Security Analysis of Children

This is a really good paper describing the unique threat model of children in the home, and the sorts of security philosophies that are effective in dealing with them. Stuart Schechter, "The User IS the Enemy, and (S)he Keeps Reaching for that Bright Shiny Power Button!" Definitely worth reading.

Abstract: Children represent a unique challenge to the security and privacy considerations of the home and technology deployed within it. While these challenges posed by children have long been researched, there is a gaping chasm between the traditional approaches technologists apply to problems of security and privacy and the approaches used by those who deal with this adversary on a regular basis. Indeed, addressing adversarial threats from children via traditional approaches to computer and information security would be a recipe for disaster: it is rarely appropriate to remove a child’s access to the home or its essential systems; children require flexibility; children are often threats to themselves; and children may use the home as a theater of conflict with each other. Further, the goals of security and privacy must be adjusted to account for the needs of childhood development. A home with perfect security -- one that prevented all inappropriate behavior or at least ensured that it was recorded so that the adversary could be held accountable -- could severely stunt children’s moral and personal growth. We discuss the challenges posed by children and childhood on technologies for the home, the philosophical gap between parenting and security technologists, and design approaches that technology designers could borrow when building systems to be deployed within homes containing this special class of user/adversary.

Posted on July 2, 2013 at 12:08 PM • 21 Comments

Comments

Snarki, child of LokiJuly 2, 2013 12:38 PM

I childproofed the house THREE TIMES, but they keep getting in!

LurkerJuly 2, 2013 12:45 PM

A delightfully humorous paper. A lighthearted reminder to consider the agents involved carefully. I'm sure i missed some of the wordplay and such.

Camilla FoxJuly 2, 2013 2:08 PM

I was peeved when I couldn't keep (more precisely, get pushed upstream without excessive effort) a screensaver mod to unlock to a hashed password on disk rather than PAM. I really did want a separate, weak, password for my screensaver... because nursing a child means typing one-handed, and all I wanted in a screensaver was to keep him from clicking on all the X's to tidy up my desktop.

Then the Gnome Screensaver people added the screensaver feature of leaving a message for the logged in party... and I came back to find my screen flooded with popups full of gibberish.

FigureitoutJuly 2, 2013 2:50 PM

Getting spanked and reprimanded can convey the message better and cheaper; assuming the parent's morals/judgements are "normal", but there's a pretty gray area. I got spanked a lot lol; but also learned lessons the hard way too. For instance, don't use a boiling pot as a curved mirror to make funny faces, you'll burn your nose. Don't play the "made-you-blink" game b/c you may punch someone in the face. Don't run inbetween a dog and a brick wall b/c you may get knocked into it headfirst. My bro one time was sagging his pants, acting like a "gangsta", dad asked if he wanted a "low-five yo dude", bro said yes, and got a big spank and sent to bed lol. One time I got spanked for falling down the stairs (dad thought I was messing around), so I can definitely empathize w/ injustices.

Just get the kid a bunch of legos and don't let them get caught up in a stupid scam like beanie babies. And don't get them anything motorized like a goped/moped; thus they have to ride their bike or walk if they want to go somewhere (the horror!).

Mitch ThompsonJuly 2, 2013 3:04 PM

"Sorry, the selected publication is not available."

Bummer.

paulJuly 2, 2013 3:10 PM

It gets even worse when the kids get older and start trying to figure out passwords. (And so many devices really don't have any serious provision for limited-privilege accounts.)

BO773HJuly 2, 2013 3:59 PM

Toss your prism powered passport and use bassboat to fish. The first thing the kid did was hide it. Instinct. Security by obscurity. They won't find it, it's mine and I'm keeping it. War's hell and hell's no luxury.

Coyne TibbetsJuly 2, 2013 7:39 PM

Perhaps most interesting is a comparison between the recommendations and the government approach; the latter as implemented through such policies as Zero Tolerance.

