Folk Models in Home Computer Security

This is a really interesting paper: "Folk Models of Home Computer Security," by Rick Wash. It was presented at SOUPS, the Symposium on Usable Privacy and Security, last year.

Abstract:

Home computer systems are frequently insecure because they are administered by untrained, unskilled users. The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I investigate how home computer users make security-relevant decisions about their computers. I identify eight 'folk models' of security threats that are used by home computer users to decide what security software to use, and which security advice to follow: four different conceptualizations of 'viruses' and other malware, and four different conceptualizations of 'hackers' that break into computers. I illustrate how these models are used to justify ignoring some security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they have been cleverly designed to take advantage of gaps in these models so that many home computer users do not take steps to protect against them.

I'd list the models, but it's more complicated than that. Read the paper.

Posted on March 22, 2011 at 7:12 AM • 57 Comments

Comments

arfnarfMarch 22, 2011 8:46 AM

PDFs formatted with two columns are not easy to read on a computer screen.

I wonder when people will stop doing this? I guess they are never forced to read what they've written.

Otherwise, interesting paper.

Clive RobinsonMarch 22, 2011 8:53 AM

I'm not sure it digs deep enough into the "perceived security".

Long before we had the Newtonian science model we had the Aristotle model and witch craft / religion.

The difference that is important was the idea of "testable measurments" which needed "measurands" and "metrics" that became standardized.

Without them a user has no way to tell the difference between "folk wisdom" of witch craft / religion and "Scientific Deduction".

Every time I see "what the top 10 companies did" recomendations tarted up as "best practice" I just cannot give it the creadence of "My magic umbrella" thinking, thus it's almost down to what you would expect of children waving sticks and saying "Abracadabra".

Clive RobinsonMarch 22, 2011 8:57 AM

@ arfnarf,

"I wonder when people will stop doing this?"

When the journals that one produced "printed paper" stop using it as a "house style".

When printed in that format with extra wide gutter space it (supposadly) alows for written anotation by the reader...

rjhMarch 22, 2011 9:04 AM

Also, readability studies from 50's and 60's showed significant readability improvement from tall narrow text vs full page width. The tall narrow layout of paper newspapers is no accident.

karrdeMarch 22, 2011 9:14 AM

Interesting analysis.

A couple of times, I've gotten an email from friends who say something like 'someone hacked my old email account...don't open stuff coming from my old AOL/HotMail account'. Often they would add 'I deleted the account, but they can somehow still get in and send from it.'

Generally, such people are technically illiterate enough to not understand how easy it is to forge the 'FROM' line in an SMTP header. I sometimes try to tell them how such things work, and sometimes just let it slide.

There are obviously large loopholes in public knowledge about computer security. I wish there was an easy way to fix it.

As an analogy, there is a fair amount of public knowledge about auto maintenance and use. Regular oil changes top the list, with some knowledge about 'tune-ups', 'fluid checks', etc. Thus, most people keep their car in running order by taking it to specialists for some work on a quarterly basis.

But few people think of their computer system needing preventive maintenance. So they don't take it in to any shop to have its registry scanned, and maybe have the running-background-processes list trimmed and tuned.

ChrisMarch 22, 2011 9:23 AM

@karrde: "So they don't take it in to any shop to have its registry scanned, and maybe have the running-background-processes list trimmed and tuned."

Sounds like a good way to get fleeced for $80-100 (depending on your shop) each time, plus served up a heaping helping of bullsh*t about how you need to purchase Upsell X, Y, Z, and Q in order to keep things safe. Oh, and having all your music/videos/personal photos/etc cloned to a machine in the back and combed through for anything worth keeping.

(Why no, I don't have a poor opinion of big-box retail outlets, why do you ask?)

transmogrifiedMarch 22, 2011 9:25 AM

@rjh
I expect the classical newspaper layout predates any studies made in the 1950s or 1960s and was influenced more by the need to economically use expensive commodities such as paper, ink and editors. Writing articles across the entire width of the newspaper would create a lot of wasted space simply because of the paragraph endings, thus requiring significantly more paper to print the same amount of information and significantly more editing to make the text of several articles fit in the available space.

Regardless, the 2 column layout makes for an extremely unpleasant reading experience on both computers and e-book type devices, which are fast becoming the primary means of accessing such things nowadays.

WinterMarch 22, 2011 9:55 AM

A classical case of blaming the victim.

The abstract starts with:
"Home computer systems are insecure because they are administered by untrained users."

Replace "Home computer systems" with "Mobile phones" and the whole paper falls apart.

