Although I haven&#8217;t tried it, my understanding is you can still operate both of these clients independent of the controllers provided from the same vendor. </P>
<P><strong>Is it a deal-killer?</strong> </P>
<P>It can be. The struggle to provide a smooth transition for end users is often a deal-killer for organizations looking at deploying 802.1X. Although there are ways to combat most of these obstacles, often the time, planning and money required to&nbsp;proceed make it unattractive enough to abandon the project. In most cases, the more heterogeneous the endpoint environment is, the less attractive the solution becomes. In an all-Microsoft environment, you can have an 802.1X framework up in a matter of hours. With a mix of authentication directories, endpoint OSs and user expectations, you could spend weeks or&nbsp;months ironing out the details.</P>
<P><strong>The good news.</strong></P>
<P>Yes, there&#8217;s some good news here. The increased adoption of 802.1X is continually leading to increased integration of the software, operating systems and clients on endpoints. While 802.1X may never reach &#8216;plug-and-play&#8217; status, pretty soon the integration will reach a point where configuration is simplified enough for more wide-spread adoption, even in the most diverse environments. </P>
<P>Just hang tight, we&#8217;ll get there!</P>
]]></content:encoded>
      <pubDate>Wed, 23 Jul 2008 11:23:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/user">user</category>
      <category domain="http://securityratty.com/tag/end-user interactions">end-user interactions</category>
      <category domain="http://securityratty.com/tag/user experience">user experience</category>
      <category domain="http://securityratty.com/tag/machine andor user">machine andor user</category>
      <category domain="http://securityratty.com/tag/users">users</category>
      <category domain="http://securityratty.com/tag/multiple unique users">multiple unique users</category>
      <category domain="http://securityratty.com/tag/user expectations">user expectations</category>
      <category domain="http://securityratty.com/tag/endpoint">endpoint</category>
      <category domain="http://securityratty.com/tag/expectations">expectations</category>
      <source url="http://www.securityuncorked.com/security-uncorked/2008/7/23/the-not-so-sweet-life-of-supplicants.html">The Not-So-Sweet Life of Supplicants</source>
    </item>
    <item>
      <title><![CDATA[You'll have to pay better attention soon.]]></title>
      <link>http://securityratty.com/article/57764832db2127e578d9f2d25ce2bd38</link>
      <guid>http://securityratty.com/article/57764832db2127e578d9f2d25ce2bd38</guid>
      <description><![CDATA[I really hope this works. It will serve to educate users faster about the dangers of online safety. On the other hand, I don't think it will cut down on the number of infections anytime soon.


clipped...]]></description>
      <content:encoded><![CDATA[<div>I really hope this works. It will serve to educate users faster about the dangers of online safety.<br/>On the other hand, I don't think it will cut down on the number of infections anytime soon.</div>
<table cellpadding="0" cellspacing="0" width="100%" style="margin: 12px 0px; font-family: arial; color: #333333; background: #ffffff; border: solid 4px #e5e5e5; width: 100%; clear: left;">
<tr>
<td valign="top">
<table cellpadding="0" cellspacing="0" width="100%" class="CM_CTB_Content_Wrap" style="margin: 0px; padding: 0px;background-color: #ffffff;">
<tr>
<td valign="top">
<table cellpadding="0" cellspacing="0" width="100%" style="border-bottom: solid 1px #dcdcdc; white-space: nowrap; margin-bottom: 8px; background-color: #eeeeee ;background-image: url(http://clipmarks.com/images/source-bg.gif); background-repeat: repeat-x; height: 24px; line-height: 24px; vertical-align: middle; padding-bottom: 4px; color: #666666; font-size: 10px;">
<tr>
<td valign="top"><a href="http://clipmarks.com/clipmark/44B0A69E-7711-4F94-8275-D5FA017FCD60/" title="go to this clipmark"><img src="http://content.clipmarks.com/blog_icon/24d2c464-28dc-4e40-b4e8-8ca9af403e43/44B0A69E-7711-4F94-8275-D5FA017FCD60/" alt="" width="19" height="19" border="0" style="vertical-align: middle; margin: 0px 4px; display: inline; border: none; float:none;" /></a>clipped from <a title="http://www.pcworld.com/article/id,147374/article" href="http://www.pcworld.com/article/id,147374/article" style="font-size: 11px;">www.pcworld.com</a></td>
</tr>
</table>
