SoylentNews is people
SoylentNews
Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:
Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."
Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?
Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.
[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."
[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."
(Score: 2) by DannyB on Monday October 03 2016, @08:49PM
I agree with that.
But I disagree with the article's point about not changing the user.
The world is not a safe place. And nothing will magically make it so.
A good lock on your home's front door is better than a poor lock. Just as an OS that doesn't autoexec executables, is better than an OS that does. And better yet, the OS that doesn't autoexec executables should not even recognize it as an executable unless it has the right file permission, and USB media should be set up in your /etc/fstab so that execution cannot happen from that media. But you don't find an /etc/fstab in the OS that traces its history back to a copy of CP/M.
The lower I set my standards the more accomplishments I have.
(Score: 3, Interesting) by VLM on Monday October 03 2016, @09:46PM
The world is not a safe place.
True but my point in the grandparent post is some end user behavior should as a cultural thing be seen as icky. Like eating food out of a dumpster or sharing underwear with random strangers. Or IV needles for that matter. Note thats all actually pretty safe statistically speaking, but still seen as super gross. As it should be.
It appears not to be possible to discuss the cultural aspect of it. We're only allowed to agree that our immune systems should be strong enough to tolerate it, the original author thinks filthy users should not have to behave in a civilized manner and I'm asking them to keep it classy, or at least try.
I think we would all be happy in a world where computer security doesn't suck.
The original article author wants users to continue to behave like dirt bags. Personally I would prefer something a little more civilized and don't mind calling the users on their gross behavior.
(Score: 1) by Francis on Tuesday October 04 2016, @12:53AM
Right. Certain practices are too dangerous to enable, but you can never completely secure against the end user. And if you lock things down too much people hack around it.
(Score: 2) by mcgrew on Tuesday October 04 2016, @12:01AM
A good lock on your home's front door is better than a poor lock.
It doesn't matter, they have crowbars. Your locks will be safe, but not your door or belongings; that's how burglars broke into my house. Besides, what house has no windows?
mcgrewbooks.com mcgrew.info nooze.org
(Score: 1) by Francis on Tuesday October 04 2016, @01:49PM
The point of locks and sturdy doors isn't to prevent people from the possibility of breaking in. The point of it is to raise the signature of people trying to break in. If they're having to mess around with the lock for a few minutes, that's going to deter a lot of burglars that would like to be in and out in a matter of a couple minutes. Especially if you're in an area that people frequent unpredictably.
If you can make your stuff slightly harder to break into than the other people's stuff, then you'll find a lot of criminals just skip it for the next house.