So why is it that a "Home computer systems" is unsafe because of lack of user training, and "Mobile phones" are not? A modern smart-phone is as powerful as a networked computer of a few years ago.

And if we limited the "Home computer systems" to "Apple Computers", there would be little left of the paper. Same question as above.

Somehow, I think we cannot really blame the hapless user.

How can you understand why MS Windows and the AV-industry fail without a deep understanding of the software market and its history. A sieve will sink, irrespective of how much paper you put on the outside.

Bryan FeirMarch 22, 2011 10:02 AM

I was taught that the multi-column layout really boils down to the idea that if lines are longer than about sixty to seventy characters, they become too wide for the eye to resolve individual letters and still keep the entire line length in the peripheral vision. The result is that the eye is more likely to lose track of which line it is on when reading quickly. Hence the old standard 8.5" paper, 10 cpi font, 1" margins on both sides typewriter manuscript format.

That said, I agree that the standard page layout doesn't work well for computers (where a 'page' is likely taller than the usual landscape-mode screen, requiring scrolling up and down multiple times to read it all) or E-books (which usually have narrower 'pages' to start with). Which is why electronic release documents really should be using something more like Epub which can reformat to fit the device rather than PDF which is hardcoded to an output paper size.

No OneMarch 22, 2011 10:52 AM

@Winter: If you have an iPhone then you're only buying walled-garden apps. In this case the end user isn't really administering his phone. Apple is. The user, in this case, just selects from a pre-approved menu. (If you've rooted your Apple and started adding third party-apps, you're no different from an Android-based phone.)

If you have an Android-based phone then you have the risk of the many, many malware apps that have popped up. Apps that call 900 numbers for you. Apps that waste all your bandwidth. Apps that try to spy on you and phone home with personal information.

If you eliminated non-Apple home computers from the paper then you've eliminated 95% of home computers. That's not a good way to run a survey. If you eliminate non-Apple home computers from reality then the malware authors would start targeting them more.

And you can easily make a sieve float by adding paper if you also add a little bit of waterproof glue... Or just bail decently.

karrdeMarch 22, 2011 11:11 AM

Sounds like a good way to get fleeced for $80-100 (depending on your shop) each time, plus served up a heaping helping of bullsh*t about how you need to purchase Upsell X, Y, Z, and Q in order to keep things safe. Oh, and having all your music/videos/personal photos/etc cloned to a machine in the back and combed through for anything worth keeping.

(Why no, I don't have a poor opinion of big-box retail outlets, why do you ask?)
------------------------------------------------
True.

Some people have a similar opinion of auto repair shops, at least about the upselling part. (Or about the labor rate...)

On the other hand, you can ask the auto-repair shop if their technicians are certified. There is a fairly-mature certification environment for such technicians, especially in the dealer-run repair shops.

My conclusion is that the field of computer software upkeep (and hardware repair) is too new to have such controls in place. Also, computers aren't big investments in the way that cars are, so the pressure towards such an environment will be less.

Is it possible for such an environment to grow? I would hope so, but I'm not too hopeful.

JasonMarch 22, 2011 11:20 AM

This paper will make future discussions with my parents about their lack of computer security much less frustrating.

Joe GoltonMarch 22, 2011 11:32 AM

@karrde: I think computer security is more analogous to door locks and other forms of home security. You can embellish the analogy with bad neighborhoods (Windows) vs. good neighborhoods (Mac).

People think about the innards of their door locks and home alarm systems (and what could defeat them) about as much as the intricacies of their security software and password management system, I would imagine. And that's reasonable - people can't be be expert in everything.

I think the study would have been much more interesting had they also studied the exact same people's attitudes towards door locks and home alarm systems and understanding of their mechanisms. I just had the door locks change on our new home and found out just how little I knew about it and how easy it is to break into most homes, thanks to a geeky locksmith. I took the opportunity to educate myself and now our 3-pin mushroom lock doors will not be our home's easiest point of entry.

Education of consumers is often misguided, as the confused answers of the survey suggest. Just like kids grow up knowing to lock doors and close windows before going out, they also need to grow up with several very simple security procedures for computers that should be good enough. The following ought to be good enough:

1) Use a security suite that runs automatically.

2) Be as "net wise" as you are "street wise" re: socially engineered attacks

3) Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password.

This last point is much simpler than the standard password advice which consists of a long list of password rules that few people can remember and even fewer will implement. But it stops most forms of password theft (Click on my name above and select "How Attackers Steal Passwords" for a detailed explanation).