<table cellpadding="0" cellspacing="0" width="100%" style="text-align: left; padding: 0px 8px; margin: 4px 0px 8px 0px; background: transparent; border: none;">
<tr>
<td valign="top"><!-- CLIPPED FROM: http://www.pcworld.com/article/id,147374/article -->
<div style="margin: 4px 0px; color: #000000; font-size: 20px;">Coming: A Change in Tactics in Malware Battle</div>
</td>
</tr>
</table>
<div style="height: 2px; font-size: 2px; background: #dcdcdc; border-bottom: solid 1px #f5f5f5; margin: 2px 4px;"></div>
<table cellpadding="0" cellspacing="0" width="100%" style="text-align: left; padding: 0px 8px; margin: 4px 0px 8px 0px; background: transparent; border: none;">
<tr>
<td valign="top"><!-- CLIPPED FROM: http://www.pcworld.com/article/id,147374/article --><P>As a vast flood of new malware threatens to overwhelm antivirus software, security companies have begun changing how their programs protect PCs. To avoid being left in the dust by the crooks, companies plan to turn the tables on them by allowing only known good programs to run. </P></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
]]></content:encoded>
      <pubDate>Thu, 26 Jun 2008 10:04:28 +0000</pubDate>
      <category domain="http://securityratty.com/tag/programs">programs</category>
      <category domain="http://securityratty.com/tag/programs protect pcs">programs protect pcs</category>
      <category domain="http://securityratty.com/tag/overwhelm antivirus software">overwhelm antivirus software</category>
      <category domain="http://securityratty.com/tag/online safety">online safety</category>
      <category domain="http://securityratty.com/tag/companies plan">companies plan</category>
      <category domain="http://securityratty.com/tag/malware threatens">malware threatens</category>
      <category domain="http://securityratty.com/tag/security companies">security companies</category>
      <category domain="http://securityratty.com/tag/infections anytime">infections anytime</category>
      <category domain="http://securityratty.com/tag/users faster">users faster</category>
      <source url="http://spywarebiz.com/spywarebizblog/?p=485">You'll have to pay better attention soon.</source>
    </item>
    <item>
      <title><![CDATA[It Changed My Life: My Review of "Geekonomics"]]></title>
      <link>http://securityratty.com/article/ce5a150d2a3535e99026bfc049072487</link>
      <guid>http://securityratty.com/article/ce5a150d2a3535e99026bfc049072487</guid>
      <description><![CDATA[As I am sitting here - yes, you guessed right! - on a plane, I cannot stop thinking about the book "Geekonomics" (book site) which I just finished reading (earlier impressions here and here). The...]]></description>
      <content:encoded><![CDATA[<p>As I am sitting here - <em>yes, you guessed right!</em> - on a plane, I cannot stop thinking about <a href="http://www.amazon.com/Geekonomics-Real-Cost-Insecure-Software/dp/0321477898">the book "Geekonomics"</a>(<a href="http://geekonomicsbook.com/">book site</a>)&nbsp; which I just finished reading (earlier impressions <u><a href="http://chuvakin.blogspot.com/2008/05/paranoia-acting-up-or-just-being.html">here</a></u> and <u><a href="http://chuvakin.blogspot.com/2008/04/on-geekonomics.html">here</a></u>). The way it ends, BTW, just kicks you in the balls, hard (look up what Mr Petrov did on Sept 26, 1983 and why, if you are already curious)!</p> <p>Call me easily impressible, call me naive, darn, call me "out of touch with current security issues," but this book struck a major, major chord with me. It really did.</p> <p>Now, I have experienced as much poor quality and insecure software as the next guy. I am never ever surprised about some feature in MS Office (or other application, really) just flat out not working or not working as expected or not working every time.</p> <p>I suspect that, by now, every human on Earth who ever laid their hands on a computer knows:</p> <p><strong>software = might NOT work.</strong></p> <p>Now, we expect roads, bridges, toasters, chainsaws, bicycles, cars (until they put software in them...) to work and work they do. And if they don't - the company who manufactures them usually makes them work for us fast - or goes away, cut down by the "benevolent" axe of capitalism. Now, software is <strong>totally</strong> different (<a href="http://chuvakin.blogspot.com/2007/05/are-you-mad-are-we-all.html">my thinking</a> about this one).</p> <p>And <strong>everybody</strong> knows it. But nobody was brave enough to take a hard look at this and analyze how that simple fact affected, affects and will affect our society. And, for my extra-paranoid readers: "... 
