
posted by cmn32480 on Monday October 03 2016, @07:29PM
from the inherently-broken dept.

Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."


  • (Score: 4, Insightful) by TrumpetPower! on Monday October 03 2016, @09:27PM

    by TrumpetPower! (590) <ben@trumpetpower.com> on Monday October 03 2016, @09:27PM (#409670)

    There're all sorts of simple and obvious things that you shouldn't do with cars that can cause all sorts of bad things to happen, from trying to start the engine when it's already running to braking hard enough for the wheels to lock up.

    And, for the longest time, mechanics and auto manufacturers told people, "Don't do that!" and blamed them for the results when they inevitably did so anyway.

    But today's cars don't even let you do those things any more -- and we're all better off as a result.

    It's high past time computer engineers learned this lesson from their automotive counterparts.

    Because, just as you might be able to brake marginally faster manually than with ABS, what makes you think the little old lady behind you can?

    When you understand why you should want the cars around you to have ABS brakes and why such a want is entirely unrelated to questions of anybody's competence and / or machismo as a driver, you will understand why you should stop blaming people for common security "mistakes" and fix your broken systems in the first place.

    Cheers,

    b&

    --
    All but God can prove this sentence true.
  • (Score: 2) by edinlinux on Tuesday October 04 2016, @01:00AM

    by edinlinux (4637) on Tuesday October 04 2016, @01:00AM (#409761)

    This is why you need to be licensed to drive a car..

    Maybe people need to be licensed to use a computer then?

    • (Score: 2) by Scruffy Beard 2 on Tuesday October 04 2016, @01:36AM

      by Scruffy Beard 2 (6030) on Tuesday October 04 2016, @01:36AM (#409768)

      Microsoft has been advocating that with their Trusted Computing initiative.

      Requiring a license to use the computer means no more "hacker" operating systems.

      It also means that Microsoft administers e-voting. If you refuse to use a "licensed" system, no voting for you!

      • (Score: 2) by maxwell demon on Tuesday October 04 2016, @08:13AM

        by maxwell demon (1608) on Tuesday October 04 2016, @08:13AM (#409863)

        No, Trusted Computing does not involve an official license for the user comparable to the driving license. Instead, it involves locking down the computer, which would be the equivalent of forbidding you from servicing your own car. Very different things.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by Scruffy Beard 2 on Tuesday October 04 2016, @06:32PM

          by Scruffy Beard 2 (6030) on Tuesday October 04 2016, @06:32PM (#410184)

          When I posted that I was thinking of an old video that Scott Charney, Corporate Vice President for Microsoft's Trustworthy Computing Group posted many years back.

          I believe I have a copy sitting on a drive about 12km away. I asked Microsoft for permission to publish the transcript, but never followed up when they asked me to show them how it would be displayed on my website. I was not able to find it in initial searching.

          In it he does advocate an internet license. You would not get online unless your PC remotely attests that you are using a blessed Microsoft stack.

          • (Score: 2) by maxwell demon on Tuesday October 04 2016, @07:45PM

            by maxwell demon (1608) on Tuesday October 04 2016, @07:45PM (#410245)

            Again, not the same, no matter what Microsoft calls it. You don't have to prove that you've got a certified Ford in order to get your driving license.

            --
            The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by maxwell demon on Tuesday October 04 2016, @08:11AM

      by maxwell demon (1608) on Tuesday October 04 2016, @08:11AM (#409860)

      Actually you can use a car without a license; you just can't use it on public roads.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Tuesday October 04 2016, @05:20PM

        by Anonymous Coward on Tuesday October 04 2016, @05:20PM (#410106)

        ... legally