I've been trying to educate users on passwords on my site (including helping them develop intuition at least to the level they have with home security). #3 above is the central, simple concept that I think anyone could remember once they understand it. Click my name and then the "password management" category to bring up my list of password posts. I'd be grateful for any comments about any of the password-related posts from all the experts that frequent this site, as I'm always trying to improve this educational resource.

caseyMarch 22, 2011 11:44 AM

This paper is about communication, not security. I think it may be a powerful idea. Security vendors/consultants/experts message is weak because they try to preserve accuracy at the expense of understanding. It is not necessary for someone to completely follow technical details to benefit from a discussion about malware- as long as they have a reasonable amount of trust in the speaker. Unfortunately, trust is gone at the first sign of condescention.

Also, most experts don't think about a user that has had a system for a decade without security software or knowledge of the system being infiltrated. At face value, the security expert sounds like a mystic when explaining threats. When a computer is performing poorly, people assume they need a new one, or that Microsoft is at fault. The models described may not be complete, but I do think that the decision making models of the public and the typical office worker should be taken into account for training and policy making.

Petréa MitchellMarch 22, 2011 12:21 PM

That's an excellent paper as far as it goes, and I hope it is followed up with more complete research.

GSEMarch 22, 2011 12:24 PM

I hadn't even realized how simplistic some of the models would be. I probably shouldn't be so surprised, given how much time I've spent teaching elderly people how to use computers, but I guess it's easy to forget that even things that are blindingly obvious to computer people--like the fact that viruses are written by human beings--are actually absent in the general population. Maybe high schools should be teaching this sort of thing nowadays...


Petréa MitchellMarch 22, 2011 12:30 PM

Clive Robinson:

"Long before we had the Newtonian science model we had the Aristotle model and witch craft / religion. [...] Without them a user has no way to tell the difference between 'folk wisdom' of witch craft / religion and 'Scientific Deduction'."

I'm afraid it's worse than that. Even in this modern scientific age, while most people have the general idea that facts associated with science are supposed to be more trustworthy, the scientific validity of an idea has approximately zero relation to how most people decide whether to believe it or not. Even among people who are generally scientifically literate, it matters less that you (or they) think.

Social psychology is a very depressing science...

WinterMarch 22, 2011 12:37 PM

@No One
This is like shooting fish in a barrel.

The paper is about communicating a security model for MS Windows. Most of the problems have no counterpart on other platforms, eg, viruses, worms, IE remote vulnerabilities.

Before you start, yes, there are "examples" known for other platforms. None have been able to wreak havoc in the last decades. And the security model of iOS and Android are such that a user needs to install an application consciously to get infected. That is completely different from getting your computer pwned simply by plugging it into the Internet.

There is no way to communicate a security model for MS Windows without making sure the user knows this security model is a sieve papered over by AV software. And that is the image no one wants to communicate.

Instead of locks it has latches which it "hides".

Andrew YeomansMarch 22, 2011 12:47 PM

It's not just home users - I think those Folk Models are alive and kicking in the IT and Information Security industries as well. (Certainly in the FUD part of the industry.)

And as Clive Robinson implies, this state will continue while we don't have good evidence-based measured practices.

LqqkOutMarch 22, 2011 2:02 PM

Good paper, while I don't 100% agree with the authors' conclusions, it will certainly inform my security awareness efforts in the office.

The main point that I couldn't get behind is that Botnets are designed to take advantage of these models. Something tells me that Botnets do very well because people think in this manner, but that fitting into the models' gaps is purely coincidental.

Also, I wonder how many of the more coherent models formed over time in their owners' minds. For instance - I consider much of the mischievous malware to be part of the background radiation of the internet - echoes of past "wouldn't it be cool" moments that are worth protecting against, but not as actively designed these days.

mooMarch 22, 2011 2:28 PM

@No One:
While I agree with your point about malicious Android apps, lets not kid ourselves--iPhone users are vulnerable to those too. We're just trusting Apple to screen most of them out during the approval process, and/or act promptly to remove ones later discovered to be malicious. I don't have much faith in their ability to do this screening in a reliable and timely fashion. For me, the simplest way to keep my phone is to simply never install any apps on it.

caseyMarch 22, 2011 2:38 PM

@Winter

Do you think the 'MS Windows' security model is to allow installation of applications by any source? The driver behind many of the defects of Microsoft products is business. Business wants the ability to run code from a browser so they can control the user experience for their own benefit. The iOS model is exactly the same, but for only one business (for now). If there is profit in letting another entity run code in your iPad then it will happen. Same for Android. MS engineers did not create security holes on purpose, but the directive to enable running executables from an email was put on their plate and so it was created.