and how it might <em>end</em> that very society."</p> <p>Until "<a href="http://www.amazon.com/Geekonomics-Real-Cost-Insecure-Software/dp/0321477898">Geekonomics</a>!"</p> <p>This book might not reveal any secrets about how software works to an IT professional (it will reveal how law works though!), but it will explain why bad software is everywhere, why we are stuck with it, why it will not improve by itself and - sorry for a hysterical note here! - how <em>we might all fucking die</em> because of it. It then unemotionally predicts why more people will certainly die because of bad software. It studies the complicated dynamics of today's software market such as who is more at fault for bad software - buyers who agree to buy or vendors who make it (or both). It also suggests that many of today's regulations and compliance "thingies" are a little misguided (e.g. in a battle between a PCI DSS-compliant enterprise and a 0-day-wielding hacker, any sane person will bet on an 0-day). It is also very well-written; it won't bore an experienced IT or security pro and it will not overwhelm a mere IT user.</p> <p>First, it explains why the software is the "foundation of our civilization" today, and how it will be more so in the future. Next, it casts a look at "innovation" and ponders how innovation-driven software development relates to the fact that users don't touch 90% of features of a typical software. In the third chapter it presents the view of the "0wned world" where "only the stupid [cybercriminals] get caught." The next chapters look at how government oversight works in other areas (e.g. FDA), how it might work - and how it might fail (and did fail in the past). While doing it, the book dispels the "government will just make it worse" myth (basically, because some things are really bad and quickly streaming towards worse already). 
The amazing chapter 5 gives the clearest explanation of litigation (torts, etc) that I have ever seen (the book is worth reading just for chapter 5 alone!). Chapter 6 takes a super-pessimistic look at open-source software (no comment - just read it). Finally, several possible futures - "the way forward" - are discussed. </p> <p>Another thing I would like to mention about this book is that a reader should keep in mind that it is not about "<em>insecure</em>" software: it is about bad quality, <em>unsafe</em> software in general and less about "hackable" software. The author chose to not make this distinction very clear, perhaps on purpose.</p> <p>So, everybody in software business, security business - in fact, just everybody who uses a computer - <strong>MUST READ THIS BOOK!</strong> Seriously, understanding the point made there might be a matter of life or death for some (all?) of us.</p> <p>As a conclusion, if you want the visual image of the future to end my review, here it is: it is not "Terminator" future (where machines kill people out of evil) that we must fear and work to prevent, but "Robocop" future (where they do due to software bugs).</p> <p><a href="http://lh6.ggpht.com/anton.chuvakin/SEiKbme3mxI/AAAAAAAADtA/InRvJpCVEmM/s1600-h/Robocop_VS_Terminator3.jpg"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="158" alt="Robocop_VS_Terminator" src="http://lh3.ggpht.com/anton.chuvakin/SEiKccFpWvI/AAAAAAAADtE/l2uUeX0GPUo/Robocop_VS_Terminator_thumb1.jpg?imgmax=800" width="102" border="0"></a> </p> <p>Go <u><a href="http://www.amazon.com/Geekonomics-Real-Cost-Insecure-Software/dp/0321477898">read the darn book!</a></u> And support <u><a href="http://geekonomicsbook.com/">liability for software manufacturers</a></u>. 
