
posted by cmn32480 on Monday October 03 2016, @07:29PM   Printer-friendly
from the inherently-broken dept.

Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."


  • (Score: 1, Insightful) by Anonymous Coward on Monday October 03 2016, @09:12PM (#409660)

    I don't think they're proposing a world where you find random underwear in a parking lot and can safely put it on... more, a world where you plug in a USB stick and default configurations don't allow it to automatically infect your computer.

    Indeed. It seems to me that a lot of this could be solved just by turning autorun off in Windows. Of course, it won't solve everything, but it would be a good start.

  • (Score: 2) by Leebert (3511) on Tuesday October 04 2016, @02:11AM (#409776)

    It seems to me that a lot of this could be solved just by turning autorun off in windows. Of course, it won't solve everything, but it would be a good start.

    Eh... the USB worm AutoPlay issue has been fixed since something like Windows XP SP2. I don't recall off the top of my head, but I *think* it was sanely set by default in Vista, and certainly in Windows 7.

    • (Score: 1, Informative) by Anonymous Coward on Tuesday October 04 2016, @07:54AM (#409857)

      Nope. They said they would, but they didn't.

      They disabled it for anything that claimed to be a hard drive, but kept it on for anything that claimed to be a read-only media (CD-ROM, etc). And then they published documents on how to make your auto-running-driver-install use the USB IDs of read-only media, to keep autorun working.

      It may stop your everyday virus (assuming that the USB ID is in ROM, and when was the last time you saw anything with a ROM chip?) but not someone deliberately leaving a backdoored USB stick in the parking lot.

    • (Score: 2) by tangomargarine (667) on Tuesday October 04 2016, @02:21PM (#409999)

      I believe as of Windows 8.1 the default is, it pops up a menu asking you what you want to do when you plug in a USB drive. One of the options is still "auto"run.

      (I own a dual-boot Win 8.1 machine.)

      http://www.eightforums.com/tutorials/30511-autoplay-turn-off-windows-8-a.html

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 2) by TheRaven (270) on Tuesday October 04 2016, @08:41AM (#409877)
    Good advice... for 1998. These days, the stuff you have to watch out for subverts the USB controller's firmware or pretends to be a USB HCI device to send arbitrary control sequences to the device (and also pretends to be a USB mass storage device so that it can copy sensitive information to a partition that it then unmounts).
    --
    sudo mod me up
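As an added example, not code from the story or from any commenter: a PowerShell audit covering the two points raised in the thread, the Anonymous Coward's note that Windows applies autorun policy per claimed drive type, and TheRaven's point that a stick may enumerate as a keyboard rather than as storage. The 0x91 default and the drive-type bit layout are assumptions taken from Windows' documented NoDriveTypeAutoRun semantics; Get-PnpDevice needs Windows 8 / PowerShell 4 or later.

```powershell
# Added example, not from the story or any commenter. Reports which drive types
# still get autorun under the machine and user policy, and inventories the
# keyboards currently attached so an unexpected "keyboard" stands out.

# One bit per Win32 drive type in NoDriveTypeAutoRun; a set bit disables autorun.
$driveTypeBits = @(
    @{ Bit = 0x01; Name = 'DRIVE_UNKNOWN' },
    @{ Bit = 0x02; Name = 'DRIVE_NO_ROOT_DIR' },
    @{ Bit = 0x04; Name = 'DRIVE_REMOVABLE (USB sticks)' },
    @{ Bit = 0x08; Name = 'DRIVE_FIXED' },
    @{ Bit = 0x10; Name = 'DRIVE_REMOTE (network shares)' },
    @{ Bit = 0x20; Name = 'DRIVE_CDROM (what a stick faking read-only media claims to be)' },
    @{ Bit = 0x40; Name = 'DRIVE_RAMDISK' },
    @{ Bit = 0x80; Name = 'reserved' }
)

function Get-AutorunPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    # Assumption: when the policy value is absent, Windows applies its documented default 0x91.
    $value = if ($null -ne $item) { [int]$item.NoDriveTypeAutoRun } else { 0x91 }
    $stillEnabled = foreach ($t in $driveTypeBits) {
        if (($value -band $t.Bit) -eq 0) { $t.Name }
    }
    [pscustomobject]@{
        Hive               = $Hive
        NoDriveTypeAutoRun = '0x{0:X2}' -f $value
        AutorunEnabledFor  = @($stillEnabled)
        FullyDisabled      = (($value -band 0xFF) -eq 0xFF)
    }
}

function Get-AttachedKeyboards {
    # Every present device in the Keyboard class. A new entry appearing right after a
    # "storage" stick is plugged in is the keystroke-injecting case from the thread.
    Get-PnpDevice -Class Keyboard -PresentOnly |
        Select-Object FriendlyName, InstanceId, Status
}

'HKLM', 'HKCU' | ForEach-Object { Get-AutorunPolicy -Hive $_ } | Format-List
Get-AttachedKeyboards | Format-Table -AutoSize

# Mitigation (run elevated): disable autorun for every drive type under machine policy.
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
```

The HKCU result is per user, so on a shared machine the HKLM line is the one that matters for a baseline.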