Microsoft's current OS can be configured securely or openly as desired by the user. Just like Linux. A mobile phone will only ever be a pocket cash register for a limited user experience. If you allow iOS to be an unrestricted platform, then holes will appear for that as well.

Security is not the practice of fixing technology- it is always about the trade off of usabilty and safety. The same policy does not fit all users and just because Apple sees all users as the same does not make it so.

Rick WashMarch 22, 2011 2:42 PM

@LqqkOut:

Glad you liked it. I agree with you; I don't think botnet designers intentionally designed their botnets to exploit their gaps. Rather, I suspect (but don't really have any data to know for sure) that botnets evolved -- the successful ones are the ones that ended up exploiting those gaps in understanding, and the ones that didn't exploit the gaps very well weren't successful.

And I agree, that a GREAT question is how these models are formed, and from what information. That is the direction my research is going right now -- looking at model formation and ways we can influence the models.

ericthegrateMarch 22, 2011 2:57 PM

Buying a computer today is like buying a microwave. It is a box that you take home and plug in. Computer security needs to be part of the computer buying process - not as the opportunity to sell anti-virus software - but with the buyer understanding that they need to value and take care of this item. I ask my senior-surfers if they know where their car keys are? And that they should take as much care with computers and their passwords.

Brandioch ConnerMarch 22, 2011 3:30 PM

@casey
"Do you think the 'MS Windows' security model is to allow installation of applications by any source?"

Yep.

"The iOS model is exactly the same, but for only one business (for now)."

I can see how that is valid for some very broad definitions. But I'll let it go for now.

"MS engineers did not create security holes on purpose, but the directive to enable running executables from an email was put on their plate and so it was created."

Yep. Microsoft had always chosen "user friendly" over "security" in all of their decisions. Now they're going with "blame the user". They still haven't gotten to the "security" part.

"Microsoft's current OS can be configured securely or openly as desired by the user."

Grandma can do that? I don't think so. It CAN be done. But it requires a LOT of expertise. So you should replace "the user" in that statement with the word "experts".

The EXTREME difference is that Apple is going into the game KNOWING that their products WILL have access to their users' credit card info.

And knowing that it is easier for their clients to dump an appliance when it sends all their money to Nigeria than it is for them to stop using Windows.

HavaCuppaJoeMarch 22, 2011 4:15 PM

@ Brandioch Conner:

This statement makes no sense:

>>"The EXTREME difference is that Apple is going into the game KNOWING that their products WILL have access to their users' credit card info.
And knowing that it is easier for their clients to dump an appliance when it sends all their money to Nigeria than it is for them to stop using Windows.
. "

Your thought processes are not translating to the wider audience. Please clarify what point you're trying to make.

tommyMarch 22, 2011 6:08 PM

@ All .pdf-width commenters:

The US Internal Revenue Sevice (IRS) does exactly the same with its d/l-able copies of what used to be paper instruction booklets, which are rapidly disappearing. (Grandma can't run a puter? Guess she'll have to hire someone to do her taxes, or even to get and print the forms.)

Back OT with an example: One particular instruction booklet, on one sub-topic, is 120 pages long. That's a lot of scrolling, but the real annoyance is the two-column layout, *when the page length requires scrolling from the bottom of Column 1 to the top of Column 2*. (Not to mention how many times it says, "See instructions for Line 43 on page 27" -- and "page 27" in the booklet may not be pg. 27 in the .pdf. You could be dizzyingly sick from trying to follow that back and forth, easily.)

I'm sure this came from the days when non-tabloid newspapers were almost an arm-span wide, when fully opened. Columns that wide would indeed be distracting. And heavy reading, like textbooks, is a bit less intimidating in two narrower columns *on paper*. But the eye "scrolls" much more easily and accurately than does the display screen, with the eye trying to follow. Plus, so many different resolutions, screen sizes, aspect ratios... I made them send me as much as they could in paper.

Always a sore spot this time of year, as the US Income Tax for individuals is due by mid-April of each year. But yes, add me to those who wish that when you convert your .doc or .odt or (whatever) research paper to .pdf, that you leave it in single-column page layout, 8.5" wide.

(Come to think of it, one rarely sees Word-type text docs with two columns, does one? Gee, I wonder why?)

TommyMarch 22, 2011 6:36 PM

@ Richard Walsh:

Given the above, couldn't make it through your paper (sorry - got a text version available for d/l?), but the eye did catch this:

"However,no one seemed to understand the advice about web scripts; indeed, no one seemed to even understand what a web script was. Advice#8 was largely ignored because it wasn't understood."

