SoylentNews is people
SoylentNews
Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:
Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."
Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?
Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.
[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."
[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."
(Score: 4, Interesting) by VLM on Monday October 03 2016, @07:43PM
counterintuitive things
Culturally I think picking up random electronics and plugging them into secured systems is kinda like picking up random food and clothes discarded in a parking lot and dumping them on your work desk. Hey look, there's a beer bottle in the parking lot, looks like a sip or two left in it, gimme gimmie gimmie oh wait that was pee. I mean what kind of lunatic does stuff like that? What kind of company hires people like that?
Not that a post 1980s era OS design would hurt anything. Or a secure OS would hurt anything. Or secure hardware not having IO ports to plug random crap into. Or a hardware protocol that selectively enforces connectivity beyond mere PC power current negotiation.
But, WTF were you thinking, is still a valid question even in the face of horrible architecture and design. In that way I think the article is just wrong.
A world where you can find underwear laying in the parking lot and safely put it on is ... interesting, and I'm sure it would be a fascinating medical science challenge to accomplish, but not something I find very appealing or culturally acceptable.
(Score: 2) by JoeMerchant on Monday October 03 2016, @08:03PM
I don't think they're proposing a world where you find random underwear in a parking lot and can safely put it on... more, a world where you plug in a USB stick and default configurations don't allow it to automatically infect your computer.
Lots of "security" seems based in the world of Zork. Move North. You were eaten by a grue, you are dead, game over. Try again. You are in a cavern with three exits, North, NorthWest and South. What do you want to do? Eventually, people who keep playing Zork know not to move North from that room (unless you have a lantern, yadda yadda) - point being, you shouldn't have had to play this game before in order to not die.
🌻🌻 [google.com]
(Score: 1) by Francis on Monday October 03 2016, @08:17PM
Pretty much, if you insert a USB disk into a computer, you shouldn't have things executing from it unless you set them up to execute. And documents should never have executables embedded.
(Score: 2) by DannyB on Monday October 03 2016, @08:49PM
I agree with that.
But I disagree with the article's point about not changing the user.
The world is not a safe place. And nothing will magically make it so.
A good lock on your home's front door is better than a poor lock. Just as an OS that doesn't autoexec executables, is better than an OS that does. And better yet, the OS that doesn't autoexec executables should not even recognize it as an executable unless it has the right file permission, and USB media should be set up in your /etc/fstab so that execution cannot happen from that media. But you don't find an /etc/fstab in the OS that traces its history back to a copy of CP/M.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 3, Interesting) by VLM on Monday October 03 2016, @09:46PM
The world is not a safe place.
True but my point in the grandparent post is some end user behavior should as a cultural thing be seen as icky. Like eating food out of a dumpster or sharing underwear with random strangers. Or IV needles for that matter. Note thats all actually pretty safe statistically speaking, but still seen as super gross. As it should be.
It appears not to be possible to discuss the cultural aspect of it. We're only allowed to agree that our immune systems should be strong enough to tolerate it, the original author thinks filthy users should not have to behave in a civilized manner and I'm asking them to keep it classy, or at least try.
I think we would all be happy in a world where computer security doesn't suck.
The original article author wants users to continue to behave like dirt bags. Personally I would prefer something a little more civilized and don't mind calling the users on their gross behavior.
(Score: 1) by Francis on Tuesday October 04 2016, @12:53AM
Right. Certain practices are too dangerous to enable, but you can never completely secure against the end user. And if you lock things down too much people hack around it.
(Score: 2) by mcgrew on Tuesday October 04 2016, @12:01AM
A good lock on your home's front door is better than a poor lock.
It doesn't matter, they have crowbars. Your locks will be safe, but not your door or belongings; that's how burglars broke into my house. Besides, what house has no windows?
mcgrewbooks.com mcgrew.info nooze.org
(Score: 1) by Francis on Tuesday October 04 2016, @01:49PM
The point of locks and sturdy doors isn't to prevent people from the possibility of breaking in. The point of it is to raise the signature of people trying to break in. If they're having to mess around with the lock for a few minutes, that's going to deter a lot of burglars that would like to be in and out in a matter of a couple minutes. Especially if you're in an area that people frequent unpredictably.
If you can make your stuff slightly harder to break into than the other people's stuff, then you'll find a lot of criminals just skip it for the next house.
(Score: 3, Insightful) by JNCF on Monday October 03 2016, @10:25PM
Pretty much, if you insert a USB disk into a computer, you shouldn't have things executing from it unless you set them up to execute.
I don't want that to happen either, but most users do. Most users want to be able to use USB sticks in the same ports that they can plug keyboards into. Most users don't want to have to manually enable a keyboard after plugging it in. Therefore, most users implicitly want a computer that will allow malicious USB drives to type any arbitrary command into their computers (even though they don't explicitly realise this). If the problem were made clear to them, I think most users would begrudgingly choose convenience over security and then quickly proceed to forget about the problem entirely. The traditional trade-off Schneier eschews is very real, and users simply can't have both security and convenience in the levels they desire. Hopefully our priorities will change as people get more educated.
(Score: 1) by Francis on Tuesday October 04 2016, @12:50AM
A lot of this has to do with expected use and visibility. Usb disks are usually used to transfer files between computers, so it makes no sense to enable execution from there.
Likewise email attachments should have to be downloaded manually before manual execution. And documents shouldn't ever be executable.
The point is that reasonable actions should be planned for and secured. Complete security is never possible and users do need to do their share, but the system shouldn't be enabling incompetence or hiding risks.
(Score: 3, Informative) by JNCF on Tuesday October 04 2016, @01:53AM
I was trying to point out that even with execution from USB drives disabled your computer can still be susceptible to malicious drives that simply pretend to be keyboards and type commands in. There is a decision to be made here: we cannot simultaneously have universal ports, permissionless keyboards that don't rely on brittle third-party certificate schemes, and a feeling of safety when plugging in a USB drive found in a parking lot. Obviously, we should grant USB keyboards permissions individually. I suspect most users would hate that, but I'd love to be wrong.
(Score: 1) by Francis on Tuesday October 04 2016, @01:46PM
That's true, but that's something else that the computers should be guarding against. Same goes for those cracks that involve firmware of things like monitors that nobody can reasonably be expected to worry about.
But, at some point, there is a limit to what can reasonably be done about things of this nature. I suspect in terms of malicious devices, a pop up confirming that you plugged in a certain type of device and usb drives not being allowed to type or keyboards not being allowed to have internal memory would make things considerably harder. Probably just a one time deal with some sort of hash to verify that it's the same device that was previously whitelisted.
(Score: 2) by maxwell demon on Tuesday October 04 2016, @07:21AM
They want it because they've been educated to want it. It's also much more convenient to enter a house without first needing to unlock it. Yet I'm not aware of people demanding no-lock front doors.
I'm not aware of anyone in the pre-USB times complaining that you plugged the keyboard to another port than the printer. There were some complaints about PS/2 keyboard and mouse, but that was because they were too similar without being identical; I'm not aware of similar complaints with the earlier serial mice.
Also I'm sure that the vast majority of people don't ever change the keyboard that came with their computer. So there could be keyboard pairing, and the computer could come with the keyboard already paired, just as the OS is already installed.
Also note that people accept entering long sequences of meaningless characters at installation for "product activation" where the only one having an advantage is the provider of the software. You won't tell me that it is not inconvenient. So why should people not accept some inconvenience for hardware installation when they get more security in return? Again, they do accept door locks for security, too.
Of course that doesn't mean the software designers don't also have an obligation to make reasonable security reasonably easy. But that does not mean to sacrifice security for ease of use.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by tangomargarine on Tuesday October 04 2016, @02:17PM
Also I'm sure that the vast majority of people don't ever change the keyboard that came with their computer. So there could be keyboard pairing, and the computer could come with the keyboard already paired, just as the OS is already installed.
A decent idea technically, but I'm sure it would be abused by the companies selling the computers before you can say, "Hey, does anybody remember SecureBoot? That guy standing over you with a hammer assuring you he won't use it?"
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by JNCF on Tuesday October 04 2016, @05:51PM
They want it because they've been educated to want it. It's also much more convenient to enter a house without first needing to unlock it. Yet I'm not aware of people demanding no-lock front doors.
We've been using physical locks of some sort for thousands of years, and some folks still fail to keep their doors locked (it seems fairly common on the East coast of the US, anecdotally). I hope that within a generation or two we take information security at least as seriously as we currently take physical security, but I'm very skeptical of our ability to inculturate those concerns into people who haven't been exposed to them at a young age and aren't seeking out better security practices of their own volition. Again, I'd love to be wrong about this. Schneier is basically arguing that we shouldn't even try because that would be blaming the victim, you insensitive clod, you! I really like some of his writing, but I found this particular piece uncompelling.
Also note that people accept entering long sequences of meaningless characters at installation for "product activation" where the only one having an advantage is the provider of the software.
It doesn't matter how much users would prefer a product that doesn't require an activation step if they don't pay for the product. Customer satisfaction is only one factor in the profit motive equation. I agree that people would still use computers if they had more mildly annoying security practices like keyboard permissions by default, I just think that they would prefer computers without that bug/feature. If Windows implemented it and OSX didn't, I think that would generally be seen as a point in favor of OSX. I hope I'm wrong.
(Score: 1, Insightful) by Anonymous Coward on Monday October 03 2016, @09:12PM
Indeed. It seems to me that a lot of this could be solved just by turning autorun off in windows. Of course, it won't solve everything, but it would be a good start.
(Score: 2) by Leebert on Tuesday October 04 2016, @02:11AM
Eh... the USB worm AutoPlay issue has been fixed since something like Windows XP SP2. I don't recall off the top of my head, but I *think* it was sanely set by default in Vista, and certainly in Windows 7.
(Score: 1, Informative) by Anonymous Coward on Tuesday October 04 2016, @07:54AM
Nope. They said they would, but they didn't.
They disabled it for anything that claimed to be a hard drive, but kept it on for anything that claimed to be a read-only media (CD-ROM, etc). And then they published documents on how to make your auto-running-driver-install use the USB IDs of read-only media, to keep autorun working.
It may stop your everyday virus (assuming that the USB ID is in ROM, and when was the last time you saw anything with a ROM chip?) but not someone deliberately leaving a back doored USB stick in the parking lot.
(Score: 2) by tangomargarine on Tuesday October 04 2016, @02:21PM
I believe as of Windows 8.1 the default is, it pops up a menu asking you what you want to do when plug in a USB drive. One of the options is still "auto"run.
(I own a dual-boot Win 8.1 machine.)
http://www.eightforums.com/tutorials/30511-autoplay-turn-off-windows-8-a.html [eightforums.com]
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by TheRaven on Tuesday October 04 2016, @08:41AM
sudo mod me up
(Score: 3, Insightful) by Hairyfeet on Monday October 03 2016, @11:14PM
Sigh...haven't actually checked out those "security studies" have you? Protip: Windows hasn't had autorun since it was patched out of Windows XP.
The way they infect the system, which just FYI works just as well on Linux and MacOS, is to exploit the user using the classic dancing bunnies [codinghorror.com] where you make the bait so damned tempting that even if they know they shouldn't they'll run it anyway. In the case of these USB sticks all they had to do was make "(Name of company) confidential salaries list.exe" and they would run it, even disabling the AV if they had that option, just to see what the other guy was making. You can even bypass the local AV by making it an .HTML that takes the user to a page where they are slammed with exploits, all that matters is getting the user to run it which is trivial.
I've seen it a billion times in the shop, from "porn codec.exe" to someone on FB getting a "come see this, isn't it cool?" .HTML that sends them to a page filled with exploits, it really doesn't matter anymore which OS you are using (which is why Android reached a million infected 15 years faster than windows reached the same milestone) all that matters is "can you get the user to do what you want?" and with just a teeny bit of psychology that answer is nearly always "yes".
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @08:56AM
Part of the problem is the entire security model around executables. Or rather... the lack of it. Any program I run as user x automatically has the same privileges as user x, which in practice it means it can do whatever it wants to in my home folder containing my documents and other data. Who needs admin or sudo privileges when you can simply ransom or steal the user's data?
The solution is to not allow anything unless explicitly needed. porncodec.exe should not be allowed to do anything other then render porn videos to a framebuffer/texture or whatever a codec does.
My web browser should not be allowed to do anything besides acces the net and place files in select directories for settings, caches or downloads. The web browser should not be allowed to access my home folder unless I have picked a file to be uploaded from that folder using a file picker dialog supplied by the operating system, and then the operating system should open that file in read-only mode and supply the data stream to the browser. Any browser extensions that need more permissions should ask for these at the moment that they need them while clearly indicating why such a permission is needed.
Installers should not be able to go hog-wild doing whatever they want just because I gave permission to do system changes to install a program which I think might be useful but secretly contained a copy skynet.
We need to redesign our operating systems from the ground up, to include security based on behavior blocking from the start, and in ways that are user friendly. Instead of training users to only run software that they trust, I wish to see systems that assume that all code and all data is untrustworthy and to allow safely running this untrustworthy code while knowing that even if it is malicious, it can do only very limited damage.
Also the Android model with tons of blanket permissions required to even install an app is a slight improvement but almost as bad as the desktop situation. You still have very little control over what an app might be doing behind your back.
(Score: 2) by tangomargarine on Tuesday October 04 2016, @02:12PM
Protip: Windows hasn't had autorun since it was patched out of Windows XP.
The way they infect the system, which just FYI works just as well on Linux and MacOS
Large citation needed. The couple times you've actually given me a link to stuff like this before, you've turned out to be full of shit, too.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by Hairyfeet on Thursday October 06 2016, @03:32AM
Want me to wallpaper the page with Linux malware links? I don't think the mods here would like me very much if I did that, but I will be more than happy to show that major exploits are adding Linux support [zdnet.com] because hey guess what kernel Android runs on? You know, that OS that now has passed the number of Windows laptops infected per year as of 2014 [bgr.com] and which now accounts for more than 56% of infections on mobile networks [wirelessdesignmag.com] and beats Windows by a country mile in that category? Yeah I hate to break the news to ya Sparky but its Linux.
Which just FYI proves what I've been saying for over a decade, that Linux much vaunted "security", which just FYI is 15 years behind with R/W/X compared to the much finer grained ACLs, is nothing but security by obscurity and once someone actually popular used Linux it would get pwned. But hey, all those malware ridden systems are running a Linux kernel right? If that isn't worth a Linux party! [ytmnd.com] then nothing is, right?
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by tangomargarine on Thursday October 06 2016, @02:11PM
In other news, computers in general suck. Welcome to Sturgeon's Law.
zdnet>
However, the Linux malware is based on an old and publicly available proof-of-concept backdoor known as 'cd00r.c', developed by hackers at phenoelit.org to solve the visibility 'problem' of standard backdoors.
Half points on that one. Admittedly apparently the problem still hasn't been fixed.
bgr>
The company says the malware infection rate is at 0.68% for mobile devices, which comes to around 16 million devices worldwide. Downplaying malware infections at its annual Google I/O developers even last year, Google hinted that just 0.5% of total active Android devices might have a malware problem, a percentage that amounted to about 5 million gadgets, according to Google’s own stats at the time.
So it's still a miniscule fraction of the devices out there. What percentage of Windows PCs are infected with something?
The report says that in the second half of 2014 alone, there were as many Android devices infected with malware as Windows laptops.
Notice the quote is laptops only.
wirelessdesignmag>
Nokia Security Center Berlin, powered by Nokia Threat Intelligence Lab, today released research findings showing that in the mobile networks, smartphones pulled ahead of Windows-based computers and laptops, now accounting for 60% of the malware activity observed in the mobile space.
I'm a little curious what exactly they mean by "mobile" in this context. Smartphones, tablets, iTouches, and laptops?
Due to a decrease in adware activity, the overall infection rate in mobile networks declined from 0.75% to 0.49% on Windows-based PCs connected to the Internet via a mobile network
I've been connected to the Internet via a WiFi dongle on my desktop before. Does that count as "mobile"? If laptops count, can they really be referring to cell networks?
In the same time period, smartphone infection rates increased and now account for 60% of infections detected in the mobile networks.
Android continues to be the main mobile platform targeted
For the first time since the report began, iOS-based malware – including XcodeGhost and FlexiSpy – is on the top 20 list. In October 2015 alone, iPhone malware represented 6% of total infections.
So iOS infections are included in that 60%. Sorry to disrupt your Linux-hate hardon there, Skippy.
I guess your links aren't quite as badly full of bullshit as usual. Congrats I guess.
And I know you know that Windows security is more or less just as bad, so you just like bitching about Linux. Can't stand to see people enthusiastic about something I guess.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by tangomargarine on Thursday October 06 2016, @02:13PM
Also, from your previous comment, you seem to be implying that autorun infections "work just as well on Linux and MacOS," which you didn't cover in this reply.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 1) by toddestan on Thursday October 06 2016, @01:26AM
Not quite true. Windows 7 will still autorun off of a CD drive - not sure about Windows 8/10*. So the way it's done is the USB stick will pretend it's a USB CD-ROM drive, and then Windows will autorun whatever the USB stick wants it to run. I've seen this tactic used by some USB memory sticks that want you to install some manager software (no thanks, please just be a USB mass storage device please), but there's certainly no reason that it couldn't be used to attempt to launch something malicious.
*Windows 10 is probably safe though due to the disappearing DVD drive bug, which I have encountered so far on every Windows 10 machine I've come across that still has an optical drive.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @07:42AM
It may still be wet inside and short out your computer.
Even worse, until everything is optically connected, you always risk the device you found containing a simple voltage doubler or five (5 volts doubled 5 times is 160 volts).
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:06PM
If you eat food off the ground, you have a chance of getting sick. You might be sick enough to need hospitalization, and even if your medical bills are covered, you'll still miss work. Even if you don't get fired for missing work, missing work will cost you socially when you lose face time with your peers. You can't afford to eat food off the ground because you will lose social status.
If you pick up USB sticks off the ground and put them in your work computer, your computer might get malware. It's the job of the IT guys to fix malware. By breaking your computer, you made those low-status IT losers do some actual work instead of wasting time like every low-status work-shirker does. You don't lose any social status by making work for the IT guys.
That's the cultural issue: IT ain't my fault, boss!
(Score: 4, Funny) by Anonymous Coward on Monday October 03 2016, @08:12PM
is kinda like picking up random food and clothes discarded in a parking lot and dumping them on your work desk
Don't you judge me.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:25PM
YOU BETRAYED THE LAW!
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:24PM
is kinda like picking up random food and clothes discarded in a parking lot and dumping them on your work desk
I'm the janitor, you insensitive clod. Picking up garbage in the parking lot is my job.
(Score: 2) by DannyB on Monday October 03 2016, @08:51PM
But eating it is probably not in your job description. (Although the employer might think that since you can eat trash from the sparking pots, that he can lower your wages so you don't have to purchase food.)
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @09:03AM
I am a robotic janitor, you insensitive clod!
(Score: 2) by PocketSizeSUn on Monday October 03 2016, @09:42PM
Yeah, but that USB key may not be the USB key you *think* it is, regardless of where it came from a bad actor could have replaced your known good key with a bad one. So by *assuming* that a malware infested device will be inserted by a foolish user also protects a reasonable user from a bad actor.
The problem statement is that the user should not have to be paranoid about security as part of the everyday user experience.
Today, every link that is clicked on is potentially a vector for malware and virii, every USB key plugged into a computer, every method of sharing information of every kind, really.
Most users follow a typical risk/reward paradigm where they are at low risk precisely because your average user is of low value. Only when such users are easily exploited for a very low margin is it worth attacking them. Most users don't have to worry about specially crafted JPGs or PDFs because they aren't worth the effort. The users that do have to worry about being specifically target will probably always have to worry no matter what the security model and infrastructure is.
I think the point is we should have an infrastructure that is based from the premise that the user will do something dumb. That alerts should be meaningful and rare and that privilege escalation is a last resort to be avoided at all costs.
The real question is what would such a security infrastructure look like and what limits does it represent?
And passwords ... ye god ... what a horrible method for keeping things secure. Why haven't we transitioned to a public-key infrastructure? Probably because passwords are cheap and easy to implement.
(Score: 2) by FatPhil on Tuesday October 04 2016, @10:52AM
Unprotected private keys are not an alternative to passwords, they are an entirely different type of security. They are "something you have (in a form inconvenient for you, but convenient for malware)" rather than "something you know (but which you share with others liberally)". Things that you have can get lost, copied, or stolen. There are also families of security exploits which can only happen in a PKI scenario, not in a password scanario, it's not a magic bullet.
Of course, you can protect your private keys with a passphrase, but if you think that's better than a password...
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 4, Insightful) by LoRdTAW on Monday October 03 2016, @09:50PM
Your missing the main point: The vast majority of people don't understand computer security because they arent taught computer security. Growing up people learn about real word security, don't talk to strangers, cleanliness, lock your doors, etc. They have a connection established early on that says that bottle is probably full of piss and the clothes could have bed bugs or are soiled with god knows what. You lock your door at night because people could walk in, steal shit and possibly hurt you in the process.
Thing is, computers don't trigger those security measures because they weren't taught. If you taught kids computer security instead of playing oregon trail and learning to use MS office, we might actually have people who see a USB stick kicking around and think "Oh hell no". They also might see a bogus email and cautiously open it or delete it outright.
It's called education. And the author seems to acknowledge that no one is doing anything to educate kids who eventually become adults not to do stupid shit and click every link in an email or plug in random USB drives. So we might as well try and mold secure computing around such a careless society. It's certainly not the right way to do things but what can you do on the face of such apathy?
(Score: 2) by mcgrew on Monday October 03 2016, @11:55PM
I agree with you, but people don't understand how this stuff works. If the system were designed correctly you could plug in a random USB stick or click a link in an email. The trouble is that the system's designers aren't up to the task, or are unwilling to tackle it.
mcgrewbooks.com mcgrew.info nooze.org