Users Rejecting Security Advice Considered Rational 389
WeeBit writes "Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working. [Microsoft Research's Cormac] Herley offers a different viewpoint. He contends that user rejection of security advice is based entirely on the economics of the process." Here is Dr. Herley's paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).
Wasted time (Score:5, Insightful)
What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.; if not bothering or paying somebody else to do it. I'd been toying around with Linux and Unix for years for business and personal use, but I finally switched for good when I realized that I was wasting more time with Windows than I would with a *NIX O.S.
Windows can be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ignorant user to use their computer.
Would Linux be more safe if it had greater than or equal to the market share of Windows? Is any home O.S. really safe as long as the user keeps clicking "yes" or "ok"? That's a whole other debate. The fact is that Linux, now, is much less of a hassle than Windows.
Re: (Score:3, Funny)
Sorry, what's that? Can you speak a little louder? I can't hear you over the sound of all the wasted cycles my Phenom II X4 965 Black Edition is generating. It's a lot.
Re: (Score:2)
Yeah, but...can it run Norton 360 4.0 without dropping any frames?
No
Windows Joke (Score:3, Funny)
Why do Employees like Microsoft Windows?
Employees like Microsoft Windows because they can have an excuse to be by the water cooler while the Technician re-installs their OS for them.
Why do Managers like Windows?
Windows allowed them to have the latest and greatest in computer hardware, largest hard drive, most memory, fastest CPU, and other new hardware. With all this no Employee could remote login to their system and slow down the Screen Saver. Because the Manager wanted to find out if the Cast-away esca
Re:Windows Joke (Score:5, Funny)
Why do Employees like Microsoft Windows? Employees like Microsoft Windows because they can have an excuse to be by the water cooler while the Technician re-installs their OS for them.
Why do Managers like Windows? Windows allowed them to have the latest and greatest in computer hardware, largest hard drive, most memory, fastest CPU, and other new hardware. With all this no Employee could remote login to their system and slow down the Screen Saver. Because the Manager wanted to find out if the Cast-away escaped from the island.
1992 called. It doesn't want these jokes back, and says you can keep them.
Re:Windows Joke (Score:5, Insightful)
Why does IT like Windows?
Two words: Job security
Blunt and brutal as it sounds, I'm all for Windows in a work environment, even though I don't want to be subjected to it in my private space. Hey, at home I need to be productive! At work, I need to be certain I still have a job tomorrow. And, bluntly again, that's more secure with a system that acts "weird" from time to time and keeps failing on the user than with a system you set up once and run 'til the end of time. For crying out loud, Linux even does generation changes without aid from IT, can you imagine what that would mean to your job? Imagine Linux being used in office, with the new versions quietly installing themselves while all the software keeps working!
Tell me you don't prefer a system that needs YOU to go there and install it, then breaks every kind of compatibility and keeps you busy and employed for ... well, at least 'til the next generation of system needs to be installed.
Re:Windows Joke (Score:5, Insightful)
Blunt and brutal as it sounds, ...
... I've occasionally run across this reasoning told as a joke, shown it to friends whose business is supporting Windows, and told that it's no joke at all. The typical response is along the lines of: Hey, I've installed linux for a few customers. Each time, it only took me an hour or so, and that's all I got paid for. Then I never heard from them again until they wanted someone for another hour to do an install on a new machine. OTOH, with my Windows clients, I typically get paid for at least a full day to install anything, and then I get called back for half- or full-days whenever the system shoots itself in the foot. We'd be fools to advocate a system like linux when Windows produces two to three orders of magnitude more billable time for us. Of course, we all use linux and/or OS X at home, but that's not where the support business is.
As long as the suckers^Wclients continue to act like they do and fall for the "market leader" sales propaganda, this isn't going to change. It's been like this in the computing industry since at least the 1960s, so don't expect it to change during your lifetime.
Re: (Score:3, Funny)
Then, perhaps a fruit basket to the Symantec gang for producing completely useless and overpriced crap software that overly trusting people rely on.
carry on!
No, really, I am all about helping people and fixing their computers as effectively and quickly as possible, but.... wow.... just wow.
Re: (Score:2)
The fact is that Linux, now, is much less of a hassle than Windows.
I don't know when you last used a recent version of Windows, but this mantra is pretty old and worn out. (And, yes, I run Linux as well, which I do enjoy using.) Windows has been continually improving and is actually enjoyable to use (I particularly am a fan of Windows 7). Is it a problem when individuals click "Yes" to everything - absolutely! Is it a problem that IE is full of security holes - yes! But, with the right browser (AKA, not IE), half the issues are solved with Windows and it is v
Re: (Score:2)
Some media file can pop up a browser window to an infected site that will install malware on your computer especially if you use older software versions.
There were even GIF and JPEG exploits made public in the past; it probably occurred with other media files as well...
http://isc.sans.org/diary.html?storyid=2997 [sans.org]
http://news.netcraft.com/archives/2004/09/17/exploit_for_microsoft_jpeg_flaw_is_published.html [netcraft.com]
Re: (Score:2)
If you are the first person-- sure.
But after 15 or 20 people post "it's clean as far as I can tell" then no.
Likewise, if the first person posts "this ate my machine" or "my virus scanner detects "BLAH" in this" then it's not safe.
I've only used RAR type programs personally. Everything else I use is free (as in beer) except Dragon Dictate which is reasonably priced for what it does so I buy it periodically. Someday there will be a free text recognition program (that WORKS at least as well with Openoffice)
Re: (Score:3, Funny)
Find a torrent that DOESNT have about a 50/50 to 60/40 split of "VIRUS!!111" and "AWESOME!!11" posts.
Re:Wasted time (Score:5, Insightful)
OK so this is how it works. There are websites out there like these [krebsonsecurity.com] which allow you to quickly check your newly infected EXE against all the main AV products out there. Signature based AV is basically obsolete because there are lots of programs out there that will happily scramble your EXE for you, in the scene these are known simply as "crypters" and you will find many people in the PPI world advertising their crypter as being FUD (fully undetectable). Good article on this here [secureworks.com]. Of course with enough downloads eventually somebody savvy will catch on, unless your work is really good, and then your binary and uploading IP address are usually banned. At which point they do exactly what you'd expect - spin a new binary, get a new IP address and do it all over again.
If you're relying on only 15-20 other downloaders to certify something as "clean" and you regularly download warez you probably already have a rootkit on your system and have no idea it's even there.
Re: (Score:2)
I recognize the risks you are talking about. You can never eliminate it (heck- even commercial software and hardware is caught installing virii). The same applies to open source, firefox plugins, etc.
The only reliable risk mitigation is waiting a few months, then checking it again.
I've had one virus ever. That was on my Amiga.
"Something wonderful is happening"
"Your Amiga has come alive!"
Friends told me "bullshit", "no way" for at least a few weeks until someone else saw the screen and it became common k
Re: (Score:2)
I see your point on a public site.
It doesn't apply on a closed community invitation only site.
Re: (Score:2)
Seems like 7 zip didn't support RAR decoding at the time.
Does it do so natively now?
Re: (Score:2)
Yep. There's no reason to use that shareware nagscreeny garbage ever again.
Re: (Score:3, Informative)
The problem is, a couple of years ago, RAR released a new version (which gave it a lead in the industry in compression ratio for a brief time), incompatible with the older versions (old decompressors couldn't decompress stuff compressed with the new RAR). It took all the others between a few months and a few years to include support for it. 7zip being notoriously behind. So while it nominally supported ".rar", it lacked support for the "new RAR" for a couple of years.
Re: (Score:3, Interesting)
Except that when a torrent is bad usually a person will not reseed it. Though it is possible to "fake" seeds generally I've found a high number of seeds from a tracker you trust is a good sign.
Uhhhh what do I torrent? Linux DVD ISOs, duh!
Re:Wasted time (Score:4, Interesting)
Ya see, there's no way to make my soundcard work in *nix, from what I, and my friend who damn well *lives* in *nix can find.
You don't say what kind of card it is, I notice...
There's no way to make my sound card work in Windows. Well, I could download a couple of gigabytes of Windows updates and a driver, and then download a couple of gigabytes of software updates, and eventually I'd have two of the ten channels working. Or, I could just use Linux, where my Delta 1010LT is supported perfectly.
Re:Wasted time (Score:5, Interesting)
Personally, I buy things with the intent of running Linux on them. That means I have to take more care in researching before purchase, but in the end, it makes so many things so much easier.
I never have to hunt down drivers. 99% of my software comes from one place, and the updates are handled automatically. Frankly, when you buy the right hardware, everything just works far better than Windows.
Re:Wasted time (Score:4, Insightful)
Personally, I buy things with the intent of running Linux on them.
I wish I could, but Best Buy doesn't have enough hardware with a cartoon penguin on it. How do you expect the general public to do this sort of research?
Re: (Score:2)
Soundblaster. It's not like it's some obscure no-name brand. The thing's plug-and-play in Windows. There was even an official driver package from Creative Labs. That didn't work. All the ALSA guides on the 'net couldn't make it work. We even tried the alternate open source driver package, and that worked even less.
And exaggerating doesn't help your position. There aren't "gigabytes" of updates out for Windows 7. Maybe after SP1 hits, you might be right. And "gigabytes" of software updates? What the fuck? Ag
Re: (Score:2)
Windows XP took up about 2 GB total install. Now after SP3 it's about 13GB. So roughly 11GB in updates total.
Re: (Score:2)
You almost certainly googled around for information on your sound card before purchasing it. That's the real solution, regardless of OS.
Re: (Score:2)
You almost certainly googled around for information on your sound card before purchasing it.
Exactly. That's why I bought an M-Audio Delta 1010LT, because it's specifically extremely well-supported in Linux. I couldn't care less whether or not it's supported in Windows, since the software I want it for isn't available in Windows.
Re: (Score:2)
Is your sig designed specifically to troll grammar nazis?
Re: (Score:2)
Interesting rhetoric. I'm sure you're not implying that Linux support of commercial, current (new to 3 years old) hardware is better than Windows? As in:
- It has the functionalities expected, or even
- It is supported.
Or if you are and you just need a hardware model to change your mind, here, take mine:
HP Pavilion tablet PC tx2505ca
It's 2, maybe 3 years old. Here are some problems I still face today in my still very loved Linux box:
- Input devices sometimes won't work after booting. Shutting down by holding
Re: (Score:3)
Oh yeah, MY SOUND CARD doesn't work on Windows or Linux. I downloaded a bunch of random crap off the internet for both of them but nothing seems to work. Therefore, both Windows and Linux must be complete pieces of shit for not supporting my sound card.
It has nothing to do with the fact that I just cut a piece of circuit board out of a stereo and jammed it into the PCI slot. A REAL operating system would have detected it and FORCED it to play music.
Seriously. The number of "My sound card works in Window
Re: (Score:2)
Can you do low-latency multi-track recording with it in Linux? If so, what software do you use?
Yes. I use Ardour, running on Arch Linux with a more-or-less stock kernel (the only changes from stock are to enable the missing AX.25 drivers, but that's utterly unrelated to audio - the point is more that I don't bother with any specific low-latency patches).
I can get a latency of about 4ms. If I wanted it any less, moving my head closer to the speakers would help more ;-)
Re: (Score:3, Insightful)
Welcome to the school of tail wagging the dog. What would the ROI calculation have looked like *before* you acquired that sound card when you effectively married yourself to the Windows culture and all that comes with it? Five minutes well invested against the throes of consumption lust?
For that matter, why bother learning about birth control until *after* you discover you're not shooting blanks?
I was looking forward to reading this paper, because there are good arguments to be made about the externality
Yeah (Score:2, Insightful)
Re:Yeah (Score:5, Insightful)
I have a simpler conclusion... Most users are idiots!
Even simpler: most people are idiots.
Re: (Score:3, Funny)
I conclude that most idiots are people.
Re: (Score:2)
That's stretching it. Are senators "people?" What about representatives? Or Wall Street bankers? Or economists?
Re: (Score:2, Insightful)
Even simpler: most people are idiots.
Yeah, that's a *simple* conclusion, that is.
You know, every single person I have ever heard say "most people are idiots" has never been all that high a wattage bulb themselves. Maybe they were book smart in one or two areas, but get outside their intellectual comfort zone, and forget it. This seems especially true of computer geeks.
Re: (Score:2)
Actually, 'average' is an ambiguous term which, according to context, may refer to a mean, a median, or even a mode.
Re: (Score:2)
Let me get this straight, Its either
A) users will only do the minimum required.
B) users consider security measures to be a pain.
C) user education is not working.
or D)based entirely on the economics of the process
And NONE of those overlap?
I think this argument is moot; everyone seems to be shouting the same thing.
No, you missed the point. (Score:3, Insightful)
I have a simpler conclusion... Most users are idiots!
You're only half right. It turns out that most users are *selfish* idiots.
I used to feel a little bad about hating users. I was afraid it might be arrogant to despise the people who, ultimately, justify my salary. But now I see they deserve whatever they get.
Interesting (Score:5, Insightful)
I agree with this assessment. I work at an IT company that supports many different companies and users of different size. We are a small operation (10 techs).
Most security recommendations are rejected due to the cost of implementation when dealing with corporate customers. Smaller businesses and individual users will reject them due to the lack of perceived risk.
Simple example is when a salon did not want to spend the 30 minutes of labor to secure their wireless network because guests use it. We said no problem and offered to set up a guest network and secure their internal wireless network. No problems with their Cisco SA. They still did not want to do it. Their reasoning was not the $50 one-time cost but, "who would want to go to the trouble of accessing our data? we have nothing sensitive"
They realized their customer databases were password protected within that application, understood they had nothing on their workstations or shares to hide, and basically said fuck it when we were offering a low cost, non-invasive, transparent to their customers solution.
That's just one example. Lots of these "dumb endusers" fully understand the security and the solution and the cost, but feel they are not a valuable enough target to worry about it.
Re: (Score:2)
Not my experience, not by a long shot. Most people do not care enough about security to learn about it. For example, advising users to actually read warnings about SSL -- after 5 words, they are bored and go back to ignoring SSL warnings (and in some cases, falling victim to MITM attacks). We are not talking about costly solutions here, just basic, unintrusive guidelines that people are ignoring.
Re:Interesting (Score:5, Insightful)
And 99% of the time they're right to ignore it. It's quite simple: unless a site is getting my financial info, what do they have to lose? Nothing, unless they're stupid enough to use the same password as their email. And that's a rule you can get many of them to follow.
I'm a computer programmer, and except when I'm coding I've stopped giving a shit. I use the same default password everywhere except email and finance places, because I don't care. Oh no, you can now edit my slashdot and video game forum accounts. How can I live? I don't download files from untrusted sources, so I don't bother with antivirus. I don't bother with updates because they break stuff more often than I see any benefit to it. If I actually started dealing with all that shit it would take serious effort. It's just not worth it.
You can get 99% of the benefits with 5% of the effort- don't use the same password on your email as anything else, don't use the same password on finance stuff and anything else, don't download anything you aren't 100% about, don't trust any links in email. That's all you need to do.
Re:Interesting (Score:5, Insightful)
For example, advising users to actually read warnings about SSL -- after 5 words, they are bored and go back to ignoring SSL warnings (and in some cases, falling victim to MITM attacks). We are not talking about costly solutions here, just basic, unintrusive guidelines that people are ignoring.
This is actually one of the examples from TFA. The contention is that the statistics show that a majority of the certificate errors that users run across are false positives and ignoring them is perfectly harmless. And the TFA goes on to point out that a phisher would be pretty damn stupid to go to all the trouble to setup a fake domain and then put a broken certificate on it to throw up a warning and cause a potential victim to take a second look at the site and make sure it isn't something suspicious.
And IT people need to remember that what sounds like a "basic, unintrusive guideline" to us often sounds like babble, pointless rigmarole to make their jobs harder, or an IT person pulling an ego trip to the end users. The last one is especially bad because many users can't tell the difference between "arbitrary rule handed down by IT that makes their jobs easier while making my life harder" and "good solid advice handed down by IT for a very good reason." When they can't tell the difference, they'll just assume it's in the first camp and ignore it. If you're going to make their lives harder, you better have a damn good reason for it.
Re: (Score:3, Insightful)
But in that instance they're just being dumb. All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut and firing up nmap and pulling down the customer DB, or firing up Metasploit.
They feel they're not a valuable enough target, but are they right? Maybe - it's hard to say for sure. But what's the cost of being wrong? For a smallish salon, almost definitely enough to put them entirely out of business.
And the cost being $50? They're simply being stupid. None of this bullshit "analyzi
Re: (Score:3, Insightful)
All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut and firing up nmap and pull down the customer DB, or fire up Metasploit.
That would only do that kid any good if the salon keeps the customer credit card numbers in their database. What competitive advantage does the salon gain from storing their customers' credit card numbers? I bet it would cost them a lot less than $50 to not store their customers' credit card numbers
Re: (Score:2)
I think you're wrong, most of them don't fully understand the issues, they just think "me not big rich company with lots of sooper secrit datas, me no waste money on intarwebs man" (yeah, I'm an ass) even though they may very well have good reason to avoid getting themselves hijacked by some random bot or kid (Just because you don't have millions in the bank doesn't mean you're not interesting to a criminal or that it wont hurt for you if all your money disappears, or how about "oh, and what's this $200k lo
Re: (Score:2)
"who would want to go to the trouble of accessing our data? we have nothing sensitive"
Every computer has something sensitive on it or passing through it. The user probably accesses his Internet banking accounts from it, or his webmail. What really pissed me off when trying to convince users to do things more securely was that even after telling them that the bad guy doesn't care who they are because in many cases the bad guy is just a computer program that goes looking for low hanging fruit, they still used that same argument.
There is no helping some people. Security warnings are a pain for
It's a fundamental human value calculation: (Score:5, Insightful)
prevention is more expensive than repair/recovery/treatment
How? Any prevention effort requires some kind of cost, very often a continual and on-going cost.
Whereas the cost of recovery is only necessary once the negative effect occurs. And since it only happens to other people, that means that the cost of not preventing is 0. Clear win.
Which explains a lot of epidemiology (low vaccination rates, high-risk behaviors spreading unstoppable diseases, etc.); economics (victims of fraud, high-risk investors, etc.); software development practices ("Release NOW" rather than quality).
Unless you can prove that the bad thing WILL happen without prevention, people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures.
Or, as others in this thread have put it, people are idiots.
Re: (Score:2)
The thing is, that's often true. We shouldn't have a Bear Patrol [wikipedia.org], even if there really are occasional bear incursions.
Bad summary (Score:2)
Of course it's economics. That's what every cost/benefit analysis is. Economics is just another word for the other "researcher's ideas", not any kind of challenge or refutation of them.
Are there no remarkable findings in the linked article worth reporting? Sure sounds like it to me.
This is not a "new" interpretation (Score:5, Insightful)
I can still remember the Computer Security professor telling the class on the very first day that computer security is a matter of economics. How much does it cost to implement? How much do you stand to lose if your security is broken and your "stuff" stolen? At some point, you reach a point of diminishing returns and it is wasteful to spend more on security.
And in this context, time, effort, and inconvenience all have a significant cost that must be counted.
The average idiot computer user is not always as dumb as you think they are.
Re:This is not a "new" interpretation (Score:5, Insightful)
One big one, particularly for home users, is inaccurate discounting of costs that are either in the future, uncertain, or both. An $80 external HDD can substantially reduce your risk of losing files to disk failure. A shockingly small number of people do so, even people with actual money who have data that are valuable or at least sentimental. The risks just aren't in their face; but the price tag is, so they don't do it.
The other thing, again most likely an artefact of inherited historical limitations to human cognition, is the difficulty that people have understanding the implications of automation for their likelihood of being attacked. To the degree that joe user has a threat model at all, it tends to be the classic man-is-a-social-animal naive theory that a person is attacking, or might be attacking him. He then shrugs, and says "I couldn't possibly be worth the effort." and does nothing. If cracking PCs was something done one-by-one, with manual labor, furiously typing to guess the passwords and break through the code walls just like in the movies, he'd be completely correct. However, since the vast majority of online attacks are largely automated, the naive threat model is bunk (for physical attacks, the naive model is probably mostly correct. Planting trojans on unattended laptops in public is almost as risky, and far less lucrative, than simply stealing them. Jealous spouses, asshole roommates, fucked-up middle school social dynamics and the like, though, provide ample motive for the sorts of attacks performed with physical access on home machines).
Re: (Score:2)
Humans are, by the standards of mostly bipedal hunter/gatherer savannah dwelling apes
I think you should speak for yourself!
Re: (Score:2)
Well people also misunderstand the whole idea of security; the point isn't really to make unauthorized access impossible. The point is to make it difficult, annoying, problematic, likely that you'll get caught trying to gain access-- in other words, to make attaining unauthorized access "not worth it" to prospective attackers.
So first you want to know who the prospective attackers are, what their skill set is, and how motivated they'll be to gain access. If your possible attackers are very skilled and v
Users just don't care, because it doesn't cost them (Score:5, Insightful)
As I said before, most users don't care because there are usually no consequences to ignoring security directives.
Most users figure that security is the corporation's problem. They just figure that whatever they do will be protected "by the firewall" and they go on with life. It's not their problem if things go wrong.
No Economic Incentive? (Score:5, Insightful)
How about this one... At least in businesses...
Users in a business generally have very little if any incentive to follow any security policy that does not happen automatically, without any intervention on their part.
It is not their data, not their computer, and generally not their problem. If something goes wrong... they might have to move to another desk for a little while, while "the computer guy" "fixes" everything for them. They might even get a slap on the wrist for not following policy... But generally, the "users" have no reason to interrupt their busy day with any security policy that interrupts their busy schedule (of facebook and slashdot browsing). When malware hits, it is inevitably not their fault, but rather the fault of those same "computer guys" who have to go in and fix it.
Ain't reality a bitch?
Some security measures don't seem practical. (Score:5, Interesting)
I have to remember something like 70 passwords as a multiplatform software developer, and some of those hosts have passwords which expire every 30 days, can't repeat for at least a dozen iterations, and must contain at least one numeric, at least one upper-case and one lower-case alpha, and at least one non-alphanumeric symbol.
I understand the reasoning, and if it was only a handful of boxes .. or rarely used boxes ... I would understand, but I'm logging into 25 or 30 of these machines or applications on a daily basis.
I can use a password manager like Keepass, and it's okay, but I can see how some folks would resort to other means, try to use password patterns, etc.
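An added example (not code from the post or from any of the hosts it describes) that encodes the rotation policy the post complains about, 30-day expiry, no reuse within the last dozen, and one digit, one upper-case, one lower-case and one symbol, and then shows the failure mode the post hints at: a "password pattern" such as bumping a trailing digit satisfies every rule while being trivially derivable from the previous password. The minimum length, the salt and the sample passwords are assumptions; the similarity check is not part of the policy, it is the extra test a practitioner would want.

```python
import hashlib
from datetime import date

# Policy as described in the post.
MAX_AGE_DAYS = 30       # expires every 30 days
HISTORY_DEPTH = 12      # cannot repeat any of the last dozen
MIN_LENGTH = 8          # assumption: the post names no length rule

# Constructed salt for the demo; a real host stores a random per-user salt.
SALT = b"constructed-demo-salt"


def pw_hash(pw):
    """Salted PBKDF2 so the history holds no plaintext (assumed storage scheme)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 10_000).hex()


def class_violations(pw):
    """Names of the character-class rules the candidate fails, in policy order."""
    v = []
    if len(pw) < MIN_LENGTH:
        v.append("length")
    if not any(c.isdigit() for c in pw):
        v.append("digit")
    if not any(c.isupper() for c in pw):
        v.append("upper")
    if not any(c.islower() for c in pw):
        v.append("lower")
    if not any(not c.isalnum() for c in pw):
        v.append("symbol")
    return v


def policy_violations(new_pw, history):
    """history: hashes of earlier passwords, oldest first. Empty list = accepted."""
    v = class_violations(new_pw)
    if pw_hash(new_pw) in history[-HISTORY_DEPTH:]:
        v.append("reuse")
    return v


def expired(last_change, today):
    """True once the password has been in use for MAX_AGE_DAYS or more."""
    return (today - last_change).days >= MAX_AGE_DAYS


def edit_distance(a, b):
    """Levenshtein distance; one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def predictable_rotation(old_pw, new_pw, max_edits=2):
    """The pattern the policy invites: compliant, but a couple of edits from the old one."""
    return edit_distance(old_pw, new_pw) <= max_edits


if __name__ == "__main__":
    # Constructed history: the user has been rotating by season and year.
    history = [pw_hash("Winter2009!"), pw_hash("Spring2010!")]
    print(policy_violations("Summer2010!", history))          # []
    print(predictable_rotation("Summer2010!", "Summer2011!"))  # True
    print(expired(date(2010, 3, 1), date(2010, 3, 31)))        # True
```

Every rule in the post passes "Summer2010!" after "Spring2010!" and "Summer2011!" after that, so the history check stops exact reuse but nothing else; anyone who saw one password can guess the next. That is the gap a password manager closes for the user, and the reason a rotation policy on its own buys less than it looks like it does.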
Re:Some security measures don't seem practical. (Score:4, Interesting)
This is slightly off-topic, but I have to question how useful it is to require people to change their passwords often. Chances are, when someone breaks into your computer, they're going to leave a back door, so they can get in, regardless of the actual password. Anyone have any thoughts on that?
This exists in every facet of life (Score:2)
Some people will always not do the right thing. No matter how obvious it may be.
Some security advice is not rational (Score:5, Insightful)
People giving security advice often have no idea what the threat model is. For example, the typical home user's computer has no chance of being physically attacked. Nobody breaks into people's houses to install hardware keyloggers to steal their online banking passwords. And yet, some banks put up "security measures" like on-screen keyboards you have to type on with a mouse just to avoid keyloggers. Likewise, there's no real security reason to password protect your account on your home computer that nobody but you uses, and no security reason to not use autologin.
Seriously, there is only one kind of threat the home user faces, and that's software attacks, none of which are aimed specifically at him, and all of which are acquired either through his web browser or through infected executables given to him by his friends. If he runs NoScript, disables javascript in email, and gets executables only from reputable sources, there is simply no way he can get infected. If he's on Linux, he's safer than he's ever going to be already.
Re:Some security advice is not rational (Score:4, Informative)
Nobody breaks into people's houses to install hardware keyloggers to steal their online banking passwords. And yet, some banks put up "security measures" like on-screen keyboards you have to type on with a mouse just to avoid keyloggers.
Right. Good thing there's no such thing as a software keylogger [google.com].
-molo
Re: (Score:2)
How would an on-screen keyboard help against that exactly?
Re: (Score:3, Insightful)
If somebody wrote a Bank X Keylogger, it wouldn't. They could just watch for you to go to your bank, start tracking mouse movements and clicks, tie it to a screen resolution and reconstruct what you did.
But that almost never happens. A general-purpose keylogger sitting in the background hoping for something juicy isn't going to be tracking mouse movements. For one, it's a hell of a lot of data generated very quickly and you don't know when to start or stop. Two, since you don't know what the user is l
Re:Some security advice is not rational (Score:5, Insightful)
Onscreen keyboards are good for avoiding generic keylogging viruses. Keylogging and looking for passwords isn't too hard (especially if you can look for email address + tab + word with no spaces in + enter) but defeating an onscreen keyboard means either writing a program to search specifically for that implementation or recording/compressing/uploading/watching full videos of all screen activity which is way too heavy.
Of course two-factor transaction signing is even better ....
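The two attacks described above, as an added example that is not code from any poster in this thread: a generic keylogger pulls credentials out of a keystroke stream with one cheap pattern match, while an on-screen keyboard forces it to reconstruct mouse clicks against a layout and screen position it first has to recover. The keystroke log, the keyboard layout, its position on screen and the click trace are all constructed for the example.

```python
"""Added example (not from the thread): credential extraction from a
keystroke stream versus reconstruction from on-screen keyboard clicks.
Every stream, layout and coordinate below is constructed."""
import re
from typing import List, Optional, Tuple

# Constructed keystroke log in the form a keylogger might record it:
# printable characters inline, named keys in angle brackets.
KEYSTROKES = (
    "alice@example.com<TAB>Tr0ub4dor&3<ENTER>"
    "some unrelated typing here<ENTER>"
    "bob@example.org<TAB>hunter2<ENTER>"
)

# The heuristic from the post: e-mail address, TAB, a token with no
# whitespace, ENTER. One regex is all it takes.
CRED_RE = re.compile(r"([^\s<>]+@[^\s<>]+\.[a-z]{2,})<TAB>([^\s<>]+)<ENTER>")


def extract_credentials(stream: str) -> List[Tuple[str, str]]:
    """Return (username, password) pairs that match the login heuristic."""
    return CRED_RE.findall(stream)


# Constructed on-screen keyboard: four rows of 40x40 px keys whose top-left
# corner sits at (100, 500) on the victim's screen. For a real bank keyboard
# the layout and position are what the attacker's "tie it to a screen
# resolution" step has to recover first.
KEY_PX = 40
ORIGIN_X, ORIGIN_Y = 100, 500
LAYOUT = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]


def click_to_key(x: int, y: int) -> Optional[str]:
    """Map one screen click to the key under it, or None if off-keyboard."""
    col = (x - ORIGIN_X) // KEY_PX
    row = (y - ORIGIN_Y) // KEY_PX
    if 0 <= row < len(LAYOUT) and 0 <= col < len(LAYOUT[row]):
        return LAYOUT[row][col]
    return None


def reconstruct_from_clicks(clicks: List[Tuple[int, int]]) -> str:
    """Rebuild what was typed on the on-screen keyboard from click points."""
    keys = (click_to_key(x, y) for x, y in clicks)
    return "".join(k for k in keys if k is not None)


# Constructed click trace: the centres of the keys h,u,n,t,e,r,2 plus one
# stray click on the desktop at (50, 50) that must be ignored.
SAMPLE_CLICKS = [(320, 600), (360, 560), (320, 640), (280, 560),
                 (200, 560), (240, 560), (160, 520), (50, 50)]

if __name__ == "__main__":
    print(extract_credentials(KEYSTROKES))
    print(reconstruct_from_clicks(SAMPLE_CLICKS))
```

The asymmetry is the point of the thread: the keystroke side needs no knowledge of the victim's screen at all, while the click side is useless until LAYOUT and ORIGIN are known for that one bank, which is why a general-purpose logger rarely bothers.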
Re: (Score:2)
For example, the typical home user's computer has no chance of being physically attacked.
Those on-screen keyboards were there to thwart software key loggers. And then they were defeated by malware taking screenshots every second (or more frequently) to get the password that way.
Likewise, there's no real security reason to password protect your account on your home computer that nobody but you uses, and no security reason to not use autologin.
That's not entirely true, either. Never have houseguests? I do frequently, and I may not want them snooping around on my computer (this is the digital equivalent of a guest rooting through your medicine cabinet.) What if the computer is stolen? Maybe you'll be glad that you encrypted the disk, then.
It's all about tr
Re: (Score:2)
Nobody breaks into people's houses to install hardware keyloggers to steal their online banking passwords. And yet, some banks put up "security measures" like on-screen keyboards you have to type on with a mouse just to avoid keyloggers.
Except the investigating police force, which is trying to catch the person who stole tons of money. If the bank loses that money because it was made illegally by another person, they have to foot the costs of the investments that they had made with that money.
It's like the Safe Deposit box security in Swiss banks... of course they don't want to lose all that gold and money that the Nazis stole.
Microsoft Researcher using TeX. (Score:5, Interesting)
They aren't kidding when they say that Microsoft Research is autonomous. I would have assumed that Microsoft would at least make its researchers use MS Word.
good advice versus bad advice; costs to others (Score:5, Interesting)
The paper is not entirely unreasonable. However, there are at least some holes in it.
It lumps good and bad security advice together. The economic benefit of following bad security advice (e.g., buying antivirus software) is zero or negative, so of course anybody would be rational to ignore such advice. That doesn't mean it should be lumped together with *good* security advice. They're hypothesizing that people are acting like the idealized economic free agents beloved of economists: people with perfect information, acting rationally. Under this hypothesis, people would have perfect information about which security advice is good and which is bad.
The article doesn't talk about costs to others. People who get their computers owned by a botnet aren't only suffering economic harm themselves, they're inflicting harm on other people. On p. 5 Herley talks about how Wells Fargo limits customers' liability to $50 if they're victims of fraud. That doesn't mean *nobody* pays the cost of the fraud. We all pay those costs, indirectly.
Another problem is that in many cases Herley relies on back-of-the-envelope estimates of the damage caused by security failures. E.g., on p. 2 he estimates the economic costs of a particular exploit. But these estimates aren't based on any actual data. That particular calculation is also kind of stupid, because he says that a user shouldn't spend more than "0.98 seconds" (doesn't he understand significant figures?) protecting against a particular exploit. What his analysis ignores is that there may be hundreds of such exploits out there, and that anything you do that protects against one exploit (e.g., not using a dictionary word as your password) will also help to protect you against all the others. And forgive me if I'm a little skeptical of low-ball estimates originating from MS of the economic damage of computer security failures. That's like trusting GM to estimate the economic effects of global warming.
Re: (Score:2, Interesting)
Simple Risk Matrix (Score:2)
What is the probability my password will be hacked (low/medium/high)
What is the impact if my password is hacked (none/moderate/severe)
If I have a low probability of being compromised and the outcome is moderate, then that is a low risk. If I have a high chance of being compromised and the impact is severe, that is a high risk.
The problem with these sorts of articles is not determining why people don't care about security, it's failing to take into account that a "low" risk rating on this matrix isn't worth th
And it's often NOT worth it. (Score:2)
Am I going to spend a lot of time on a 7 year old's game PC protecting it from being added to the botnet army of darkness on its latest evil crusade for human souls? Frankly, why the hell would I care?
Re: (Score:2)
Because his compromised computer's bandwidth usage and infection compromises the security of the rest of the computers on the network as well as affecting their quality of service?
Re: (Score:2)
I would care because I'm not an asshole. Don't know about you.
6. Change often (Score:5, Interesting)
TFA:
Rule 6 will help only if the attacker waits weeks before exploiting the password. So this amplifies the burden for little gain. Only if it is changed between the time of the compromise and the time of the attempted exploit does Rule 6 help.
IANASE, but last time I checked, this rule was meant to make it difficult for attackers to have time to brute-force the password and profit from it. It had nothing to do with the attacker discovering the password and then waiting quietly until nobody's looking to profit from it.
In theory, if you change your password often enough, before the brute force completes, the attacker has to start all over again.
That said, it's an extremely difficult rule to enforce or comply with, unless you have a wonderful "I forgot my password" system.
Re: (Score:2)
Changing your password mitigates a compromise in both of those ways, and one additional one: the one where the attacker doesn't want you to know that your password was compromised, so they don't change it. This could be important in the case where verification of your right to the account is possible (without e.g. security questions, but perhaps by showing up in person with an ID.) For example, gaining access to a user's e-mail account in order to spam can be useful, and the attacker might not change the
Re:6. Change often (Score:5, Insightful)
Yes -- in theory. But people are good at subverting policies like that.
Suppose it takes about four months for an attacker to brute-force your password hash, and you change your password every month. If they get lucky today and discover that as of December your password was "foobar@Dec09", I think they might be able to make a plausible guess as to its current value.
It's obvious (Score:5, Insightful)
It's obvious that most computer security practices are the equivalent of cracking the metaphorical nut with a sledgehammer. My personal pet hate is the password aging practice. It specifically does one of two things. It discourages people from choosing strong passwords because strong passwords are more difficult to create and remember than weak ones. The second is that users may resort to writing passwords down because some expert decided they needed to change their password every 30 days. And often you get the password change prompt right when you are about to go on a long holiday, which guarantees that you will not be able to remember it.
One reason for this is that organisations have to show that they are serious about security, and practices like password aging are easy 'objective' metrics to demonstrate, even if they do not provide a measurable improvement in security.
Re: (Score:2)
I'd love to see a real study on whether password aging actually increases security. Unfortunately, security is difficult to measure.
I used to agree with you ... (Score:5, Interesting)
I used to hate expiring passwords on the financial data systems where I used to work. Then one day the Comptroller was locked out of his own account because he had tried his old password too many times. But it turned out the Comptroller was on vacation and hadn't even tried to log in.
It turned out that an inside person had put a physical keylogger (USB pass-through device between computer and keyboard, ordered straight from China) on the Comptroller's computer one night and collected it a week later, and then subtly tampered with her own salary. She had also stolen the e-mail passwords of any employee who would have been alerted about the change, and instantly deleted the e-mail notifications as soon as she modified the system. She was sophisticated enough to alter other logs and alerts as well.
We might have locked down our internal systems better to begin with, but I have to say that she might have gotten away with it if it hadn't been for those darn password changes.
Re:It's obvious (Score:4, Informative)
It seems that several years ago, the /etc/passwd file was world readable (since it had to be read in order to log in), and both the username and password were stored there. (Now the passwords are stored in /etc/shadow, which is not world readable.) It was fairly simple for someone to download a passwd file and then run it through a dictionary cracker to find the passwords. In the early 80's it was found that a dedicated mainframe could crack any dictionary word in the passwd file in about eight weeks. If the hacker only had access for a couple of hours a day, it could take up to four months. (If a complex password was used, it would take much longer or possibly never be cracked.) Therefore, if a person changed his password every 30 days, he could be sure that by the time the hacker cracked his password, it had been changed.
However, as computers became more powerful, the time to crack passwords from a passwd file became less and less, and a better solution needed to be found. One method was to separate the password from the username into a shadow file, and make sure that the shadow file was not world readable. A cracker would need to break into the computer with root privileges in order to read the password file so that they could break into the computer.
Unfortunately, the above explanation is long, complicated, and goes against "best practices." I have tried pointing that out to several "Security experts" without any success. Pointing out that passwords will be written down if they have to be changed often will not help much either.
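The attack in the post above, and the "foobar@Dec09" subversion of rotation from the earlier "6. Change often" reply, as one added example that is not code from any poster: an offline dictionary attack on the hashes in a world-readable passwd file, the same file once hashes have moved to a root-only shadow file, and how a rotated password derived from the old one falls to a handful of guesses. The hash function is a labelled stand-in (salted SHA-256 via hashlib) because Python's crypt module is deprecated; the attack has the same shape against real crypt(3) hashes. The file contents, wordlist and passwords are all constructed.

```python
"""Added example, not from the thread: offline cracking of exposed password
hashes, the shadow-file fix, and guessing a rotated password from its
predecessor. toy_crypt is a stand-in for crypt(3); all data is constructed."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3): 'salt$hex'. Not a real password hash scheme."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


# Pre-shadow layout: the hash is field 2 of /etc/passwd, readable by everyone.
LEGACY_PASSWD = "\n".join([
    "root:" + toy_crypt("s3cret!x9", "ab") + ":0:0:root:/root:/bin/sh",
    "dave:" + toy_crypt("letmein", "cd") + ":1000:1000:Dave:/home/dave:/bin/sh",
])
# Shadowed layout: passwd carries only 'x'; the hashes live in root-only /etc/shadow.
SHADOW_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/sh",
    "dave:x:1000:1000:Dave:/home/dave:/bin/sh",
])
WORDLIST = ["password", "123456", "letmein", "dragon", "qwerty"]  # constructed


def exposed_hashes(passwd_text: str) -> Dict[str, str]:
    """Return {user: hash} for every account whose hash is readable from passwd."""
    found = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("x", "*", "!", ""):
            found[fields[0]] = fields[1]
    return found


def dictionary_attack(hashed: str, candidates: Iterable[str]) -> Optional[str]:
    """Try each candidate against the hash; return the first one that matches."""
    salt = hashed.split("$", 1)[0]
    for word in candidates:
        if toy_crypt(word, salt) == hashed:
            return word
    return None


MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
DATED_RE = re.compile(r"(.*?)(" + "|".join(MONTHS) + r")(\d{2})")


def rotation_guesses(old_password: str, rotations: int = 3) -> List[str]:
    """Given a cracked 'foobar@Dec09'-style password, list the next few values
    a user who bumps the month at each forced change is likely to pick."""
    match = DATED_RE.fullmatch(old_password)
    if not match:
        return []
    base, month, yy = match.groups()
    start = MONTHS.index(month)
    guesses = []
    for step in range(1, rotations + 1):
        idx = start + step
        year = (int(yy) + idx // 12) % 100
        guesses.append(f"{base}{MONTHS[idx % 12]}{year:02d}")
    return guesses


if __name__ == "__main__":
    for user, h in exposed_hashes(LEGACY_PASSWD).items():
        print(user, dictionary_attack(h, WORDLIST))
    print(exposed_hashes(SHADOW_PASSWD))            # nothing to attack
    new_hash = toy_crypt("foobar@Jan10", "ef")       # the rotated password
    print(dictionary_attack(new_hash, rotation_guesses("foobar@Dec09")))
```

root's non-dictionary password survives the wordlist, dave's does not, and the shadowed file yields no hashes at all. The last call is the four-month brute-force scenario from the other reply: once "foobar@Dec09" is known, three guesses cover the next quarter of rotations.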
Re:It's obvious (Score:4, Insightful)
And when management replies with the inevitable, "Password aging provides a fail-safe against compromised accounts," then what is your reply?
I would reply that requiring passwords to be changed frequently provides little or no fail-safe against compromised accounts.
Once they've installed the malware on your machine, it doesn't matter that you changed the locks.
However, frequent mandatory password changes, along with a requirement for impossible-to-remember passwords, will pretty much ensure that users will write their passwords down. If "users should write passwords down and keep the written-down password in a convenient, easy to access location" is part of your security plan, frequent resets and complicated password rules should do it.
7. Don't re-use passwords across sites (Score:2)
TFA:
This would appear to include only the cases where the user is phished (rather than keylogged) or a rogue employee steals the credentials from A. This appears a minor reduction of risk for a 3.9x magnification of password management effort.
Unless the user in question uses facebook. [slashdot.org] Or rather is a rival of the site he's using.
Re:7. Don't re-use passwords across sites (Score:4, Insightful)
I think it's a credible threat. I've had my password compromised (as part of a larger compromise) 4-5 times in my life that I know of. Realistically, it's probably happened more than that. Re-using passwords would have meant that I'd want to change my password at umpteen sites (many of which I probably wouldn't remember.)
What's up with /. Headlines? (Score:3, Funny)
noun gerund noun noun gerund adjective - WTF!?
is sentence structure really that hard? how about "What is up with /. headlines?" lately you see lots like this one. It looks like someone had thrown a dictionary into a blender...
Security on the web (Score:2, Interesting)
Its not that, baby ... (Score:4, Funny)
I just can't feel the 'Net if I'm using protection.
Good article! (Score:5, Interesting)
I have to say, the linked [microsoft.com] article is the best article on security that I have ever read; and, for that matter, just about the first one that ever considers the radical concept that the user's time is of value.
"Third, the claimed benefits are not based on evidence: we have a real scarcity of data on the frequency and severity of attacks."
This is a very good point. What fraction of attacks are frustrated by making users change their passwords from one which is chosen from a set of 1E12 possible passwords, to one which is one of 1E20 possible passwords? How much safer do they get if you then say they have to have a symbol as well?
When they make me jump through hoops, I'd like to know what exactly I'm gaining.
Taking a harder line on phishing-friendly sites (Score:3, Interesting)
On the phishing front, it's useful to stop blaming the end user, and blame the site that hosted the phishing page.
For some time, I've encouraged taking a harder line on phishing-friendly sites, sites that host phishing pages. I had a paper [sitetruth.com] on this at the 2008 MIT Spam Conference. At SiteTruth, we take the position that one phishing page blacklists the whole second-level domain. Here's the current list of major domains being exploited by active phishing scams [sitetruth.com].
The free hosting sites and the "short URL" sites show up on the blacklist regularly. After much nagging and some press coverage, most of them are now very aggressive about kicking off phishing pages, and they don't stay on for long. The better ones now read PhishTank and the APWG blacklist automatically and kick off anything that shows up. Currently, Google is in the doghouse, because they've recently entered the "free hosting business" without adequate phishing defenses. See this abuse of Google Spreadsheets. [phishtank.com]
At the moment, "t35.com", a free hosting service, is the site most abused in this way, by a large margin. I've contacted their people. The problem is that they're being attacked by a program, and they're cleaning up by hand. Right now, they're hosting 545 known phishing pages. Nobody else is even in double digits. "piczo.com" (a social network/free hosting service for teenage girls) was the last big victim, but they're gradually getting the problem under control.
A draconian blacklisting policy may seem harsh, but it encourages site operators of easily-exploited sites to be very aggressive about dealing with the problem. We're seeing more free hosting sites with a "click here if this is abuse" button on every page. The number of people who have to be educated to deal with the problem in this way is in the hundreds, not the hundreds of millions. So it's a solvable problem.
If you're going to blame the victim, this is the way to go at it.
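The blacklisting rule in the post above, as an added example that is not SiteTruth's code: a blacklist keyed on the registrable (second-level) domain, so one phishing page taints the whole host. The suffix table is a tiny constructed stand-in for the Public Suffix List, and is the piece a real deployment must get right, since without a "co.uk" entry one report against example.co.uk would block every UK company. The URLs are constructed and name no real phishing page.

```python
"""Added example, not SiteTruth's code: phishing blacklist keyed on the
registrable domain. PUBLIC_SUFFIXES is a constructed stand-in for the
Public Suffix List; the URLs are constructed."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List: suffixes under which the public can
# register names. "co.uk" must be here or example.co.uk collapses to "co.uk".
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "au", "com.au"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the registrable domain of a URL, or None when there is none
    (IP literals, unknown TLDs, or a host that is itself a public suffix)."""
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host *is* a public suffix; nothing to block
            return ".".join(labels[i - 1:])
    return None  # unknown suffix: refuse to guess rather than over-block


class PhishBlacklist:
    """Counts phishing reports per registrable domain and blocks the domain."""

    def __init__(self) -> None:
        self.reports: Dict[str, int] = {}

    def report(self, phishing_url: str) -> Optional[str]:
        """Record one phishing page; returns the domain that is now blocked."""
        domain = registrable_domain(phishing_url)
        if domain is not None:
            self.reports[domain] = self.reports.get(domain, 0) + 1
        return domain

    def is_blocked(self, url: str) -> bool:
        return registrable_domain(url) in self.reports

    def worst(self, n: int = 3) -> List[Tuple[str, int]]:
        """Most-abused domains first, the kind of list the post links to."""
        return sorted(self.reports.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    bl = PhishBlacklist()
    for u in ["http://bank-login.t35.com/secure/", "http://acct-verify.t35.com/",
              "http://pages.piczo.com/paypal-update"]:
        bl.report(u)
    print(bl.worst())
    print(bl.is_blocked("http://my-innocent-homepage.t35.com/"))  # collateral block
```

The collateral block on an unrelated t35.com page is deliberate; it is the pressure on the host the post is arguing for. The two refusals (IP literals and unknown suffixes return None) keep the policy from blocking things the rule was never meant to cover.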
Re: (Score:2)
By the same token, the dick pill spam could be stopped overnight by a small group collecting "orders" and mailing out poison. After a dozen or so deaths, one would presume that *most* people would be concerned about buying drugs from spam.
Welcome to Slashdot where the solution to lax user security is random terrorism and murder! Aren't they great, folks? Goodnight everyone! Drive safely!
Re: (Score:2, Funny)
A Mac is basically BSD.
I stand by my original post.