And *that* is a *huge* amount of the problem - executable content from the Web in general (js being only the most prominent example). Let's say there are a billion (10^9) SOHO computers in use, which is probably way low. About 83 million d/ls of NoScript to date, and 80-90% of users who d/l it uninstall/disable it, or just check "Scripts globally allowed (dangerous!)" {actual wording}, because "it's too much trouble" ... despite an attempt to make a user-friendly beginner's guide, which has been read just more than 5,000 times:

http://forums.informaction.com/viewtopic.php?f=7&t=268#p960

(Ignore the vague similarity of names between that author and this one.)

So we have maybe 1% or less of all unique users using the only tool that has a chance to stop the junk that your firewall willingly allows (because its the browser process, which *can't* be blocked or tagged as evil) and which easily slips past AV.

Did you not take the trouble of taking some driving instruction from someone before driving a dangerous vehicle? Pilot's license? Your bank account and non-botnet status are sort of important, so aren't they worth a bit of effort? Users *want* the dancing bunnies, and so won't go back to a text-only web even if the site designers would (advertisers *love* the eye-catching/distracting stuff), so make a NoScript-type tool a default part of every *computer OS* (so someone doesn't just get a non-equipped browser), and let the user understand that until they know how to use this, they ain't gonna get to the Web.

Davi OttenheimerMarch 22, 2011 6:42 PM

It seems some of the conclusions might be a result of how the subjects were interviewed and viewed.

"some respondents had a mental model where not harming the computer wouldn't make sense."

Is that really different from asking people about the physical world? Take for example someone sneaking inside their home to stay for a night.

The typical homeowner would think first about *motives* related to their own safety (theft, assault, etc.).

Do we really expect them to as quickly recognize (or care about) motives related to proxy attack -- use of their home to harm others in the neighborhood or beyond?

Bryan FeirMarch 22, 2011 7:06 PM

@tommy:
My point still stands, though. Translating documents to a digital format, especially if you want to consider E-books and mobile readers, PDF is simply a bad idea, even if you do it in one column. So is DOC/ODT/etc., if for different reasons. (Even Microsoft can't reliably open a DOC file and produce precisely the same layout every time, and I have documents that make Word crash within five minutes of opening them. And then recover, save the recovery, and crash again.)

For dealing with the E-book and mobile fields where the creator has no real control over the presentation, you need to go for something like Epub, which sets out the structure and lets the device handle the presentation. Instead of referring to page numbers, you have internal links.

This ties back to comments from other people more on topic: a lot of the problem comes from businesses wanting precise control over their presentation under situations where a looser control would actually be more beneficial to all concerned. And more useful for working with devices like Braille readers or text-to-speech translators. And more forward-looking, because you can't always know what type of device is going to be looking at your document next...

NZMarch 22, 2011 8:17 PM

@Brandioch Conner. iOS had (at least) two vulnerabilities that allowed execution of kernel-level code.

Rick WashMarch 22, 2011 10:44 PM

@davi_ottenheimer

One of my colleagues suggested as a title "What's that Meth Lab Doing In My Basement?" -- which is exactly the analogy with the physical world that you suggest.

And yes, absolutely, a careless interview can lead to erroneous conclusions. I went to a lot of effort to ensure that my interviews didn't bias the results in the way that you describe -- both in conducting the interview, and then after the fact in the analysis. That's one of the big reasons the analysis took me over a year. I hope and believe that that conclusion is not a result of my interview technique.

FrancesMarch 22, 2011 11:31 PM

Accomplished readers do not read word for word, they take in whole lines at once, sometimes whole paragraphs. Too long a line makes the eye lose its place. Thus, to make this work, one needs lines which are just the right length. Standard book widths do the job very nicely and newspaper columns make whole paragraphs easy to take in, especially if the writer has been properly educated about newspaper writing.

A .pdf file like this one are designed to be printed not read online. The double columns would be fine in print, since they are not too wide and the page length would be more or less irrelevant . Online, the columns are fine but the page is too long, requiring one to scroll up and down. Websites often make the mistake of using too wide a column or page, making for difficult and exasperating reading.

So those of you who write for the public, please take note.

WinterMarch 23, 2011 2:27 AM

@casey
"Do you think the 'MS Windows' security model is to allow installation of applications by any source?"

What else is a computer virus? And for what other platform does a virus even exists?

And why can untrained Apple/Linux users be almost completely safe without any extra information? Including 50 million iPhone and Android users.

