Security Common Sense

Tue, 18 Dec 2007 15:53:23 GMT

During the last couple of years we have seen major developments in terms of securing the server as well as the desktop, though it has been mostly the desktop that has caught our interest due to its "vulnerable by default" nature. The desktop has become the primary target for attackers and it seems that this trend will continue to grow during the upcoming 2008. Some may argue that we have done well, as a community, and that the desktop and the server are a lot more secure than before, but only a few will admit that what we have achieved is not exactly what we wanted. 2007 was the year in which we destroyed the "Security Common Sense".

What is the "Security Common Sense"? The common sense in security is the thing that moves the wheels. Even when the Net is more hostile than ever, the common sense is what keeps you protected. But how can one preserve the common sense when all the defensive technologies we've built work against it? Let's have a look at the Microsoft Vista and MacOS X Leopard operating systems for a moment, although I must admit that my experience with Leopard is quite limited.

Secure by default, both Vistas and Macs are a step back, IMHO. "How come?", you may ask. Aren't they more secure? Although technically speaking they are more secure, this security superiority is not real. It is fake. The entire security model is based around the idea that the user knows what he is doing. It is easy to put the responsibility for the entire security model on the users, but we all know that users don't know what they are doing. Why should the user be responsible for staying secure? Without a doubt, their lack of common sense, when it comes to security decisions, will backfire.

We basically train a bunch of monkeys to click the "yes" button for every security warning.

It is really a very common experiment often performed on lab rats. These types of experiments are even performed on the client-side security models as well. Almost every single technology out there relies on the fact that the user will make the right decision when the time comes: "should I download or not, should I open that or not, should I install this update or not, should I click on run or not, should I approve the warning or not?" This is what destroys the common sense from inside. We want every user to be a security expert. How is that feasible?

These are not secure technologies. We need something that requires fewer decisions. In fact, fewer decisions = more secure. A secure technology is something that keeps the balance between security and accessibility. People will get hacked, no matter how hard you try to prevent it from happening. People will die on the road no matter how good the road system is. But keeping the balance is what makes everything work. Unfortunately for us, we've taken the wrong way and it might be too late before we realize what we have done wrong. Is your "Security Common Sense" still intact?

Please take my rant lightly. It is really something that I believe we just need to pay more attention to.

Thomas Roessler
Well, seems like this is "there's relevant W3C work" comment day for me... There's a Working Group going on, called the Web Security Context WG, that tries to attack precisely this point - security usability, for the kinds of security interactions that commonly go on on the Web. We indeed train a bunch of monkeys to click the "yes" button these days -- in particular since we ask the user precisely in those situations in which a decision may be really hard to make. Unfortunately, these are the situations in which things are usually even worse for users than they are for browser developers, and in which users will be unable to either understand the consequences of what they do, or to understand how they should even make a decision. What remains, then, is the feedback whether or not "it works". Of course, "it works" when people click "ok", and "it does not work" when people click "cancel". Guess what they do. Working Group home page: http://www.w3.org/2006/WSC/ Current Working Draft: http://www.w3.org/TR/wsc-xit/ Enjoy!
Shoaib Yousuf
I agree with your thoughts, pdp. The best example is when we go to ebay.com, paypal.com or any of our financial institution websites to log in... All saying the same stuff: Our organization will never send any email asking about your credentials... Still ppl are replying to phishing emails and still becoming victims. I liked your idea of Security Common Sense. Doesn't matter whatever we do, if we will not use our common sense we will continue to support bad guys indirectly. Cheers Shoaib
CG
Valid points, but the fix, just like in life, isn't by taking responsibility for their actions AWAY from the monkeys, it's making the monkeys responsible for their actions. I don't have a technical way to accomplish this, but we don't have a way to accomplish this in life either, but we certainly need both!