
posted by cmn32480 on Monday October 03 2016, @07:29PM
from the inherently-broken dept.

Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."

  • (Score: 3, Insightful) by MrGuy (1007) on Monday October 03 2016, @09:36PM (#409674)

    I'll let novices use hand woodworking tools without much supervision. The worst that's going to happen is someone bashes their thumb with a hammer. They can build basic things just fine. If they want to leap up to using the pneumatic stapler, I'm going to want to make sure they understand how it works, and know they're not going to shoot at each other with it when my back is turned. If they want to use the table saw, I'm going to want to be damn sure they know how it works, understand appropriate safety rules, and never, ever put their fingers where they shouldn't go, or I'm damn sure going to take away their privileges to use it.

    The power user with access to all the tools can do a lot more, a lot faster, but with a lot more risk of doing harm if they're not careful. The fact that some tools can do damage if the operator doesn't know how to use them safely isn't a good argument for taking away all the power tools. Nor does it (to me) make a compelling case that we need to invest a huge amount of resources in developing power tools that are so safe that no one can ever hurt themselves with them. It won't really help the people who should have access to power tools, and won't really teach the people who shouldn't how to behave safely.

    The hard part, of course, is figuring out what the level of capability someone has, and giving them appropriate access to functionality based on that. This doesn't have a straightforward answer. But I'm sure the answer isn't either extreme of "just trust them!" or "lock everything down always."

    There's a lot of room here for training and assessment. Oh, you want local admin on your machine? OK, please take the online test - if you pass it, we'll allow it.

  • (Score: 0) by Anonymous Coward on Monday October 03 2016, @09:47PM (#409683)

    We don't have time for training! Hire the H1Bs and give them access! Now!