
posted by cmn32480 on Monday October 03 2016, @07:29PM
from the inherently-broken dept.

Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."


  • (Score: 2, Insightful) by Anonymous Coward on Monday October 03 2016, @08:03PM

    by Anonymous Coward on Monday October 03 2016, @08:03PM (#409616)

    It's not because an eminence grise of security says something that he is always right.
    In this case, he is wrong; the user most certainly needs fixing.

    The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things.

    No, security is just counterintuitive to how people normally operate. Get over it. It is that way so that you actually THINK before acting instead of acting and then blaming the results on 'a difficult system'.

    Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

    Because the world isn't a happy place where all sing kumbaya. The user IS the problem.

    Or in other words: we make it deliberately hard and counterintuitive to launch nukes; should we make it easier, perhaps?

  • (Score: 2) by MrGuy on Monday October 03 2016, @09:14PM

    by MrGuy (1007) on Monday October 03 2016, @09:14PM (#409662)

    No, security is just counterintuitive to how people normally operate. Get over it.

    A theory proven by the fact that social engineering attacks work, and are still one of the most important vectors for security breaches.

    People want to trust the person on the other end of a phone is a real person, who is who they say they are, and a well-intentioned person who is being upfront about their motivations and goals. People do not default to "don't trust," especially when the person in question becomes abusive, unreasonable, or threatening to their job. Even people who are specifically instructed on policy and how social engineering attacks work are vulnerable if the "path of least resistance" is to bend the rules just this once, because I'm sure he's who he says he is and I don't see why it's a big deal to reset his password for him anyways.....

  • (Score: 2) by Arik on Monday October 03 2016, @10:01PM

    by Arik (4543) on Monday October 03 2016, @10:01PM (#409696) Journal

    Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

    "Because the world isn't a happy place where all sing kumbaya. The user IS the problem."

    But all these things are reasonable. Most password restrictions are not necessary and not security-positive either. It should be perfectly safe to click on any arbitrary link; it IS (essentially) safe to do so using a sane browser, in fact. Autorunning malware off a USB stick is only possible because Microsoft deliberately rigged an insane mechanism here, and even after being lambasted for it thoroughly by everyone they keep right on shoving that down the users' throats. It's a misfeature, a design failure, simple as that.

    --
    If laughter is the best medicine, who are the best doctors?
  • (Score: 0) by Anonymous Coward on Tuesday October 04 2016, @09:15AM

    by Anonymous Coward on Tuesday October 04 2016, @09:15AM (#409892)

    No, security is just counterintuitive to how people normally operate.

    In other words, a security breach is based on exploiting normal behavior. If you change normal behavior to plug security holes, the security landscape changes, revealing the next set of security holes. If doing the right thing induces more everyday effort, then sooner or later either someone will invent yet another "simple & easy" gadget or widget that is supposed to make users' lives easier again and that novelty will become a new attack vector, or users will simply suffer fatigue and start short-circuiting and working around security procedures.

    In short, it is an unsolvable problem, especially if left to users to implement any proposed solutions.

  • (Score: 0) by Anonymous Coward on Tuesday October 04 2016, @08:15PM

    by Anonymous Coward on Tuesday October 04 2016, @08:15PM (#410280)

    You are entering the blame game. Neither the user nor the system will get fixed when the fault is always at the other end.

    Unfortunately, both are necessary. A technical fix will not help if the user is an antisocial ass, and you can't expect the great masses to go counter to their own personal interest in the name of security when the design is thoroughly misguided.