
posted by cmn32480 on Monday October 03 2016, @07:29PM
from the inherently-broken dept.

Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."


  • (Score: 3, Informative) by Arik on Monday October 03 2016, @08:50PM

    by Arik (4543) on Monday October 03 2016, @08:50PM (#409647)
    Getting a virus simply by opening an email was an urban legend, a technically impossible but scary sounding thing to frighten normies with, as late as the 90s.

    As best I can remember Microsoft made that myth real with the first release of Outlook, but I could be forgetting something that was less widespread perhaps. Certainly there's no way you can get a virus using a sane email client like, oh, pine. Nope, not without being aware of the attachment, deliberately downloading it, deliberately executing it.

    Similarly, simply opening a website should NEVER, EVER be a security risk in a sane browser. Yet look at what they try to call webpages today. If you don't have a dozen critical security problems (or at least emulate them in a VM) you can't even get most of these things to display.

    --
    If laughter is the best medicine, who are the best doctors?

  • (Score: 2) by MrGuy on Monday October 03 2016, @09:09PM

    by MrGuy (1007) on Monday October 03 2016, @09:09PM (#409657)

    Certainly there's no way you can get a virus using a sane email client like, oh, pine. Nope, not without being aware of the attachment, deliberately downloading it, deliberately executing it.

    Yep. The internet sure was better when everything was plain text, and lynx was the state of the art as a browser. That's the only sane way to use the internet, and all these new fangled people with their formatting and their images and videos are just completely unreasonable in thinking that's something we should support.

    • (Score: 2) by Arik on Monday October 03 2016, @09:45PM

      by Arik (4543) on Monday October 03 2016, @09:45PM (#409678)
      "Yep. The internet sure was better when everything was plain text, and lynx was the state of the art as a browser. That's the only sane way to use the internet, and all these new fangled people with their formatting and their images and videos are just completely unreasonable in thinking that's something we should support. "

      You speak as if you don't think it's possible to have formatting and images and videos without also having insecurity. Can you really believe that?

      --
      If laughter is the best medicine, who are the best doctors?
      • (Score: 2) by MrGuy on Monday October 03 2016, @10:35PM

        by MrGuy (1007) on Monday October 03 2016, @10:35PM (#409711)

        You speak as if you think formatting and images and videos are a problem that's holding back the internet from reaching its full potential, and we should really go back to the "good old days" when the internet was all text.

        Can YOU really believe that?

        • (Score: 1, Informative) by Anonymous Coward on Monday October 03 2016, @11:12PM

          by Anonymous Coward on Monday October 03 2016, @11:12PM (#409724)

          Arik never said anything about formatting/images/videos, just that most browsers and websites have huge vulnerabilities because very little attention was paid to security. It isn't about the good old days, it's about security.

        • (Score: 3, Informative) by termigator on Tuesday October 04 2016, @04:07AM

          by termigator (4271) on Tuesday October 04 2016, @04:07AM (#409803)

          People forget that there were attempts a long time ago to provide formatting in email (e.g. text/richtext, text/enriched, text/setext, etc). Did not get much traction, likely due to graphical environments still being more of a luxury. Then the web with HTML came along. Instead of asking, "Should we?" asshats decided that HTML (which brings in scripting support) should be used: "Hey we got this web browsing thingamajig, so let's slap it into our email client... look I can use colors and make my text real big, whipee!". HTML in email was chosen by developers out of pure laziness and cluelessness.

          Images and video attachment capabilities in email pre-date the web. I think what some of us object to is the gross ignorance that has been pushing the evolution of MUAs. Microsoft has been the worst in screwing up the progress and usage of email-based technologies. I hope there is a special place in hell for them.

  • (Score: 1) by andersjm on Monday October 03 2016, @09:23PM

    by andersjm (3931) on Monday October 03 2016, @09:23PM (#409665)

    Certainly there's no way you can get a virus using a sane email client like, oh, pine.

    pine is written in C. Don't count your chickens.

    • (Score: 0) by Anonymous Coward on Monday October 03 2016, @09:33PM

      by Anonymous Coward on Monday October 03 2016, @09:33PM (#409673)

      Somebody should rewrite pine in Ada. Adapine will be perfectly secure because nobody will ever use it.

