Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Monday October 03 2016, @07:29PM   Printer-friendly
from the inherently-broken dept.

Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without­ -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it­ -- "stress of mind, or knowledge of a long series of rules."

[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- ­not just those with "security awareness."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1) by Francis on Tuesday October 04 2016, @12:50AM

    by Francis (5544) on Tuesday October 04 2016, @12:50AM (#409757)

    A lot of this has to do with expected use and visibility. Usb disks are usually used to transfer files between computers, so it makes no sense to enable execution from there.

    Likewise email attachments should have to be downloaded manually before manual execution. And documents shouldn't ever be executable.

    The point is that reasonable actions should be planned for and secured. Complete security is never possible and users do need to do their share, but the system shouldn't be enabling incompetence or hiding risks.

  • (Score: 3, Informative) by JNCF on Tuesday October 04 2016, @01:53AM

    by JNCF (4317) on Tuesday October 04 2016, @01:53AM (#409771) Journal

    I was trying to point out that even with execution from USB drives disabled your computer can still be susceptible to malicious drives that simply pretend to be keyboards and type commands in. There is a decision to be made here: we cannot simultaneously have universal ports, permissionless keyboards that don't rely on brittle third-party certificate schemes, and a feeling of safety when plugging in a USB drive found in a parking lot. Obviously, we should grant USB keyboards permissions individually. I suspect most users would hate that, but I'd love to be wrong.

    • (Score: 1) by Francis on Tuesday October 04 2016, @01:46PM

      by Francis (5544) on Tuesday October 04 2016, @01:46PM (#409979)

      That's true, but that's something else that the computers should be guarding against. Same goes for those cracks that involve firmware of things like monitors that nobody can reasonably be expected to worry about.

      But, at some point, there is a limit to what can reasonably be done about things of this nature. I suspect in terms of malicious devices, a pop up confirming that you plugged in a certain type of device and usb drives not being allowed to type or keyboards not being allowed to have internal memory would make things considerably harder. Probably just a one time deal with some sort of hash to verify that it's the same device that was previously whitelisted.