I have to grudgingly agree with Dr Spafford on this. On our public ssh servers our main problem used to be users who set passwords to guessable words. However, while we have this occur everynow and then, the bigger problem is where users use the same password everywhere. While we limit the number of ssh attempts, make the users pick stronger passwords.. we can't stop them from using it at AOL etc. And even SSH blocking is limited as the crackers have parallelized their tools enough that as we block one host another picks up right where we blocked the last and they come from all over the internet that we can't really shut everything down.
And even if we were able to block all that.. we would just be the mythical bosun on the Titanic that Dr Spafford mentions.. making our selves useful as the ship sinks.
- We can't make the users patch their systems since the majority of them are privately owned. [State laws or some such.]
- It seems impossible to train common sense. You can tell people "Don't give your password to someone.", "Don't use the same password in multiple locations.", "Be careful of attachments.", etc and they will still do stupid things. Maybe because there is no evolutionary consequences.. "So you opened that attachment. Well its time to install Eunuchs on you."
- Even if we were able to patch the systems AND train the users.. there are too many tools that are too expensive to replace that have to run un-encrypted etc to make much of a difference.