Also, in a few days, <u><a href="http://www.killedbysoftware.info/">check this out</a></u> (not yet but hover over the link to get a preview...)</p> <div class="blogger-post-footer">About me: http://www.chuvakin.org</div>]]></content:encoded>
      <pubDate>Thu, 05 Jun 2008 13:53:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/software manufactures">software manufactures</category>
      <category domain="http://securityratty.com/tag/typical software">typical software</category>
      <category domain="http://securityratty.com/tag/software development">software development</category>
      <category domain="http://securityratty.com/tag/insecure">insecure</category>
      <category domain="http://securityratty.com/tag/insecure software">insecure software</category>
      <category domain="http://securityratty.com/tag/bad software">bad software</category>
      <category domain="http://securityratty.com/tag/bad">bad</category>
      <category domain="http://securityratty.com/tag/open-source software">open-source software</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/305699346/it-changed-my-life-my-review-of.html">It Changed My Life: My Review of "Geekonomics"</source>
    </item>
    <item>
      <title><![CDATA[Spam Spikes: A Real Risk to Your Business]]></title>
      <link>http://securityratty.com/article/99483dd702723a6094c556695304786b</link>
      <guid>http://securityratty.com/article/99483dd702723a6094c556695304786b</guid>
      <description><![CDATA[(Source: Messagelabs) A close look at the data provides a clear picture of how spammers vary their tactics to overwhelm traditional corporate email defenses, through changes in duration, frequency and...]]></description>
      <content:encoded><![CDATA[<b>(Source: Messagelabs)</b> A close look at the data provides a clear picture of how spammers vary their tactics to overwhelm traditional corporate email defenses, through changes in duration, frequency and intensity among others. This white paper will help you understand these threats to your business, and how MessageLabs provides a unique solution.]]></content:encoded>
      <pubDate>Thu, 15 May 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/white paper">white paper</category>
      <category domain="http://securityratty.com/tag/messagelabs">messagelabs</category>
      <category domain="http://securityratty.com/tag/business">business</category>
      <category domain="http://securityratty.com/tag/spammers vary">spammers vary</category>
      <category domain="http://securityratty.com/tag/unique solution">unique solution</category>
      <category domain="http://securityratty.com/tag/overwhelm traditional">overwhelm traditional</category>
      <category domain="http://securityratty.com/tag/email defenses">email defenses</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/tactics">tactics</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/290974970/whitepapers.do">Spam Spikes: A Real Risk to Your Business</source>
    </item>
    <item>
      <title><![CDATA[Risk of Knowing Too Much About Risk]]></title>
      <link>http://securityratty.com/article/a9e709ef7a9e4009c206f5962e3219c7</link>
      <guid>http://securityratty.com/article/a9e709ef7a9e4009c206f5962e3219c7</guid>
      <description><![CDATA[Interesting : Dread is a powerful force. The problem with dread is that it leads to terrible decision-making
Slovic says all of this results from how our brains process risk, which is in two ways. The...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www2.csoonline.com/exclusives/column.html?CID=33571">Interesting</a>:</p>

<blockquote>Dread is a powerful force. The problem with dread is that it leads to terrible decision-making.

