Security for the Rest of Us

Good fictional account of an average computer user and how people understand and view security.

Related: "Real World Use Cases for High-Risk Users."

Posted on August 6, 2015 at 2:26 PM • 21 Comments

Comments

GREASYTILE • August 6, 2015 2:58 PM

Nice. I've got an alternative story:

Meet Ben. He was a geeky kid who liked maths and science at school. He was bullied by his classmates. As he grew up, he figured out that he was good with computers. Friends and family would often ask him to fix their boxes. They would say to him "don't explain to me how it works, I'm not interested -- just fix it!" Ben would spend his afternoons reverse engineering software and finding vulnerabilities in websites for fun. He once found a major security hole in the website of a big retailer. He e-mailed them but never heard back; a few days later the police knocked on his door. Today Ben makes a living designing ransomware.

bickerdyke • August 6, 2015 3:12 PM

Good question in the article: "Was it Jessica's 'sin' not to know that she needs to uncheck toolbar install prompts during Java updates?"

What about the sin of bundling essential software with junk in the first place? Other updates. With automatic installs changing the look and feel of probably well known software, is it a surprise that people try to avoid automatic updates?

John Schilling • August 6, 2015 4:51 PM

"And who built this world of freedom, a world that has so well served 17-year-old Jessica? You did. We did."

If that sentence is targeted like I think it is, "we" didn't build this world for Jessica. We built it for ourselves, and for fellow geeks like Josh, and to a large extent we did it on our own time and our own dime. And we tried to make sure we knew how to use it safely and effectively.

Then a bunch of people who are Not Us noticed that what we had built we were offering free of charge, so they put a shiny wrapper on it and charged for the wrapper, telling Jessica that this was the new, cool, and safe way for her to get naked with Alex. That was a lie.

It might be nice if there was an internet that was safe for non-geeks to use. Maybe someone will build one someday. For now, "we" are having a hard enough time trying to make one safe enough for experts to use.

Farmville • August 6, 2015 5:04 PM

Consumer software is a snakepit, right. But this is not unique to IT. Health insurance is a snakepit. Financial services, a snakepit. Education - public, for-profit, and increasingly private - a snakepit. This is one more manifestation of a predatory culture.

z • August 6, 2015 5:24 PM

As most people see it, the cost of security is an overwhelming process of learning confusing terminology, using cumbersome passwords, and a whole host of other things. The cost of a virus is reinstalling Windows.

When it seems (or is) easier to deal with getting owned than to avoid it, we shouldn't be surprised when that's what people choose.

tyco bass • August 6, 2015 7:26 PM

Undoubtedly a far greater percentage of men/boys are tech-savvy than women/girls. Nonetheless this "story" has a vaguely condescending and sexist tone.

Clive Robinson • August 6, 2015 10:28 PM

I've stopped supporting friends and relatives who fall into that "not computer illiterate or security wise" band. Because they endlessly prove the old saw about "A little learning is a dangerous thing"...

The problem this story highlights is the difference between normal real life hurt and cyber unreal life hurt. In normal real life when you do something to hurt yourself the pain shows up at the same time, so you learn fairly quickly not to do that again, usually long before you are big enough to really hurt yourself. Further in normal real life you don't get to meet many out and out nasty people.

Contrast that with unreal cyber life, when you do something to hurt yourself, the pain can take days, months or years to turn up, thus you can do a lot more harm to yourself in the "mean" time. Further to operate a computer you are usually big enough that the pain is going to be bad but there is a cognitive disconnect in others... When a baby/toddler trips over their feet people help you up, when you are over six they ignore you, laugh or tease you, or tell you not to be so stupid. All computer users are seen as being adults or at least over six... thus you don't have a chance to take baby steps... But you connect your computer up to the Internet, it has all the appearance of a funfair on the surface but a kill or be killed world under the surface, you often don't get the chance to be anything other than "roadkill on the superhighway". And whilst the number of nasty people as a percentage is only slightly higher on the Internet than it is in real life, the internet makes them all appear to be hiding behind your garden fence just waiting for you to open the garden gate.

So in most cases it's just luck as to which nasty educates you, and thus how much pain you feel. The advice at the end of the 1980s cult film War Games still stands, in that in a no win situation it's best not to play... but sometimes life does not give you that opt out option.