    • (Score: 0) by Anonymous Coward on Monday October 03 2016, @11:31PM

      by Anonymous Coward on Monday October 03 2016, @11:31PM (#409730)

      pine, mutt, outlook, and every other major email client have each had open-email-and-get-pwned bugs. More in outlook (see: hooking system explorer renderer in old versions?!) but not zero in any.

      • (Score: 5, Insightful) by maxwell demon on Tuesday October 04 2016, @09:03AM

        by maxwell demon (1608) on Tuesday October 04 2016, @09:03AM (#409887)

        pine, mutt, outlook, and every other major email client have each had open-email-and-get-pwned bugs.

        I don't know about pine and mutt, but the problem with outlook was that it was not a bug. It was a misdesigned feature.

        Yes, bugs creep in, and some bugs may be so bad that they may be used to pwn your computer. But they are not there on purpose. A misfeature is there on purpose, and a misfeature that is designed in a way that you have to think less than a minute about to see how it could be used for malicious purposes absolutely should not get into a product. Ever.

        Bugs cannot be completely avoided. Blatant misfeatures can.

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Monday October 03 2016, @09:59PM

    by Anonymous Coward on Monday October 03 2016, @09:59PM (#409694)

    Certainly there's no way you can get a virus using a sane email client like, oh, pine. Nope, not without being aware of the attachment, deliberately downloading it, deliberately executing it.

    And, yet, I *still* get the occasional e-mail to which a Word document has been attached and the text of the message is "read this".

    Biggest offender: the monthly security newsletter from corporate HQ. Yes, I've complained.

  • (Score: 1, Informative) by Anonymous Coward on Monday October 03 2016, @10:16PM

    by Anonymous Coward on Monday October 03 2016, @10:16PM (#409704)

    Getting a virus simply by opening an email was an urban legend

    You have not been doing this very long have you?

    "I LOVE YOU" https://en.wikipedia.org/wiki/ILOVEYOU

    deliberately executing it.

    That bad boy took out the whole company I worked at when it came out. 20k in employees. Not an outlook server or client in sight. That email prog was fun *@*@* and you could spam the whole company. They ended up taking it out at the server level and just stripping the payload. Deliberate execution is exactly how it spread. Most people trust their coworkers and friends. I 100% guarantee you could email a docx to your whole list of people you know and at least one person would open the file. Even people who are 'smart' about it can have a brain fart and mess up.

    It is also why JS and COM execution was disabled around 1999 in most email clients.

    • (Score: 3, Informative) by maxwell demon on Tuesday October 04 2016, @09:07AM

      by maxwell demon (1608) on Tuesday October 04 2016, @09:07AM (#409890)

      From the post you replied to, emphasis by me:

      Getting a virus simply by opening an email was an urban legend, a technically impossible but scary sounding thing to frighten normies with, as late as the 90s.

      From the linked Wikipedia page, right in the first sentence, again emphasis by me:

      ILOVEYOU, sometimes referred to as Love Letter, was a computer worm that attacked tens of millions of Windows personal computers on and after 5 May 2000

      I'd say the link confirms that post, rather than refuting it.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 1, Informative) by Anonymous Coward on Tuesday October 04 2016, @08:49PM

      by Anonymous Coward on Tuesday October 04 2016, @08:49PM (#410308)

      You have not been doing this very long have you?

      "GOOD TIMES" https://en.wikipedia.org/wiki/Goodtimes_virus

  • (Score: 3, Informative) by FatPhil on Tuesday October 04 2016, @11:42AM

    by FatPhil (863) on Tuesday October 04 2016, @11:42AM (#409938)
    It's a close one when it comes to who fucked up first, but my guess for first vulnerable mail platform would be the web-based version of CC:Mail on IE3 which had a dreadful JScript implementation (and also their own scripting language, I forget what it was called). That would be early 1996 and just before Outlook. (MS Mail was MS's competitor to CC:mail at the time.)

    I remember predicting its inevitability whilst bashing^Weducating bulk hoax forwarders in 1995, and remember it coming true remarkably quickly.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves