posted by cmn32480 on Monday October 03 2016, @07:29PM   Printer-friendly
from the inherently-broken dept.

Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."


  • (Score: 1) by Scruffy Beard 2 on Monday October 03 2016, @07:59PM

    by Scruffy Beard 2 (6030) on Monday October 03 2016, @07:59PM (#409612)

    As far as I can tell, anti-viruses are more trouble than they are worth.

    People turn off their critical thinking skills if they think the anti-virus is there to catch them.

  • (Score: 2, Funny) by Anonymous Coward on Monday October 03 2016, @08:20PM

    by Anonymous Coward on Monday October 03 2016, @08:20PM (#409632)

    People had lots of unprotected sex when they thought penicillin could cure anything. AIDS ruined the illusion.

    Anti-virus was very effective in the old days when floppy dicks were the infection vector. Ubiquitous internet connectivity ruined the illusion.

    • (Score: 3, Funny) by Anonymous Coward on Monday October 03 2016, @09:07PM

      by Anonymous Coward on Monday October 03 2016, @09:07PM (#409655)

      Anti-virus was very effective in the old days when floppy dicks were the infection vector. Ubiquitous internet connectivity ruined the illusion.

      Heh. I see what you did there.

  • (Score: 3, Insightful) by mcgrew on Monday October 03 2016, @11:51PM

    by mcgrew (701) <publish@mcgrewbooks.com> on Monday October 03 2016, @11:51PM (#409737) Homepage Journal

    It's not just that, though. Ignorance causes far more trouble than just not thinking, and you can't blame ignorance on the ignorant. You and I may need no AV, but most people I know IRL think computers are magic.

    --
    mcgrewbooks.com mcgrew.info nooze.org

    • (Score: 2) by maxwell demon on Tuesday October 04 2016, @06:44AM

      by maxwell demon (1608) on Tuesday October 04 2016, @06:44AM (#409835) Journal

      But they obviously haven't yet learned that using magic means you have to be careful that the demons you control don't get out of control.

      --
      The Tao of math: The numbers you can count are not the real numbers.

  • (Score: 3, Touché) by NotSanguine on Tuesday October 04 2016, @01:46AM

    People turn off their critical thinking skills if they think the anti-virus is there to catch them.

    This assumes that they have critical thinking skills. Which is an iffy proposition, IMHO.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr

  • (Score: 0) by Anonymous Coward on Tuesday October 04 2016, @03:30AM

    by Anonymous Coward on Tuesday October 04 2016, @03:30AM (#409794)

    The problem is that these software packages have "evolved" as companies learned that scare tactics brought in the money.

    Then they will label even useless "optimizers" as malware, just because people dislike having them on their system.

    This in turn inflates the number of hits a scan gets, but also increases the risk of false positives.

    • (Score: 2) by Scruffy Beard 2 on Tuesday October 04 2016, @06:41PM

      by Scruffy Beard 2 (6030) on Tuesday October 04 2016, @06:41PM (#410189)

      That started in earnest after the Sony-BMG rootkit scandal [wikipedia.org].

      The Sony virus got a "pass" because, well, I would be speculating to say exactly why.

      People learned that anti-virus software does not protect them in many cases. You need anti-malware as well because semantics.