<p>Slovic says all of this results from how our brains process risk, which is in two ways. The first is intuitive, emotional and experience based. Not only do we fear more what we can't control, but we also fear more what we can imagine or what we experience. This seems to be an evolutionary survival mechanism. In the presence of uncertainty, fear is a valuable defense. Our brains react emotionally, generate anxiety and tell us, "Remember the news report that showed what happened when those other kids took the bus? Don't put your kids on the bus."</p>

<p>The second way we process risk is analytical: we use probability and statistics to override, or at least prioritize, our dread. That is, our brain plays devil's advocate with its initial intuitive reaction, and tries to say, "I know it seems scary, but eight times as many people die in cars as they do on buses. In fact, only one person dies on a bus for every 500 million miles buses travel. Buses are safer than cars."</p>

<p>Unfortunately for us, that's often not the voice that wins. Intuitive risk processors can easily overwhelm analytical ones, especially in the presence of those etched-in images, sounds and experiences. Intuition is so strong, in fact, that if you presented someone who had experienced a bus accident with factual risk analysis about the relative safety of buses over cars, it's highly possible that they'd still choose to drive their kids to school, because their brain washes them in those dreadful images and reminds them that they control a car but don't control a bus. A car just feels safer. "We have to work real hard in the presence of images to get the analytical part of risk response to work in our brains," says Slovic. "It's not easy at all."</p>

<p>And we're making it harder by disclosing more risks than ever to more people than ever. Not only does all of this disclosure make us feel helpless, but it also gives us ever more of those images and experiences that trigger the intuitive response without analytical rigor to override the fear. Slovic points to several recent cases where reason has lost to fear: The sniper who terrorized Washington D.C.; pathogenic threats like MRSA and brain-eating amoeba. Even the widely publicized drunk-driving death of a baseball player this year led to decisions that, from a risk perspective, were irrational.</p></blockquote>]]></content:encoded>
      <pubDate>Thu, 06 Mar 2008 03:24:50 +0000</pubDate>
      <category domain="http://securityratty.com/tag/intuitive">intuitive</category>
      <category domain="http://securityratty.com/tag/intuitive risk processors">intuitive risk processors</category>
      <category domain="http://securityratty.com/tag/analytical">analytical</category>
      <category domain="http://securityratty.com/tag/analytical rigor">analytical rigor</category>
      <category domain="http://securityratty.com/tag/intuitive response">intuitive response</category>
      <category domain="http://securityratty.com/tag/brains process risk">brains process risk</category>
      <category domain="http://securityratty.com/tag/brains react">brains react</category>
      <category domain="http://securityratty.com/tag/images">images</category>
      <category domain="http://securityratty.com/tag/dreadful images">dreadful images</category>
      <source url="http://www.schneier.com/blog/archives/2008/03/risk_of_knowing.html">Risk of Knowing Too Much About Risk</source>
    </item>
    <item>
      <title><![CDATA[Supporting your family, friends, and neighbors]]></title>
      <link>http://securityratty.com/article/07de9d1487a527268d852adbab8c7d91</link>
      <guid>http://securityratty.com/article/07de9d1487a527268d852adbab8c7d91</guid>
      <description><![CDATA[By Steve Riley
Senior Security Strategist
Trustworthy Computing Group, Microsoft Corporation
originally published at http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx
I've met...]]></description>
      <content:encoded><![CDATA[<h6>By Steve Riley<br>Senior Security Strategist<br>Trustworthy Computing Group, Microsoft Corporation<br>(originally published at <a title="http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx" href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx" target="_blank">http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx</a>) </h6> <p>I’ve met thousands of IT pros during my years speaking at conferences around the world. And if there’s one thing that’s true for all of us it’s that all IT pros become support professionals for their family, their friends, and their neighbors—your “FFN” base, as I call it. And, like doctors, we’re expected to provide this kind of support for free!</p> <p>Once upon a less-demanding time, these questions were rare and usually involved things like setting up Windows, configuring printers, snarfing from the free wireless network across the street—the sorts of things that normal people don’t do when going about their daily lives (face it, we IT pros aren’t <em>normal</em>). So the monthly late-evening phone call usually wasn’t a burden. Alas, those days are now nothing more than wistful memories.</p> <p>You see, the bad guys (and, increasingly, girls) who lurk in the Internet’s dark alleys and secret passages have discovered that those who constitute your FFN are prime targets for their reprehensible ways. The millions of home computers squatting on kitchen counters and in bedrooms don’t enjoy the protection that corporate PCs do—no fortified network, no centralized administration and updating, no traffic inspection, no security policies. Rarely do the people in our FFNs possess detailed security knowledge, so home computers are ripe targets for attack. 