More

Study: Unpatched PCs compromised in 20 minutes (2004)
http://news.cnet.com/Study:-Unpatched-PCs-compromised-in-20-minutes/2100-7349_3-5313402.html

Unpatched Windows PCs compromised in under 5 minutes (2008)
http://www.ditii.com/2008/07/15/unpatched-windows-pcs-compromised-in-under-5-minutes/

And this is the Windows 7 security primer (part 1)
http://www.windowsecurity.com/articles/Windows-7-Security-Primer-Part1.html

tommyMarch 23, 2011 3:13 AM

@ Bryan Feir:

I don't think we're very far apart. But consider a business document, say, a contract that you need to e-mail to someone. You *want* that control over it, and .pdf provides that. But contracts have all kinds of formatting and indenting and sub-paragraphs, etc., so typewriter-page standard layout is a must. Yet as others have pointed out, Word and other text editors are unreliable. I haven't had much problem with re-opening my own, but e-mail seems to corrupt them -- usually minor, but any change is unacceptable in this kind of situation. So, .pdf is the standard here.

Someone, some day, will probably print this contract out. If I wrote it, I probably printed it out to proofread it before sending, because you catch errors on paper that you don't catch on an LCD display. (Go figure, but you do, no matter how many times you proofread the darn thing on disk.) And they just are not difficult to read.

It's a matter of appropriate font style and size (for easy readability, not because the writer is bored or being jazzy), and of not-excessive length. The IRS booklet in question, at 120 written pages, is just too darn long to read electronically under *any* format, because you have to zip around constantly from Subsection 1(b)(iii) to ... you get the point. And I'm not about to print out the stupid thing. They're my tax dollars, and the IRS can buy paper and ink in bulk much more cheaply than I can.

For an e-book, no argument here with your second paragraph. For a research paper that will be published on the Web as well as distributed on paper, (thinks a minute) ...

Why is this blog easy to read? The column width is reasonable, similar to typewriter with good margins; there is only one column, so no left-right zig-zag ... and there are *no page breaks*. TA-DA! My favorite informal *composer*, Wordpad, which has no page breaks. You can insert spreadsheets, tables, pictures, sound and video clips, whatever. But it's a nice single-column layout. And each reader can d/l for themselves and format to their heart's content, or copy/paste into their favorite program or device, as you said, while the author uses the usual office text editors to print copies for physical distribution.

The writer needs to refer to something thirty "pages" lower? Have a table of contents, number your paragraphs or topics and subtopics or whatever, and "find" works a lot more quickly than in .pdfs. For true Web publicaiton, make it an HTML document, with links to the chapters/topics/tables from the table of contents or within.

Bottom line is: No one tool is right for every purpose. The author must consider the intended or probable audience and devices to be used to read it . Thanks for bringing that up.

Jonadab the Unsightly OneMarch 23, 2011 3:39 AM

> Some people have a similar
> opinion of auto repair shops

Indeed. I don't know *anyone* who takes their car into the shop for preventative maintenance. Most people I know dread taking it in for repairs even when the car has obvious problems. You never know what other problems they're going to "find" that did not (as far as you were aware) actually exist. Once they have your car they can hold it hostage and charge you anything (up to the value of the car) and you have to pay whatever they say, no matter how flimsy their explanation of why the repair was necessary, in order to get your car back. If you're very lucky, they *might* also fix the actual problem, but it's not the way to bet.

I find it difficult to imagine a computer repair shop practice that would make people distrust the shop more than they distrust car repair shops. A computer simply isn't worth enough money to get people as worried about what's happening to it as they are with their cars. You can buy a new computer for less than the average car repair.

AC2March 23, 2011 3:52 AM

While this is interesting, I'm not able to accept conclusions from a survey sample of 33 respondents from 3 mid-western US cities... And these respondents were screened by the author...

To be fair the author does mention this in the Limitations and Moving Forward section and then:

"My primary contribution with this study is an understanding of why users strictly follow some security advice from computer security experts and ignore other advice."

DayOwlMarch 23, 2011 6:39 AM

@arfnarf et al:

A 45 character column is considered an optimal line length for readability, comfort, and holding reader attention, hence the two column layout. That is why newspapers set their type this way as well. It doesn't work well on a computer screen because the entire page doesn't fit on the screen.

A lot of people just turn a print file into a pdf and consider it good enough, even if a lot of the components are not optimized for electronic files. It's a combination of ignorance and laziness.

@Chris: I not about to let ANY of those big box idiots anywhere near my computer.

caseyMarch 23, 2011 9:28 AM

@Winter

I do not think we are using the words "security model" and "virus" the same way. I will say that I have seen first hand an exploit on Linux and a variety of Apple products. Untrained users do not have to be unsupported users. If you start an organization with only apple/linux/BSD or whatever and do not incorporate a knowledgable Admin, you are neglecting your security. Most threats are internal, and system independent. The days where MS is the number one security breach has probably passed. Last time I looked it was Adobe. Your company will be defeated by a Facebook or Twitter hack, not by direct assault on Windows 7 ports or Office holes.

