
E2E: Erik Meijer and Cormac Herley - Rational Rejection of Security Advice by Users


Dr. Cormac Herley spends most of his time thinking about why and how computer users reject security advice (from both fellow humans and software security warning prompts). Recently, his paper, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," received a fair amount of attention from the general media (Boston Globe, Tech Republic, NPR, etc). The paper also prompted our favorite software renegade, Dr. Erik Meijer, to send me an email, simply asking that I "please set up an E2E with Cormac Herley." I did just that and the following conversation is what happened...

Enjoy.


Follow the Discussion

  • FIRST!

  • Charles (Welcome Change)

    Great... You should watch the video, listen to the conversation and develop some intelligent questions/feedback, then post. There is nothing special about being the first to post a comment on Channel 9....


    C

  • Alex "BuckyBit" Covic (buckybit)

    I thought about users and security a lot over many years...and I gave up on end-users. You, of course, cannot.

    How many, 1 billion PCs worldwide? 100s of millions of financial transactions every day. It is a miracle that so little is compromised! On the other hand, you can buy (in a couple of hours, any time of the day) DVDs full of legit credit card numbers and other relevant data, if you know the sources.

    End-user security will never improve, because IMHO we cannot show the users pictures of rotting carcasses or dying baby seals ... something to make them more aware, more cautious BEFORE something 'bad' happens, they lose their money or suffer ID theft. Who uses PGP? Who checks his own passwords with password crackers? Who encrypts his emails? Last time you updated your Key Fingerprint?

    My concern is more on the company and government side. The recent New York Times article that explained how the Google Hack was possible (including the usage of Microsoft Instant Messenger and a click on a link - ah, ActiveX Controls) made me shiver.

    Your company is as secure as your dumbest employee? But who was the real risk factor? The guy that clicked? The supervisor, who did not explain not to use such a thing? The CTO who had no policies in place to explain the risks to the employees? etc... whose fault is it?

    When it comes to security problems, I often defend Microsoft and Windows products, explaining to people "This is what you wanted" - they want easy usability, they want to drag and drop things, to copy and paste... they wanted COM and ActiveX controls - jumping between apps, shiny, Flashy, javascript web, ... do users care about the problems this may cause? No! They are no programmers! They just want to drive the car, no wait - they just want the ride! They don't want to care what the difference is between http and https...

    Blackhats who are after individuals are not my concern anymore. We need to think of the Chinese hacker madras (no offense, fellow Chinese Devs), the Cyberwars that are going on right now. The daily attacks we have to deal with on a daily basis. Industrial and military espionage is real. Our technology is used in critical areas. The vulnerability is there, too. People who work in sensitive areas need to be educated.

    [Edit] Consumer world end-users? What can we really do for/about them?

  • Well, I just spent 20 mins composing a comment only to have the web page "expire" and throw all my work away. Should have known to compose it offline like the long-ago email systems - what wonderful technology we have today!!!

    So here's an abbreviated version (by the way, I did watch the video, but haven't read the paper.)

    My main point was that in weighing the economic equation, the part of the equation that we also forget is the attempt to shift the cost from the technology to the user - my analogy was asking the user to put a deadbolt lock on the front door when we have the user living in a grass shack!!

    Can't track down the perpetrators? That's because we designed and deployed a network that makes it incredibly easy to hide. Why did networking innovations stop when TCP/IP was invented? Is it really better to ask millions of users to compensate than to fix the technology? Could we offer a safer technology at a cost that users would be willing to pay rather than absorbing these other costs with marginal value!

    Examining the address bar in some vain attempt to figure out how legit the web site is! Ridiculous. I don't deposit my money down the street with Joe but carefully choose a bank to keep it in (well, let's ignore the banking crises for the moment). We have fairly effective measures (social and legal) that prevent Joe from putting up a "Wells Fargo" facade, so I don't have to worry much about making my deposit in the wrong place. Can't we do a heck of a lot better technology-wise on the internet - why does the site I throw up in my back yard have exactly the same presence as a site put up by Wells Fargo?

    Not saying that these are altogether cheap or easy technical issues, but I think the average user has figured out that we are not holding up our end of the bargain, so why should they give a lot of effort or credence to our suggestions (or attempts to color the address bar!).

    Dave

  • I'm really afraid of what will happen when computers and the internet become more and more integrated into our social and personal identities, the physical world (what Butler Lampson called "embodiment" in another of your videos) and eventually even our physical bodies. The security infrastructure we have seems hopelessly inadequate to the task, and I fear it will take a disaster to make people serious about fixing it.

  • Richard Anthony Hein (Richard.Hein)

    Shocking.  I've become a victim, because of my failure to attend to security.  It's just so hard to believe, but really there are groups that are so sophisticated that they can weave an illusion.  Epic fail on my side.

  • Bent Rasmussen (exoteric)

    I still dream of pervasive high-quality secure biometrics, for example in keyboards, screens, mobile phones, etc. In my country two-factor authentication (printed card with throw-away passwords as well as a reusable password) is being implemented as the national authentication scheme to be used for accessing the web bank as well as all national web services. My own bank uses three-factor authentication at the moment: printed card with throw-away passwords, reusable password and social security number. All transactions, even sending mail to the bank, require a throw-away password. So it's very secure but not a lazy man's solution. The two-factor authentication scheme is being implemented because it's supposedly cost-effective and has good usability as well as, of course, being very secure.
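As an added example, not part of the thread and not any bank's or national scheme's code: a minimal server-side check for the scheme the comment above describes, a reusable password plus a single-use code from a printed card. The user record layout, the hashing parameters and the sample codes are constructed assumptions.

```python
# Constructed illustration of "reusable password + printed card of
# throw-away codes": every card position is accepted at most once.
import hashlib
import hmac
import os
import secrets


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked user table does not expose the password or
    # the unused card codes; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enroll(password: str, card_codes: list[str]) -> dict:
    """Build a user record: hash of the reusable password plus one hash per
    printed card position (numbered from 1), and the set of burnt positions."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw": _hash(password, salt),
        "card": {i + 1: _hash(c, salt) for i, c in enumerate(card_codes)},
        "used": set(),
    }


def authenticate(user: dict, password: str, position: int, code: str) -> bool:
    """Both factors must verify. A card position is burnt on any attempt,
    success or failure, so a short numeric code cannot be guessed by retrying
    the same position (a constructed policy choice; real schemes also lock out
    after repeated failures)."""
    if position not in user["card"] or position in user["used"]:
        return False
    user["used"].add(position)  # throw-away: this position is gone now
    pw_ok = hmac.compare_digest(user["pw"], _hash(password, user["salt"]))
    code_ok = hmac.compare_digest(user["card"][position], _hash(code, user["salt"]))
    return pw_ok and code_ok


def print_card(n: int = 5) -> list[str]:
    """Constructed stand-in for the printed card: n random 6-digit codes."""
    return [f"{secrets.randbelow(10**6):06d}" for _ in range(n)]


if __name__ == "__main__":
    card = print_card()
    user = enroll("reusable-password", card)
    print(authenticate(user, "reusable-password", 1, card[0]))  # True
    print(authenticate(user, "reusable-password", 1, card[0]))  # False: burnt
```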