The bad guys know this, and they’re rapidly taking over as many machines as they can get their grubby little hands on.</p> <p>For a while now, Microsoft has provided easy-to-follow guidance for home users at our <a href="http://www.microsoft.com/protect" target="_blank">Security at Home site</a>. This is an excellent resource, with information on how to protect your computer, yourself, and your family. However, we can’t do it alone—we need your help! Maybe it’s already happened to many of you; if not, it’ll happen soon: you’ll become a security consultant for your FFN. That’s right, you. Stop glancing around the room, don’t slink down in your chair and hope I won’t see you. Your FFN is having security problems right now, and they need your help.</p> <p>What to say, you ask? Where to go for guidance on how to talk to your FFN? It’s the same place: <a href="http://www.microsoft.com/protect" target="_blank">Security at Home</a>. I’ll review some of the most important steps you can take.</p> <h3>Four steps to protect your computer</h3> <p>These aren’t optional; they aren’t open for debate. At the very minimum, all computers connected to the Internet should follow these steps.</p> <ol> <li>Keep your firewall switched on.  <li>Keep Windows up to date.  <li>Use updated antivirus software.  <li>Use updated antispyware software.</li></ol> <p>Computers running Windows Vista or Windows XP Service Pack 2 (SP2) already have firewalls that are enabled by default. <em>Leave them running.</em> I've yet to see any example of applications typically run on home computers that would break because the firewall is running. There’s simply no excuse for running a PC connected to the Internet without a firewall. Computers running anything older than Windows XP SP2 should be upgraded immediately—and this is again where you can help. 
Visit your FFN and ensure that everyone has installed the service pack.</p> <p>Make a habit of ensuring that the automatic update client is running whenever you visit your FFN. This feature exists for them and minimizes the amount of work you need to do. Let Microsoft take care of patch management for your FFN—outsource it to us by making sure that all computers are downloading and installing updates automatically.</p> <p>Simply using a firewall and installing updates can be enough to protect a computer from most attacks. But as we security consultants (stop looking around the room again!) know, attackers don’t target only computers. They target people, often by concealing malicious software inside tempting packages delivered by e-mail or Web sites. We call this the “dancing pig” phenomenon—no amount of self-control can stop someone from clicking on links or running attachments when the payoff is the promise of tutu-clad swine parading across the screen! So to add to a home computer’s defense, we need utilities that detect and remove malicious software. Antivirus and antispyware tools can take care of this for you. (Yes, you need both; they detect different kinds of attacks.)</p> <p>The case could be made that antivirus and antispyware tools aren’t necessary for computers whose users are highly skilled, security savvy, and have an experienced feel for recognizing malware before it strikes. Indeed, I’ve written about this before (<a href="http://blogs.technet.com/steriley/archive/2007/09/22/antivirus-software-who-needs-it.aspx" target="_blank">"Antivirus software—who needs it?"</a> and <a href="http://blogs.technet.com/steriley/archive/2007/09/25/more-on-the-necessity-of-antivirus-software.aspx" target="_blank">"More on the necessity of antivirus software"</a>). However, for my FFN, antivirus and antispyware are requirements. They should be for your FFN, too.</p> <p>The Malicious Software Removal Tool also helps to eliminate malware. 