I can understand having no faith in Microsoft based on questionable decisions in the past, but that is a symptom of the real problem- MBAs demanding software do something not originally intended by engineers. In the push to be competitive, Apple will make a deal at some point to allow some Advertisments that expose user data. The industry for mobile security is growing not missing.

Fred PMarch 23, 2011 10:16 AM

@casey-

"Microsoft's current OS can be configured securely or openly as desired by the user."

When Windows 7 (or higher) can be configured to do something like SELinux, or has the security record of openbsd, let me know.

As for the problem, I think it's more Microsoft (and many other entities, including Adobe) choosing to make security not a priority than business requirements.

Petréa MitchellMarch 23, 2011 11:05 AM

Dr Wash:

Your colleague has had a flash of genius with that analogy, and I'd love to see what effect using that in security explanations has on user actions.

ChrisMarch 23, 2011 12:50 PM

@Rick Wash: "One of my colleagues suggested as a title "What's that Meth Lab Doing In My Basement?" -- which is exactly the analogy with the physical world that you suggest."

Sheer brilliance. As the kids say, +1 Internets awarded to him.

Do you think he would mind terribly if I tried to introduce that into company literature regarding why protecting your home PC is important?

JonMarch 23, 2011 7:27 PM

@ Jonadab - I take my car in for preventative maintenance. I do NOT take in my computers to *anyone*.

Moreover, I trust my mechanic. I've worked with him for years, and he doesn't seem to go to huge lengths to sell me stuff. Granted, it's basically a one-family shop, and comes with limitations like that (no courtesy car, no elaborate waiting room, you name it) but I trust him to find what's wrong and fix it before a really expensive catastrophe occurs.

It probably helps that I used to do all my car maintenance. I know what the important bits look like, and most of what they do, and why I'd need a new one.

Today, I don't, because there's specialized tools that I don't have, nor do I have the time and the inclination for my daily driving cars (my old Mustang, however... ;-).

Computers? Not a chance. I do build my own (except laptops) and will cheerfully take them apart to fix what's wrong (even laptops). So I do my own maintenance, I know what they need and when they need it, and I know how to give it to them.

There's only so much damage a mechanic can do to my car. Joyriding? Taking it for a drive-by shooting? All of these come with complete plausible deniability on my part and damages in the mechanic's hands are open/shut court cases for being made whole.

For my computer? Ummm... Not so much. Even proving they did damage it (installed keyloggers? Stole data?) is nearly impossible even if detected, courts don't have anywhere near the case history on these things, and they can do a lot more damage (rifle the bank account? Impersonate me as a terrorist?) than just running it into a lamppost.

And preventative maintenance on cars can save your life, when, say, the tie rod goes flying off at 70mph throwing my old crate into oncoming traffic. It can save huge amounts of money even if it does cost a fortune - If you just wait until the timing chain breaks, you're looking at a new engine. If you replace it on schedule? Still expensive, but a lot cheaper.

On my computer? Not so much. I install various protective devices, behave myself (mostly :) online, and backup regularly. If it breaks, I buy a new harddrive, restore, and I'm back in business for no more than it would have cost to buy the new drive beforehand.

So don't confuse cars and computers. They're wildly different beasts.

J.

Dirk PraetMarch 23, 2011 7:44 PM

Security starts with awareness, education and training. The industry can spit out as much advice and as many products as it wants too, they are basically wasted on anyone that doesn't know or simply ignores the fact that an internet connection is a two-way street. Its your view on the world, but just as much someone else's view on your world unless a minimum of caution and action is observed.

The average user blindly trusts hardware, OS and application vendors to provide them with reliable goods that will shield them from any wrongdoing by 3rd parties. The simple fact of the matter is that he doesn't want to be be bothered with security issues until such a time that his machine no longer boots, becomes incredibly slow, has his pr0n collection deleted or his bank account emptied. And then it's someone else's fault.

It's a bit too simple to blame everything on the unskilled and untrained user, but IMHO it's equally wrong to relieve him of any and all personal responsability and accountability.
Most of my friends and relatives know they are entitled to 1 free visit if they run into trouble with their machines. Subsequent visits are subject to implementation of a number of precautionary measures, actions and behaviour I educate them on during the first one. Failure to observe these results in a stiff fee either to myself or a repair shop, regardless of my personal relation with them. After a while, most catch on.