The government prefers to require children to be fully formed adults, accountable to adult levels of responsibility; therefore denying the opportunity to grow.

brianJuly 2, 2013 7:55 PM

I am a high school student and I'm Canadian. Canadian mothers are not allowed to punish kids or kids will escape that shtty house. Off the above is true

brianJuly 2, 2013 7:59 PM

I am a high school student and I'm Canadian. Canadian mothers are not allowed to punish kids or kids will escape that shtty house. I'm in Canada which means I don't need to care about censorship like Americans do.


ParentiantJuly 2, 2013 9:41 PM


Time is not on your side.

Parentiant has DETECTED, RESPONDED TO, AND CONTAINED several advanced persistent threat (APT) attackers against critical infra-REM intermittent hibernation.

While details are difficult to confirm, plenty of infrastructure owners are worried that for years they may be harboring budding APT attackers and contributing as host to the “chronic” problem theft of valuable "shuteye" for no apparent economic gain. Such persistent attacks are more of an “acute” problem in the early phases of APT development. Should such an attack against infra-REM nocturnal structure succeed, the consequences could be immediate, costly, and observably harmful.

Thankfully, the same factors that can help mitigate the consequences of a chronic REM-theft attack is also at work in acute catnap attacks. Such factors are time and sound. In chronic catnap attacks by post-toddling APT attackers, intruders are likely to take minutes to complete the sleep kill chain. They need time to perform Houdiniesque feats of crib de-escalation, hallway reconnaissance, gain access to secured 6-wall REM control center, escalate the repose platform, deliver a payload, proliferate pre-dawn REM-theft throughout the target network,and exfiltrate the REM-pattern.

Parentiant routinely sees diminutive pre-dawn intruders take minutes to complete these tasks, although highly skilled and rehearsed APT intruders can shorten that timeframe considerably. Still, time is often on the defender’s side, if he or she is only willing to invest in the visibility to detect, respond to, and contain dimunitive APT intruders in a timely and accurate fashion.

A vigilant defender can use this delay to detect, respond to, and contain an intruder seeking to harm critical infra-REM structure. The bottom line for such APT intrusions is the requirement to have situational awareness.

Parentiant recommends and provides services and products leveraging cloud dreamscape services, slumber inspection, breath logs, and endpoint rest agents to improve enterprise visibility. By acting faster than an APT infra-REM theft intruder, even those who defeat enterprise security controls can be found and constrained prior to achieving their malicious mission. That is the new reality and the true definition of a defensive “win” in the modern parental age.

Parentiant. DETECT, RESPOND, CONTAIN.

SethJuly 3, 2013 3:52 AM

@noseyparkerunit Congratulations! You succeeded in masquerading as link spam.

Or maybe the masquerade was so successful that I was fooled into thinking it wasn't.

Hmmm.

UriJuly 3, 2013 7:37 AM

Funny, I published on the 1st of July a post called "Pray We See" (About cows, dogs, naked women and privacy
, the link included) and here is the segment I wrote about children:

"In sharp contrast to what our judicial system tells us, what economists hypothesize as a core assumption (Mr (Adam) Smith I’m talking to you) and what our wives think man should act like, all “adults” should be viewed as children that learned to play a game we call “socially accepted behaviour”. In the centre of the brain of each and every one of us lies a neuron universe that is driven very much by the same things toddlers find fascinating."

Kids need to play, to experiment. Parents cannot expect technology to be part of their lives without an understanding that a kid will break it limit. So yes, you will protect your child from pornography because of the impact it will have on him as an adult, and you would protect your child from violent movies to protect him from the damage it might cause him. BUT the main point is ALWAYS the relationship between the parent and the child. a healthy relationship will be able to provide children the ability to overcome these dangers, however for that we need to have aware parents, and the sad truth is that most of the "adults" replace an ego-driven, culturally manipulated awareness with true awareness.

FigureitoutJuly 3, 2013 11:01 PM

Parentiant
--Your post was hilarious. I swear, if parents start treating their kids as APT security threats...a military dictatorship w/ nuclear apocalypse is the only future there will be.

Fucking psychotic parents, just relax and let your children grow while you pick the weeds and provide "fertilizer". My parents didn't fail me, I've failed them. It's the cycle of life, a sine wave, and now we're in the negative cycle.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..