It’s updated each month through the automatic update client and runs the next time a computer boots. It scans for and removes common malware like certain prevalent worms and rootkits. Since the tool’s introduction, millions of computers have been cleaned of billions of pieces of malware.</p> <p>If you need to quickly scan a computer for malware, try the Windows Live OneCare safety scanner. It’s free, and it might be a useful habit for you to develop every so often when you get a call from an FFN. There are two versions of the scanner. One is for <a href="http://onecare.live.com/site/en-us/default.htm" target="_blank">Windows XP</a>, the other is a <a href="Safety scan for Windows Vista" target="_blank">beta for Windows Vista</a>.</p> <p>What about ensuring that your FFN runs as non-admin? That would be an excellent step, but a lot of software written for the home market still requires being an admin to install and run (yeah, not everyone realizes the Earth is round). Such software should be tossed in the junk bin—yet if you need to manage some knitting projects, and there’s only one program you can find that works for you, sigh… Non-admin is a tough call. Perhaps you can enforce it on the home network in your own house, since you’re right there. Enforcing it on the computers in your FFN, though, might end up creating more work for you.</p> <h3>Keep your information more secure</h3> <p>Spam and scams are the techniques most bad guys use to steal your information to try to assume your identity. I don’t like the common term “identity theft”—how can you really steal someone’s identity? You can steal a purse, thus denying the purse’s benefit to its original owner. But you simply can’t take away someone’s identity. Think of identity theft as a form of <em>impersonation attack</em> (it’s like spoofing a human, I suppose). To impersonate you, the bad guy needs to obtain information about you. 
Phishing scams and spam lure millions of unsuspecting folk (these would be your FFN) into divulging secret details they’d never tell their pastors or principals or parents.</p> <p>To reduce the likelihood of having your identity impersonated, teach your FFN to follow a few simple steps.</p> <ol> <li>Use the phishing filter that’s built into Internet Explorer 7.  <li>Reduce the amount of spam in your e-mail.  <li>Use good passwords online.</li></ol> <p>The phishing filter in Internet Explorer 7 includes a long list of known phishing sites, and it warns users if a site they’re visiting is on the list or exhibits characteristics typical of phishing sites. The filter can communicate with an online service to keep itself updated—and this is important, since phishing sites often disappear after just a couple days.</p> <p>Windows Live Hotmail, Windows Live Mail, and Windows Mail—probably the most common mail programs in your FFN—include technology to reduce spam. Their spam filters are updated regularly through Microsoft Update, which is yet another excellent reason for keeping the automatic update client enabled. Also be sure that you configure them to block images in HTML mail, which are often used for secretly tracking whether someone’s read a message.</p> <p>Don’t forget to teach your FFN about basic techniques they can learn to become more security savvy. Common practices include disguising your e-mail address on discussion boards (me AT example DOT com), using a separate e-mail address for newsletters and online transactions (yes, you can have more than one Hotmail account), and being aware of prechecked boxes on Web forms that will result in things you didn’t want—for example, various toolbars, sharing your e-mail address with “partners,” or signing you up for newsletters that you can’t unsubscribe from.</p> <p>Similarly, spam becomes easy to spot once you get in tune with its characteristics. Don’t reply to any message that wants personal details. 
It’s highly unusual; legitimate sites will use Web pages to sign up for services or maintain accounts. If you get an e-mail message that appears to come from your bank, don’t read it—delete it. Then call your bank; if they need something from you, their customer service department can handle it. Legitimate businesses simply don’t use e-mail to conduct account maintenance transactions, <em>because e-mail itself is insecure.</em> Never click on links to any kind of online payment service you use; instead, type the address directly into the browser’s address bar. If you hover your mouse over a link, the real URL appears in a small box—and if they don’t match, then yep, the e-mail message is definitely fraudulent.</p> <p>While working with your FFN, make the link between online safety and personal safety. Most of us wouldn’t wander down random smelly alleys in isolated parts of the city during the middle of the night. It’s the same with your e-mail. Ignore attachments you don’t expect, avoid pleas for giving to “charities,” dismiss any messages that promise easy money, and don’t reply to any spam—all this does is confirm that your e-mail address is legitimate, guaranteeing that you’ll get more. Teach your FFN to make regular use of <a href="http://www.snopes.com" target="_blank">Snopes.com</a>, one of the best sites on the Internet for learning whether something is legitimate or a scam. Type a few words from the suspicious e-mail message into the site’s search box and see what the results are.</p> <p>Web sites often require you to log on. This means you need to create a user ID and password for every site you might visit. There’s a lot of discussion about what constitutes a “good” password; personally, I’m a fan of length rather than complexity. A simple 15-character passphrase (think short sentence) is easy to remember, quick to type, and far stronger than any short complex password. 