As long as people don't realise that they too are at least partially responsible for their own security and can't blame everything on corporations that are only in it for the money anyway, botnets and malware will continue to thrive.

echowitMarch 23, 2011 8:22 PM

What's more annoying than a two-column e-page? Oh I dono, maybe an age-old rehash of age-old e-page format comments interspersed in the comment section of a security blog???

echonitwitMarch 23, 2011 11:44 PM

@echowit - Maybe it's the first time some people have seen this discussion, age-old or not. Glad you interspersed your comment in the blog, thus increasing the "noise" about which you complain. The original pdf was apparently annoying enough that multiple readers commented on it, which is unusual.

Security includes human factors. (Disagree? They're the biggest weakness in almost everything.) A paper on security that is less likely to be read because of its format is less likely to improve security, or be thoroughly reviewed, than if it were human-factors formatted so as to be more likely to be read widely.

AC2March 24, 2011 12:10 AM

@Dirk

"Subsequent visits are subject to implementation of a number of precautionary measures, actions and behaviour I educate them on during the first one. Failure to observe these results in a stiff fee either to myself or a repair shop, regardless of my personal relation with them"

Ooooh! Do you spank them as well?

Ronnei SahlbergMarch 24, 2011 6:48 AM

I only got to the first sentence before giving up.
While it is technically true it is pointless to blame the end-user and complain about "untrained users".

That is like saying :
If all content were distributed as C source code, we could all review the code before compiling and running it. If you failed to spot the buffer overflow, its your own fault since you are "untrained in C programming".

For all intents and purposes, for the vast majority of end users today a computer is just an appliance for viewing pictures and movies off the intertubes.

Users should not expect to have to be "trained" to do so safely any more than users need to be trained to use their television set.
A computer is pretty much just a different kind of television set.


Dirk PraetMarch 24, 2011 7:23 AM

@ Ronnei Sahlberg

"A computer is pretty much just a different kind of television set"

True. But operating your computer without at least some basic security training today is the virtual equivalent of having unsafe sex.

ChrisMarch 24, 2011 7:33 AM

@Dirk: "... operating your computer without at least some basic security training today is the virtual equivalent of having unsafe sex."

[obvious sarcasm] Because we all know that since the inception of condoms, unsafe sex has been totally eradicated worldwide. [/obvious sarcasm]

Been to a college campus lately? Great places to pick up a virus by "plugging in" - whether it be at OSI layer 2 or 1.

Peter E RetepMarch 24, 2011 8:52 PM

@ Eats Wombats:
I read a samizdat story shortly after the Chernobyl event,
pointing out that it had been built without hard containment,
using carbon block absorbers, by zek laborors,
some of whom were purged physicists.

In the story, a Checkist uses a rifle butt, and knocks out
the platinum filling of a physicist condemned to the Gulag,
who in turn ces it inbetween the carbon blocks
he is being forced to build into a nuclear pile.
The rest is predictable.

There is both physical design and social design.
Chernobyl plants produce the liquor of forgetfulness,
which affects social design.

BrianKMarch 26, 2011 3:14 PM

W/respect to the PDF layout, I have Acrobat X Pro. I was able to "Save As" plain text. It's easier to read.

The PDF Document Properties security is "Allowed".

Perhaps some of the honorable participants may be interested in -
http://www.plainlanguage.gov/
Not necessarily on-topic, but layout preferences do matter to the reader. Some may listen.

Personally, I prefer web pages with a "floating" or "jello" layout which allows the content to wrap as I resize the view window. For many content types, it enhances utility. Like schneier.com.

Maybe it's Movable Type.

Peter E RetepMarch 30, 2011 8:23 PM

re: @ Eats Wombats: corrected:
I read a samizdat story shortly after the Chernobyl event,
pointing out that it had been built without hard containment,
using carbon block absorbers, by zek laborors,
some of whom were purged physicists.

In the story, a Checkist uses a rifle butt, and knocks out
the platinum filling of a physicist condemned to the Gulag,
who in turn places it inbetween the carbon blocks
he is being forced to build into a nuclear pile.
The rest is predictable.

There is both physical design and social design.
Chernobyl plants produce the liquor of forgetfulness,
which affects social design.


The Japanese thought that by Western methods
they had tamed the monster radioactivity,
yet the tsunami devastation both resembles Godzilla's and
revealed the disaster when safe construction is yakuza-gangster mediated.

asdMay 15, 2011 9:08 PM

There was a interesting paper floating around, about using the mouses x/y coordinates to allow the CPU to compare it to a hash of executable code.
Sorry can't find the link

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..