Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:
Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."
Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?
Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.
[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."
[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."
(Score: 2, Disagree) by Runaway1956 on Monday October 03 2016, @07:50PM
I've got a bunch of computers, which I expect my employees to use in certain ways, to do certain things. WTF do I even have USB ports enabled? Even if a person has non-malicious intentions, he just wants to listen to some music on his USB stick, WTF am I paying him to do so? OK - so maybe I gave in to a bunch of whiners who want to listen to music on my time. Eventually, one of them brings in an infected stick, and the Chinese are in my network, stealing all of my proprietary secrets.
If the IT department is security conscious, they've unplugged all those USB ports inside the computer. Best if they remove the plugs, and put a dummy plug in its place. If, somewhere in the organization, some of the computers actually NEED a USB plug, then we can arrange to have that plug hooked up and working.
Yeah, the author is at least partly correct. Stop trying to educate the user, and fix the machine so that the user can't screw it up. Our computers don't have floppy or CD/DVD drives. They DO HAVE USB ports, which I can use to boot into Linux. Once booted into Linux, I can steal ALL THE SECRETS on that machine.
Idiots. They walk among us, and they look just like real people.
(Score: 3, Insightful) by kazzie on Monday October 03 2016, @08:00PM
When you disconnect the front-panel USB ports, people will look round the back for a USB port to use. (You know, the ones directly soldered to the motherboard.)
If you get a system with no spare USB ports, then some smart person will start unplugging keyboards etc to plug their peripheral in.
It's probably better to deal with the issue within the OS in the end.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @07:59AM
Until everything is optical, the OS will not be able to protect the computer against a little 10cent device called a voltage doubler.
(Score: 3, Interesting) by TheRaven on Tuesday October 04 2016, @08:44AM
It's probably better to deal with the issue within the OS in the end.
Some of the recent USB malware attacks the USB controller's firmware directly. It will work even when there's no OS running. There are only a handful of USB controllers on the market and most instances of them are running old and unpatched firmware. Why attack an OS that's receiving regular security updates when you can attack some poorly written code that runs with higher privilege than the OS and is never patched?
sudo mod me up
(Score: 2) by Scruffy Beard 2 on Monday October 03 2016, @08:07PM
kazzie hinted at the answer: You use USB for the keyboard and mouse. Apparently the old PS/2 ports were too complicated (separate incompatible ports for the keyboard and mouse: using the same connector *was* a little weird/awkward).
What is worse, is that you do not even need to unplug the keyboard. It may act as a USB hub, depending on the model.
(Score: 1) by toddestan on Thursday October 06 2016, @01:34AM
Actually, I know at least with Lenovo you can still order many of their desktops with PS/2 ports, for the sole reason that once you get the mouse/keyboard off of USB you can now disable the USB ports to keep people from plugging things into them. They are also smart enough to detect whether it's a mouse or keyboard plugged in and adjust accordingly so it doesn't matter how you hook them up. Unless something has changed recently, they aren't hotpluggable though.
(Score: 5, Insightful) by Francis on Monday October 03 2016, @08:14PM
This attitude is why working sucks. Unless you're doing something that requires listening, why should the boss even care if the employees listen to music? This sort of psychopathic viewpoint accomplishes nothing of value.
(Score: 1, Insightful) by Anonymous Coward on Monday October 03 2016, @08:20PM
That attitude is how you get your end users actively working against your security. I have seen it many times. I will probably see it again in the future.
(Score: 2) by The Mighty Buzzard on Monday October 03 2016, @09:24PM
It keeps your shitstain employees from spending an hour creating a playlist on company time. Also, music is a distraction. Yes, even to you. When you can end up lost and not turn the car radio down, I might buy that line of bullshit; not until.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @09:31PM
If your employees are really that unproductive then fire them. If this is a recurring problem then perhaps look in a different direction for the cause....
If we ever make it to the post scarcity economy I think people like you will be the first to achieve so-called enlightenment. Once your brain gets to drop all the cruft that goes along with work/bootstraps/anxiety/fear/anger it will have the perfect example of the insanity of reality. Poof, you'll be lighter than air and happier than ever.
Either that or your brain won't let go and you'll be one of the most miserable people mad at everyone for becoming happier overall.
(Score: 1, Funny) by Anonymous Coward on Monday October 03 2016, @09:45PM
You're one of the shitstain employees. Do yourself a favor and just resign now. If you insist on staying, know that if the building ever catches fire, you will be held personally responsible. Why do you want to work here anyway.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @10:12PM
Awww, po' baby got twiggard!
(Score: 2) by The Mighty Buzzard on Tuesday October 04 2016, @12:02AM
Good luck with that post-scarcity thing. I keep hearing it but I highly doubt it will ever materialize. Human ingenuity will always be a scarce commodity.
My rights don't end where your fear begins.
(Score: 2) by Zz9zZ on Tuesday October 04 2016, @12:21AM
We are already in a post scarcity world for most countries, or could be if we made decisions along that vein. However, greed has kept us locked into a class system. The people at the top don't want anything to change, and the people that want to BE at the top don't want it to change either. They dream of being the king.
Energy is the last big hurdle, and if we had actually invested in solar and other renewables a long time ago we would be done with that problem too. But again, the oil barons wanted to keep their empire rolling... Your last sentence is actually quite the kicker, in the post scarcity world human ingenuity will be much more available (fewer people ticking boxes and sleeping through meetings) and also more valuable.
It's not a simple change, but I think it's one worth striving for instead of going round and round the already sold out Monopoly board.
~Tilting at windmills~
(Score: 2) by The Mighty Buzzard on Tuesday October 04 2016, @12:41AM
Nah, as long as human ingenuity is valuable there will be no post-scarcity world. Nothing will change. Since the first currency was invented, it was never about the resources and always about human ingenuity.
My rights don't end where your fear begins.
(Score: 2) by Scruffy Beard 2 on Tuesday October 04 2016, @01:22AM
Solar and renewables are chump change compared to nuclear power.
It just sucks that our current nuke plants use so little of their fuel. (If 95% of the fuel was used up, there would be no waste problem).
(Score: 4, Insightful) by Anonymous Coward on Tuesday October 04 2016, @12:13AM
(Score: 3, Interesting) by The Mighty Buzzard on Tuesday October 04 2016, @12:31AM
That's some of the funniest shit I've heard all day. It's first, last, and all points in between about the money for them. Don't believe it? See if they'll accept trust and respect in lieu of wages.
Now if you want to pay a motherfucker to dick around, be my guest. This is America and your business is by definition your business. Me, I want every dime I pay someone to be earned and if extra work at crunch time is necessary, I'll pay them the extra with a smile because they've earned it.
My rights don't end where your fear begins.
(Score: 5, Insightful) by Anonymous Coward on Tuesday October 04 2016, @02:15AM
Like most selfish dipshits, you've never learned just how powerful and important morale is. With high morale, they will, in fact, accept trust and respect in lieu of wages. Not for their entire salary, of course, but you can "purchase" many extra manhours of work per week per person that way.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @03:31AM
Yup! When work is slow people dick around and take it easy. If you're a good boss/client those workers will bust their asses to make sure things work out.
If you're too narrow minded and demand that every minute is accounted for, well you create stress where it is unneeded and thus your workers are unfairly taxed with "urgency". It is a real thing, and trying to pull spreadsheets out to argue the point will only lose you credibility.
(Score: 2) by SecurityGuy on Tuesday October 04 2016, @01:32AM
If you have shitstain employees who spend an hour creating a playlist on company time, then their listening to music isn't the problem. Goofing off on company time is the problem.
Personally, I listen to music at work when I need more focus than I can get without. Sure, I could focus even better in perfect silence, but cube farms aren't conducive to perfect silence. In point of fact, my company bought us all noise cancelling headphones in recognition of the fact that when you're trying to focus, having to listen to the guy over the cube wall can be a hell of a lot more distracting than music.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @08:39AM
Talk about useless optimizations. People might have wasted some time on the company's dime; how terrible! Unless it becomes a serious issue, I don't see the problem. Sometimes, doing 'useless' things can improve efficiency by giving the employees enough time off to prevent brain overload. There's also a concept known as diminishing returns; expecting people to work at 100% efficiency for hours and hours is unrealistic.
It's pretty much never good to micromanage employees, and if some of your employees are so bad that you feel they need to be micromanaged, then they need to be fired.
(Score: 1) by Francis on Tuesday October 04 2016, @01:57PM
There's no clinical evidence to support such a strong assertion. There's a huge variety of music and of individuals. I personally get a whole lot more done of certain types of tasks when I'm listening to music. There are combinations to avoid like any type of music with words when you're working with words as the two interfere with each other. But, in most jobs there's a ton of time where you're not needing to do much thinking because you've done the task dozens of times and having music makes that go a lot more smoothly.
As for the car, again, it depends a great deal on what kind of music you're listening to. On the rare occasion where I'm driving, I'll throw on some baroque music and it makes the process a lot calmer and a lot safer. Unfortunately, you can't legally do that on a motorcycle around here, so I'm stuck without the music.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:15PM
Then you get, "We just lost a $20k contract with Foo Inc. because we couldn't send a PDF application they gave us via USB stick fast enough. You're fired!"
Blunt policies can't make judgements about legitimate uses versus cruft.
(Score: 2) by EvilSS on Monday October 03 2016, @09:09PM
It's easier to just restrict them with software. That way you can allow specific devices and you don't fuck your leases gluing plugs into the USB ports of thousands of PCs. I have several clients that do this. Mice, keyboard, specific equipment, and company owned encrypted thumb drives are all that's allowed.
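The software-side allowlisting EvilSS describes (mice, keyboards, specific equipment, and company-owned encrypted drives allowed; everything else blocked) is the kind of rule set tools such as USBGuard on Linux or Windows device-installation restrictions enforce. The following is an added example, not code from EvilSS or from any of those tools: a small policy evaluator that judges each enumerated USB device by its interface classes and, for storage, by a registered vendor:product and serial. Every vendor id, product id and serial below is a constructed placeholder. It also covers the keyboard-with-a-built-in-hub case raised earlier in the thread: hubs are permitted, but each device behind the hub is evaluated on its own, so a storage device plugged into the keyboard's hub still has to pass, and a single device that presents itself as both keyboard and storage is rejected.

```python
"""USB device allowlist policy evaluator (added example, not a tool's real API)."""
from dataclasses import dataclass

# USB-IF base class codes (these three are the real standard values)
CLASS_HID = 0x03           # keyboards, mice
CLASS_MASS_STORAGE = 0x08  # thumb drives, card readers
CLASS_HUB = 0x09           # hubs, including the one built into some keyboards


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: tuple  # class code of every interface the device enumerates with


@dataclass(frozen=True)
class Policy:
    # interface classes any device may present without being listed individually
    allowed_classes: frozenset
    # (vendor_id, product_id) -> frozenset of permitted serials, or None for any serial
    allowed_devices: dict


def evaluate(policy: Policy, dev: UsbDevice) -> tuple:
    """Return (verdict, reason) for one enumerated device.

    Each device is judged on its own, so a device sitting behind a hub (even a hub
    inside an allowed keyboard) still has to pass on its own merits.
    """
    key = (dev.vendor_id, dev.product_id)
    if key in policy.allowed_devices:
        serials = policy.allowed_devices[key]
        if serials is None or dev.serial in serials:
            return ("allow", "explicitly allowlisted device")
        return ("block", "allowlisted model but serial %s is not registered" % dev.serial)

    classes = set(dev.interface_classes)
    if not classes:
        return ("block", "device enumerates no interfaces")
    disallowed = classes - policy.allowed_classes
    if not disallowed:
        return ("allow", "every interface is in an allowed class")
    if CLASS_HID in classes:
        # A composite device: the keyboard/mouse part alone would be fine, but it
        # also offers storage, networking or similar, which the policy never allowed.
        return ("block", "input device also exposes non-allowed classes %s" % sorted(disallowed))
    return ("block", "interface classes %s are not allowed" % sorted(disallowed))


def audit_line(dev: UsbDevice, verdict: str, reason: str) -> str:
    """One log line per decision, so blocked devices show up in monitoring."""
    return "usb-policy %s %04x:%04x serial=%s classes=%s reason=%s" % (
        verdict, dev.vendor_id, dev.product_id, dev.serial,
        ",".join("%02x" % c for c in dev.interface_classes), reason)


def apply_policy(policy: Policy, devices) -> list:
    """Evaluate a batch of devices; returns [(serial, verdict), ...]."""
    return [(dev.serial, evaluate(policy, dev)[0]) for dev in devices]


# Constructed policy: HID and hubs for anyone; two registered company encrypted
# drives by serial; one lab instrument model allowed regardless of serial.
POLICY = Policy(
    allowed_classes=frozenset({CLASS_HID, CLASS_HUB}),
    allowed_devices={
        (0x1234, 0x5678): frozenset({"CORP-0001", "CORP-0002"}),  # encrypted drives
        (0x1234, 0x9ABC): None,                                   # lab instrument
    },
)

# Constructed sample devices as they might enumerate on a workstation.
SAMPLE_DEVICES = [
    UsbDevice(0x1111, 0x0001, "KB-1", (CLASS_HID,)),                          # plain keyboard
    UsbDevice(0x1111, 0x0002, "KBHUB-1", (CLASS_HID, CLASS_HUB)),             # keyboard with hub
    UsbDevice(0x2222, 0x0001, "STICK-1", (CLASS_MASS_STORAGE,)),              # personal thumb drive
    UsbDevice(0x1234, 0x5678, "CORP-0001", (CLASS_MASS_STORAGE,)),            # registered drive
    UsbDevice(0x1234, 0x5678, "CORP-9999", (CLASS_MASS_STORAGE,)),            # same model, unknown serial
    UsbDevice(0x3333, 0x0001, "COMP-1", (CLASS_HID, CLASS_MASS_STORAGE)),     # keyboard + storage combo
    UsbDevice(0x1234, 0x9ABC, "INSTR-7", (0xFF,)),                            # vendor-specific instrument
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        verdict, reason = evaluate(POLICY, d)
        print(audit_line(d, verdict, reason))
```

The design point worth taking from it is that the decision is per device and per interface, not per port: gluing ports shut blocks the registered encrypted drive along with everything else, whereas this kind of rule admits the keyboard, the keyboard's hub, and the two registered drives, and logs every refusal so the help desk sees the "$20k contract" case before it becomes a firing.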
(Score: 3, Insightful) by MostCynical on Monday October 03 2016, @10:15PM
when "users" (aka "employees") are forced to work in 'open plan' torture centres, with no privacy, lots of noise and movement (just from people going to the loo - how dare they!), headphones can be a god-send. Little bit of music while you get the seventh revision done and checked (while not disturbing others) makes concentrating far easier.
if the internet is disabled, using the USB is verboten (you signed the policy), then I just use a radio (shock, horror, FM *and* AM, and, even, now DAB+). For those whose musical taste precludes listening to broadcast radio, MP3 players are not expensive.
For employers who expect employees to suffer ("Stop being happy! I'm not paying you to smile!"), well, you'll likely never learn, and always be surprised with your employee churn.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 1) by Francis on Tuesday October 04 2016, @01:59PM
Usually, you can also use a cellphone. An unlimited data plan isn't that expensive any more and if they're being bitches at work, it's the step before going to work for somebody that knows what they're doing.