A passphrase like this will withstand any kind of automated password attack, including those based on rainbow tables. And you can even use a method that helps you remember unique phrases for each site, if you wish:</p> <ul> <li>Web mail: "my dog and i got the mail"  <li>Shopping: "my dog and i bought some stuff"  <li>Office: "my dog and i went to work"</li></ul> <p>If you don’t follow this kind of system, eventually you’ll start to forget which password you used on which Web site. Ugh, how can you manage it all? How can you have strong and unique passwords on the 60 different sites you visit every day? If the site uses basic authentication, you can instruct Internet Explorer to remember its password—however, few sites use this method. Instead, forms-based authentication is far more common, and Internet Explorer can’t remember these. Some sites have “Remember my password” checkboxes on the logon forms, which causes the site to store your password in an encrypted cookie (this is fine). There are many third-party programs you can use to manage passwords; one popular and well-regarded one is the free <a href="http://passwordsafe.sourceforge.net/index.shtml" target="_blank">Password Safe</a>.</p> <h3>Won’t all this just overwhelm my FFN?</h3> <p>Not really. Ordinary people subconsciously make security and safety decisions every day—going to the same hot dog vendor you’ve always trusted, changing lanes after verifying the target lane is unoccupied, walking along known streets with good lighting. Being safe online is really no different than being safe in the real world. Yet, online, people have a tendency to move toward one of two extremes—trusting everything they read and receive or becoming suspicious and essentially refusing to engage in anything online. 
Maybe it’s because online threats use scary language (like “identity theft”) and receive attention that far outweighs the risks (like child predators).</p> <p>The threats we all face daily online are really no different than the threats we’ve all faced ever since we came down from the trees. This doesn’t mean we should ignore them or become too agitated. It means that we can apply the common sense most of us already have, aided with numerous tools and bits of good advice from software vendors, and—most importantly—a cadre of IT pros who can help their FFNs become savvy enough to protect their computers, themselves, and their families so that they can integrate the vast power of the Internet into their normal routines and enjoy everything it has to offer.</p> <p>This article gave you some starting points for conversations with your FFN. There’s far more to explore. Spend an evening perusing the resources we’ve provided for you at <a href="http://www.microsoft.com/protect" target="_blank">Security at Home</a>. We’re regularly updating the pages here to ensure that the information is current and relevant for home users. We’ve also created a newsletter specifically for home computer security, an online safety and security magazine, and several videos that cover a variety of security topics.</p> <p>One more thing: accept our humble thanks for your help. We believe that you, our IT pros, can become the most valuable element in spreading the message of how to be safe and secure online. Thank you!</p>]]></content:encoded>
      <pubDate>Wed, 13 Feb 2008 14:45:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/suspicious e-mail message">suspicious e-mail message</category>
      <category domain="http://securityratty.com/tag/mail">mail</category>
      <category domain="http://securityratty.com/tag/home computers defense">home computers defense</category>
      <category domain="http://securityratty.com/tag/home computers">home computers</category>
      <category domain="http://securityratty.com/tag/e-mail">e-mail</category>
      <category domain="http://securityratty.com/tag/home">home</category>
      <category domain="http://securityratty.com/tag/web mail">web mail</category>
      <category domain="http://securityratty.com/tag/windows live mail">windows live mail</category>
      <category domain="http://securityratty.com/tag/site">site</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/02/13/supporting-your-family-friends-and-neighbors.aspx">Supporting your family, friends, and neighbors</source>
    </item>
  </channel>
</rss>