Coyne Tibbets • August 7, 2015 12:16 AM

I think I'm reading a lot of people shrugging off responsibility for what's been done.

Let's consider a recent article here, the one about Brinks Smart Safe. Kind of looks like the only way that safe is safe is if you buy a mechanical safe and put the Brinks Smart Safe inside it.

This is actually typical of the entire computer industry, a pattern repeated over and over. Security? Security is hard. Security is expensive. Cheaper and easier to pretend we did security and then blame the customer for incompetence if a vulnerability is exploited.

"Be more concerned with your character than your reputation, because your character is what you really are, while your reputation is merely what others think you are." - John Wooden

The computer industry likes a reputation for security, but that is not its character.

George • August 7, 2015 8:56 AM

It's the school's fault. Getting an understanding of all the ignorance should have been required already. It's also her mom's ex-boyfriend's fault, for not explaining how the computer works. It's also Oracle's fault for making Java so crapped up.

Slime Mold with Mustard • August 7, 2015 10:49 AM

We do, all of us, understand that the spear phisher was Josh?

Clive Robinson • August 7, 2015 11:18 AM

@ Slime Mold with Mustard,

"We do, all of us, understand that the spear phisher was Josh?"

The fake email strongly suggests it was a person that knew quite a bit about her domestic situation...

So yeah, Josh, one of her mum's ex-boyfriends or school employees etc would be high on the list of suspects.

After all, whilst "Josh" could be even more creepy than the founder of FaceCrook --the stories about him tell you that it's not just the money when it comes to invading other people's privacy-- there is no direct evidence it was him, and he would in all probability not know much about her domestic situation, whereas the school admin, advisors and counsellors would have known as she was trying to get a scholarship.

And recent history tells us it might also be somebody in authority at her school, who insists on certain "exam software" that backdoors students' computers including the keyboard, mouse, camera, mic and network connection to supposedly stop cheating... or VPN software or if you remember the case of the --supposed-- "security software" that took regular photos to stop laptops being stolen and sent them to the school IT person to view...

So there is a queue of potential suspects just standing in line, to get her very much illegal selfies, or take a few "getting ready for bed shots"...

Geordie Stewart • August 7, 2015 2:03 PM

The wider picture here is the pollution in the realm of security awareness which places users at risk. For example, users are often instructed to switch off anti-virus while installing software while hyperbolic warnings for the inane mean that users find it difficult to discern what is actually important. “Failure to properly set up, use, and care for this product can increase the risk of serious injury or death”. What was it? A chain saw? An 88mm anti-aircraft gun? No, a Microsoft Wireless Mouse.

http://www.risk-intelligence.co.uk/blog/issa-security-awareness-column-march-2013-lowering-security-awareness

Sam Skuce • August 8, 2015 11:32 AM

Granted there's no silver bullet, but if we made computers so that the user doesn't run as Administrator by default, and had to enter the Administrator password to modify drivers, install software, etc., it seems like we could prevent a lot of this kind of hijacking virus.

I know, UAC on Windows is very much like what I'm talking about, and it was completely trashed by everybody everywhere, but maybe something like that is actually necessary if we want to make computing safe for people like the hypothetical subject here.

Eggo • August 10, 2015 12:54 AM

Not going to lie, every single one of those was cringy.
Yeah, the shelter staff are _totally_ going to wipe her laptop and help her install tor. That's definitely a thing that happens on a regular basis among tho--... us normal people.

Eggo • August 10, 2015 1:07 AM

Also, for all the flaws of computer security professionals, replacing them with people who talk about "performance of post-hetero Socio-Sexual Identities and Intersectional chaos magic" might not be the best idea.

Anarchists are crazy, news at 11.

HJohn • August 10, 2015 3:10 PM

One of the biggest dilemmas is not deciding what to tell people, it is deciding what not to tell people. Too many messages, and people will just click past without ever reading them. Too few, and they say "you didn't warn me or I would have known better!" (even though they would have just clicked past the warning anyway).

It's understandable why computers often run with too much authority by default. It's less of a headache for the manufacturer. That's no small concern. Imagine all the complaints and calls and bad reviews if the user couldn't even get it working well enough to google some advice.

These decisions aren't simple. I remember a wise man once said that security is an economics problem, which is true. This is one of the many trade-off decisions that must be made (or not made).

Best,
HJohn


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.