Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Monday October 03 2016, @07:29PM   Printer-friendly
from the inherently-broken dept.

Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without­ -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it­ -- "stress of mind, or knowledge of a long series of rules."

[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- ­not just those with "security awareness."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by maxwell demon on Tuesday October 04 2016, @07:21AM

    by maxwell demon (1608) on Tuesday October 04 2016, @07:21AM (#409845) Journal

    They want it because they've been educated to want it. It's also much more convenient to enter a house without first needing to unlock it. Yet I'm not aware of people demanding no-lock front doors.

    I'm not aware of anyone in the pre-USB times complaining that you plugged the keyboard to another port than the printer. There were some complaints about PS/2 keyboard and mouse, but that was because they were too similar without being identical; I'm not aware of similar complaints with the earlier serial mice.

    Also I'm sure that the vast majority of people don't ever change the keyboard that came with their computer. So there could be keyboard pairing, and the computer could come with the keyboard already paired, just as the OS is already installed.

    Also note that people accept entering long sequences of meaningless characters at installation for "product activation" where the only one having an advantage is the provider of the software. You won't tell me that it is not inconvenient. So why should people not accept some inconvenience for hardware installation when they get more security in return? Again, they do accept door locks for security, too.

    Of course that doesn't mean the software designers don't also have an obligation to make reasonable security reasonably easy. But that does not mean to sacrifice security for ease of use.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by tangomargarine on Tuesday October 04 2016, @02:17PM

    by tangomargarine (667) on Tuesday October 04 2016, @02:17PM (#409997)

    Also I'm sure that the vast majority of people don't ever change the keyboard that came with their computer. So there could be keyboard pairing, and the computer could come with the keyboard already paired, just as the OS is already installed.

    A decent idea technically, but I'm sure it would be abused by the companies selling the computers before you can say, "Hey, does anybody remember SecureBoot? That guy standing over you with a hammer assuring you he won't use it?"

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 2) by JNCF on Tuesday October 04 2016, @05:51PM

    by JNCF (4317) on Tuesday October 04 2016, @05:51PM (#410137) Journal

    They want it because they've been educated to want it. It's also much more convenient to enter a house without first needing to unlock it. Yet I'm not aware of people demanding no-lock front doors.

    We've been using physical locks of some sort for thousands of years, and some folks still fail to keep their doors locked (it seems fairly common on the East coast of the US, anecdotally). I hope that within a generation or two we take information security at least as seriously as we currently take physical security, but I'm very skeptical of our ability to inculturate those concerns into people who haven't been exposed to them at a young age and aren't seeking out better security practices of their own volition. Again, I'd love to be wrong about this. Schneier is basically arguing that we shouldn't even try because that would be blaming the victim, you insensitive clod, you! I really like some of his writing, but I found this particular piece uncompelling.

    Also note that people accept entering long sequences of meaningless characters at installation for "product activation" where the only one having an advantage is the provider of the software.

    It doesn't matter how much users would prefer a product that doesn't require an activation step if they don't pay for the product. Customer satisfaction is only one factor in the profit motive equation. I agree that people would still use computers if they had more mildly annoying security practices like keyboard permissions by default, I just think that they would prefer computers without that bug/feature. If Windows implemented it and OSX didn't, I think that would generally be seen as a point in favor of OSX. I hope I'm wrong.