E2E: Erik Meijer and Cormac Herley - Rational Rejection of Security Advice by Users


The Discussion

  • Great... You should watch the video, listen to the conversation and develop some intelligent questions/feedback, then post. There is nothing special about being the first to post a comment on Channel 9.



  • Alex Covic


    I thought about users and security a lot over many years...and I gave up on end-users. You, of course, cannot.


    How many, 1 billion PCs worldwide? Hundreds of millions of financial transactions every day. It is a miracle that so little is compromised! On the other hand, you can buy (in a couple of hours, at any time of the day) DVDs full of legit credit card numbers and other relevant data, if you know the sources.


    End-user security will never improve, because IMHO we cannot show the users pictures of rotting carcasses or dying baby seals ... something to make them more aware, more cautious BEFORE something 'bad' happens, before they lose their money or suffer ID theft. Who uses PGP? Who checks his own passwords with password crackers? Who encrypts his emails? When did you last update your key fingerprint?


    My concern is more on the company and government side. The recent New York Times article that explained how the Google Hack was possible (including the usage of Microsoft Instant Messenger and a click to a link - ah, ActiveX Controls) made me shiver.


    Your company is as secure as your dumbest employee? But who was the real risk factor? The guy who clicked? The supervisor who did not explain not to use such a thing? The CTO who had no policies in place to explain the risks to the employees? etc... whose fault is it?


    When it comes to security problems, I often defend Microsoft and Windows products, explaining to people "This is what you wanted" - they want easy usability, they want to drag and drop things, to copy and paste... they wanted COM and ActiveX controls - jumping between apps, shiny, Flashy, javascript web, ... do users care about the problems this may cause? No! They are not programmers! They just want to drive the car, no wait - they just want the ride! They don't want to care what the difference is between http and https...


    Blackhats who are after individuals are not my concern anymore. We need to think of the Chinese hacker madras (no offense, fellow Chinese Devs), the Cyberwars that are going on right now. The attacks we have to deal with on a daily basis. Industrial and military espionage is real. Our technology is used in critical areas. The vulnerability is there, too. People who work in sensitive areas need to be educated.


    [Edit] Consumer-world end-users? What can we really do for/about them?






  • Well I just spent 20 mins composing a comment only to have the web page "expire" and throw all my work away. Should have known to compose it offline like the long ago email systems - what wonderful technology we have today!!!


    So here's an abbreviated version (by the way I did watch the video, but haven't read the paper.)


    My main point was that in weighing the economic equation, the part of the equation that we also forget is the attempt to shift the cost from the technology to the user - my analogy was asking the user to put a deadbolt lock on the front door when we have the user living in a grass shack!!


    Can't track down the perpetrators? That's because we designed and deployed a network that makes it incredibly easy to hide. Why did networking innovations stop when TCP/IP was invented? Is it really better to ask millions of users to compensate than to fix the technology? Could we offer a safer technology at a cost that users would be willing to pay rather than absorbing these other costs with marginal value!


    Examining the address bar in some vain attempt to figure out how legit the web site is! Ridiculous. I don't deposit my money down the street with Joe but carefully choose a bank to keep it in (well let's ignore the banking crisis for the moment). We have fairly effective measures (social and legal) that prevent Joe from putting up a "Wells Fargo" facade, so I don't have to worry much about making my deposit in the wrong place. Can't we do a heck of a lot better technology-wise on the internet - why does the site I throw up in my back yard have exactly the same presence as a site put up by Wells Fargo?


    Not saying that these are altogether cheap or easy technical issues, but I think the average user has figured out that we are not holding up our end of the bargain, so why should they give a lot of effort or credence to our suggestions (or attempts to color the address bar!).



  • I'm really afraid of what will happen when computers and the internet become more and more integrated into our social and personal identities, the physical world (what Butler Lampson called "embodiment" in another of your videos) and eventually even our physical bodies. The security infrastructure we have seems hopelessly inadequate to the task, and I fear it will take a disaster to make people serious about fixing it.

  • Shocking. I've become a victim, because of my failure to attend to security. It's just so hard to believe, but really there are groups that are so sophisticated that they can weave an illusion. Epic fail on my side.

  • I still dream of pervasive high-quality secure biometrics, for example in keyboards, screens, mobile phones, etc. In my country two-factor authentication (printed card with throw-away passwords as well as reusable password) is being implemented as the national authentication scheme to be used for accessing the web bank as well as all national web services. My own bank uses three-factor authentication at the moment: printed card with throw-away passwords, reusable password and social security number. All transactions, even sending mail to the bank, require a throw-away password. So it's very secure but not a lazy man's solution. The two-factor authentication scheme is being implemented because it's supposedly cost-effective and has good usability as well as of course being very secure.
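The "printed card of throw-away passwords plus reusable password" scheme described in the comment above, as an added example: this is not code from the comment, from any bank, or from any national scheme, and the class and method names are hypothetical. It shows the server-side checks that make the card factor worth having: each code is bound to a position, works exactly once, and a replay of a spent code is rejected even with the correct password.

```python
import hmac
import secrets

# Added, constructed example (not any real bank's code): verifier for a
# printed card of one-time codes combined with a reusable password.
# Each card holds numbered codes; a transaction must quote the reusable
# password and the code at the position the server asks for.

CARD_SIZE = 20


def issue_card(size=CARD_SIZE):
    """Generate the codes to print on a new card (6 digits, from a CSPRNG)."""
    return [f"{secrets.randbelow(10 ** 6):06d}" for _ in range(size)]


class OneTimeCardAuth:
    def __init__(self, password, card):
        self._password = password          # reusable factor (kept in clear only for brevity)
        self._card = list(card)            # one-time factor, as printed on the card
        self._used = [False] * len(card)   # server-side record of consumed positions

    def next_index(self):
        """Position the server asks the user to read next, or None if the card is exhausted."""
        for i, used in enumerate(self._used):
            if not used:
                return i
        return None

    def remaining(self):
        """Number of codes on the card that can still be spent."""
        return self._used.count(False)

    def check(self, password, index, code):
        """True only if the password matches and the code at `index` is unused and correct."""
        if not isinstance(index, int) or not 0 <= index < len(self._card):
            return False
        if self._used[index]:
            return False                   # replay of an already-spent code
        # compare_digest avoids leaking how much of a guess matched via timing
        pw_ok = hmac.compare_digest(password.encode(), self._password.encode())
        code_ok = hmac.compare_digest(code.encode(), self._card[index].encode())
        if not (pw_ok and code_ok):
            return False
        self._used[index] = True           # consume the code on success only
        return True
```

A card that runs out of codes (`next_index()` returning `None`) is the usability cost the comment refers to: the user must be issued a new card before any further transaction.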
