
posted by cmn32480 on Monday October 03 2016, @07:29PM
from the inherently-broken dept.

Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."

  • (Score: 3, Insightful) by meustrus on Monday October 03 2016, @07:43PM

    by meustrus (4961) on Monday October 03 2016, @07:43PM (#409598)

    The final statement speaks volumes about internet security. Blaming the victim applies equally as well as it does everywhere else: you live in an insecure world, and although we'd like it to be more secure, you should behave according to the actual security you have. It's fair to tell users to stop being slutty, as the case may be, but only if it isn't used as an excuse to not bother improving the security situation. And if they get a virus despite being "protected" it's fair to say the manufacturer of their "protection" may be at fault.

    Let's all care about safety and security, fight the causes of danger and insecurity, and make our protections easy and effective.

    --
    If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
  • (Score: 1) by Scruffy Beard 2 on Monday October 03 2016, @07:59PM

    by Scruffy Beard 2 (6030) on Monday October 03 2016, @07:59PM (#409612)

    As far as I can tell, anti-viruses are more trouble than they are worth.

    People turn off their critical thinking skills if they think the anti-virus is there to catch them.

    • (Score: 2, Funny) by Anonymous Coward on Monday October 03 2016, @08:20PM

      by Anonymous Coward on Monday October 03 2016, @08:20PM (#409632)

      People had lots of unprotected sex when they thought penicillin could cure anything. AIDS ruined the illusion.

      Anti-virus was very effective in the old days when floppy dicks were the infection vector. Ubiquitous internet connectivity ruined the illusion.

      • (Score: 3, Funny) by Anonymous Coward on Monday October 03 2016, @09:07PM

        by Anonymous Coward on Monday October 03 2016, @09:07PM (#409655)

        Anti-virus was very effective in the old days when floppy dicks were the infection vector. Ubiquitous internet connectivity ruined the illusion.

        Heh. I see what you did there.

    • (Score: 3, Insightful) by mcgrew on Monday October 03 2016, @11:51PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Monday October 03 2016, @11:51PM (#409737) Homepage Journal

      It's not just that, though. Ignorance causes far more trouble than just not thinking, and you can't blame ignorance on the ignorant. You and I may need no AV, but most people I know IRL think computers are magic.

      --
      mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 2) by maxwell demon on Tuesday October 04 2016, @06:44AM

        by maxwell demon (1608) on Tuesday October 04 2016, @06:44AM (#409835) Journal

        But they obviously haven't yet learned that using magic means you have to be careful that the demons you control don't get out of control.

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 3, Touché) by NotSanguine on Tuesday October 04 2016, @01:46AM

      by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Tuesday October 04 2016, @01:46AM (#409769) Homepage Journal

      People turn off their critical thinking skills if they think the anti-virus is there to catch them.

      This assumes that they have critical thinking skills. Which is an iffy proposition, IMHO.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 0) by Anonymous Coward on Tuesday October 04 2016, @03:30AM

      by Anonymous Coward on Tuesday October 04 2016, @03:30AM (#409794)

      The problem is that these software packages have "evolved" as companies learned that scare tactics brought in the money.

      Then they will label even useless "optimizers" as malware, just because people dislike having them on their system.

      This in turn inflates the number of hits a scan gets, but also increases the risk of false positives.

      • (Score: 2) by Scruffy Beard 2 on Tuesday October 04 2016, @06:41PM

        by Scruffy Beard 2 (6030) on Tuesday October 04 2016, @06:41PM (#410189)

        That started in earnest after the Sony-BMG rootkit scandal [wikipedia.org]

        The Sony virus got a "pass" because, well I would be speculating to say exactly why.

        People learned that anti-virus software does not protect them in many cases. You need anti-malware as well because semantics.

  • (Score: 4, Insightful) by DannyB on Monday October 03 2016, @08:44PM

    by DannyB (5839) Subscriber Badge on Monday October 03 2016, @08:44PM (#409644) Journal

    Yes. Blame the victim!

    If you take what the article says . . .
    * use simple passwords
    * click links in untrusted email
    * insert every USB stick you can find (into your computer of course)

    But don't try to change the user he says.

    Let's compare to:
    * lock your house at night, when you leave, and perhaps all the time even when you're at home
    * don't leave your house keys under the welcome mat
    * lock your car
    * don't leave your wallet on the hood of your car while refueling

    Those may seem like common sense -- but let's not try to change the user! Oh, no! Somehow, magically, the world should just be a safe place where bad people cannot take advantage of you.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 0) by Anonymous Coward on Monday October 03 2016, @08:50PM

      by Anonymous Coward on Monday October 03 2016, @08:50PM (#409648)

      On a computer, it's the IT guy's fault.

      * use simple passwords

      It's the IT guy's fault.

      * click links in untrusted email

      It's the IT guy's fault.

      * insert every USB stick you can find (into your computer of course)

      It's the IT guy's fault.

      • (Score: 3, Insightful) by maxwell demon on Tuesday October 04 2016, @06:50AM

        by maxwell demon (1608) on Tuesday October 04 2016, @06:50AM (#409839) Journal

        * click links in untrusted email

        It's the IT guy's fault.

        In this case, it's the software designers' fault. When email was new, people were making fun of the idea that an email could spread a virus. When the web was new, it was perfectly safe to follow any link you liked. Thanks to the combined efforts of Netscape and Microsoft, this is no longer the case.

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by LoRdTAW on Monday October 03 2016, @09:50PM

      by LoRdTAW (3755) on Monday October 03 2016, @09:50PM (#409687) Journal

      Which ones are taught to you in school and by your parents? No, I'll wait.

      • (Score: 3, Insightful) by DannyB on Tuesday October 04 2016, @01:13PM

        by DannyB (5839) Subscriber Badge on Tuesday October 04 2016, @01:13PM (#409965) Journal

        They should ALL be taught to you in school and by your parents.

        The article seems to be saying that the most sensible basic computer precautions should NOT be taught to you in school and by your parents.

        Go ahead and plug every random USB stick into your computer. If you receive an email from an unknown person advising you to download something cool and install it, then go right ahead!

        So on one hand, you should lock your doors because the world is unsafe. But on the other hand, when you use a computer, you should just leave yourself wide open to attack and do the most stupid careless things, because if you get hurt -- it's the software designer's fault for not making you safe! You shouldn't have to take any precautions or exercise any common sense.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 1, Insightful) by Anonymous Coward on Tuesday October 04 2016, @02:28AM

      by Anonymous Coward on Tuesday October 04 2016, @02:28AM (#409784)

      Clicking links in untrusted email and inserting random USB sticks shouldn't lead to pwnage! We have Microsoft to blame for that latter piece of brain damage, and unsandboxed scripting on web pages for the former. Using simple passwords though is more like building your house with an easily forced door.
    • (Score: 3, Informative) by bradley13 on Tuesday October 04 2016, @05:55AM

      by bradley13 (3053) on Tuesday October 04 2016, @05:55AM (#409832) Homepage Journal

      Not quite a fair analogy.

      - Simple passwords = Be able to use a simple lock on an ordinary front door, not the front end of a bank vault.

      - Click links in untrusted mail = Talk to strangers on your porch, without fear they are going to assault and rob you.

      - Insert USB sticks = Pick up a dropped envelope to find out which neighbor lost it, without worrying that you will be infected with anthrax.

      In this sense, the job of IT professionals is simple (difficult, but simply explained): create a sufficiently robust infrastructure that ordinary human behavior does not lead to catastrophe.

      While some security holes are very abstruse, essentially impossible to foresee (Rowhammer), many are just plain stupidity. I still see advanced students and young professionals write code that is open to SQL injection. "Oh, it doesn't matter for this project".

      The problems are manifold, but if we go all the way down to the bottom, the root issue may be the lack of any sort of verification of competence. We don't let amateurs (or incompetent professionals) design bridges, but what assurance do we have that the people writing kernel drivers know what they're doing? For all we know, they're script kiddies hired on the cheap. While any sort of global qualification body would be impossible (and likely corrupt), we could enforce qualifications through economics: If a bridge collapses due to faulty design, the company that built it will be held liable. The executives may even land in jail. Hold software companies to the same standard: Your IoT devices are spamming the Internet? Your company is liable for damages, plus getting those devices off of the Internet.

      --
      Everyone is somebody else's weirdo.
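An added example, not part of bradley13's comment or of the original story, of the SQL injection pattern the comment mentions: the same login check written by splicing user input into the query string, beside the parameterized form that binds the input as data. The `users` table, the two sample accounts and the plaintext password column are constructed for the demonstration (a real system would store password hashes); everything runs against an in-memory SQLite database, so it needs no server.

```python
"""Added example: a login check open to SQL injection beside its hardened form.

Not code from the SoylentNews story or its comments. The schema, the sample
users and the plaintext passwords are constructed for this demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The pattern the comment complains about: untrusted input becomes SQL.

    A password of  ' OR '1'='1  turns the WHERE clause into
    name = 'alice' AND password = '' OR '1'='1  which matches every row.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized query: the driver binds the values, so the input is
    compared as a string and never parsed as SQL, whatever it contains."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both checks with a correct password, a wrong one and an
    injection payload; returns the outcomes so they can be inspected."""
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology payload
    return {
        "vuln_correct": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vuln_wrong": login_vulnerable(conn, "alice", "nope"),
        "vuln_injected": login_vulnerable(conn, "alice", payload),
        "hard_correct": login_hardened(conn, "alice", "correct horse battery staple"),
        "hard_wrong": login_hardened(conn, "alice", "nope"),
        "hard_injected": login_hardened(conn, "alice", payload),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14s} -> {'login accepted' if accepted else 'rejected'}")
```

The only difference between the two functions is whether the values travel as part of the SQL text or as bound parameters; the vulnerable version accepts the injection payload as a valid login while the hardened one rejects it. Escaping quotes by hand is not an equivalent fix, since it has to be repeated correctly at every call site, which is exactly the "fix the user" approach the story argues against.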
      • (Score: 2) by meustrus on Wednesday October 05 2016, @04:41AM

        by meustrus (4961) on Wednesday October 05 2016, @04:41AM (#410502)

        - Simple passwords = Be able to use a simple lock on an ordinary front door, not the front end of a bank vault.
        - Click links in untrusted mail = Talk to strangers on your porch, without fear they are going to assault and rob you.
        - Insert USB sticks = Pick up a dropped envelope to find out which neighbor lost it, without worrying that you will be infected with anthrax.

        That looks like a great analogy to me, and unfortunately things can't be the same on the internet. Because people have always been able to do terrible things to you. The only difference is that now it's super cheap to send 10,000 copies of junk mail without having to pay the post office. You know it sure would have been different if the email system was designed to allow individual network operators to charge some micropayment for the privilege of forwarding that mail. I suppose the main reason they couldn't, besides ideological reasons, is that microtransactions over the fledgling internet were simply uneconomical. You would need Bitcoin as a prerequisite to bring the transaction fees low enough, which obviously the designers of email couldn't have had. So it will be forever free to send email, lowering the bar to entry for every shady business practice, with no profit incentive for cleaning up the bottomfeeders.

        And you know what? That's a good thing. We needed something as useful as email to make any progress on the internet, and its freedom has led to a lot of the success. Not that nobody pays for email. And it's a shame that it's not really possible to maintain a secure email server without the resources of a Google or a Yahoo. But wouldn't it be nice if the user of somebody with those resources was actually getting a fair experience? Without violating their privacy? With some semblance of market competition for the user's attention, not for the advertisers who are the real customers of the internet? If we can somehow eliminate advertising and the need for it, perhaps by making a more crowd-sourced information distribution system (like say SoylentNews or Reddit, or even more distributed like Diaspora), we could make the world a much safer place.

        --
        If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
      • (Score: 2) by urza9814 on Thursday October 06 2016, @02:59AM

        by urza9814 (3954) on Thursday October 06 2016, @02:59AM (#410936) Journal

        - Simple passwords = Be able to use a simple lock on an ordinary front door, not the front end of a bank vault.

        - Click links in untrusted mail = Talk to strangers on your porch, without fear they are going to assault and rob you.

        - Insert USB sticks = Pick up a dropped envelope to find out which neighbor lost it, without worrying that you will be infected with anthrax.

        Yeah, your *neighbors* are probably pretty safe. Physical distance provides much of the security of the real world. The internet doesn't have that. If you put Gates in his mansion in some slum in Elbonia he certainly wouldn't be stopping to talk to the neighbors on his porch or picking up dropped mail or using a standard household door lock. He'd be hiding behind big walls and armed guards -- assuming he doesn't do that already.

        On the internet, you are *always* a tourist walking through the worst slum in a foreign city at 3am. Because anyone, anywhere can attack you at any time. You can't behave as you would around your friends and neighbors and assume you'll be safe, because you *aren't* around your friends and neighbors, you're around a bunch of random strangers all across the globe.

        People *aren't* that trusting in the real world, and they shouldn't be online either. Consider how people still spread the stories about drugs and razor blades in Halloween candy every year. Even though it pretty much never happens. And even though if there's a razor blade in an apple, the whole damn neighborhood knows which house was giving out apples so it'd be no mystery who did it. The Internet is certainly less safe than knocking on neighborhood doors asking for candy, yet people so often don't think twice before doing the digital equivalent of shoveling down food from some anonymous stranger in Tehran. Sure, it's probably safe. But maybe they used contaminated discount ingredients, or it's expired, and they don't even know. Maybe it's been sitting unattended in the street for a week. Or maybe it's a big slice of Rohypnol pie.

        And how many times in this country have we detonated someone's underwear because they left their suitcase lying outside? We treat every random suitcase like a potential bomb, but when it's a digital suitcase attached to an email we should assume there's no way it could be harmful?

  • (Score: 0) by Anonymous Coward on Monday October 03 2016, @10:41PM

    by Anonymous Coward on Monday October 03 2016, @10:41PM (#409713)

    > only if it isn't used as an excuse to not bother improving the security situation.

    Yah think? That's his entire point. That the engineering quality needs to improve and stop pushing the responsibility off to the non-experts.

  • (Score: 2) by meustrus on Wednesday October 05 2016, @04:47AM

    by meustrus (4961) on Wednesday October 05 2016, @04:47AM (#410505)

    I would just like to add to my statement. We need to recognize that a motivated person will always be able to get the best of us. Hopefully, if we are no longer habitually ignoring warning signs because we're getting the wrong signs, we will be more prepared to recognize the warning signs that matter and prepare for them. But it almost never works out that way, and the only way we can get forward is by having an honest conversation about why this happened to begin with. The most important aspect of that in my opinion is why the person was so motivated; it would be much better for us not to be incentivized to do such harm to other people.

    --
    If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?