Security's Everyman

Monday, October 08, 2007

Automatic Security?

I love and hate the Firefox addon "NoScript". I use it to add an extra level of protection to my web browsing, but I hate it when a site requires Java or some other script to run and I haven't approved that site. It's not a big deal when I first visit the site, but when I write a fairly long comment on a blog post and have it wiped out because scripting is required, that is really irritating. I did that this morning. Mitchell Ashley wrote a blog post on the need for security vendors to do more to take the ball out of the end user's hands. I had a great (ok, that's subjective) comment, and it was a little lengthy, but it got wiped out when I went to post it because I hadn't enabled scripting for the site.

So, I decided to take it to the streets. I'm going to rewrite my comment (at least what I can remember) here and see if I can get some good chatter going between Mitchell, myself and any others who may want to jump in here.

First go read Mitchell's post and then come back here. While you do that I've got a meeting to attend.

Ok, so we're all back. Here are my thoughts and comments:

Mitchell, I agree with you that we need to make these issues transparent to the user, to a point. Some AV/HIPS vendors are already doing this somewhat. They have taken lots of the firewall alerts and answered them "by default" so that the user isn't bothered with answering questions that they don't understand. They are making it easier for updates to be pushed/pulled to the system instead of making the users do this manually. There is still work to be done, but.... Where I have a little disagreement is in completely removing the user from the fray. If we do so we may make it easier on them, but we are missing out on an opportunity to educate them on the risks associated with life on the internet. We are missing the chance to teach them how to be more secure by giving them information that they can understand and then make an intelligent decision on. What I would like to see is the software vendors write alerts and pop-ups in layman's terms so that a user doesn't have to decide if it's safe to allow lsass.exe and svchost.exe to access the internet. And it gets even more confusing when the "internet" isn't really the internet but the internal LAN, if they have one. I would like to see the vendors provide easy-to-understand tutorials (via the help button) that explain what the dangers of allowing or disallowing something are. We have conditioned them to click "yes" just to shut up the firewall, but they have no idea what they are clicking "yes" to. I agree that User Awareness isn't the silver bullet, but it has to be focused on, because we can't change users' behavior if we don't give them data that will educate them effectively.

Thanks for a good post that gives us something to think about. Thanks for stoking the fire on how we can make a difference and not continue to do things in the same way. What I would like to see now is how we can really make this work. What are our action points for making security transparent yet still making the user be (in the active sense) more secure?

OK, the floor is open for your comments and for you to add to the discussion on your blog. I think there is lots of good stuff here to chew on. Let's get going.


kurt wismer said...

a) i hear you with respect to losing comments... i've had so many problems with comments (often times without any noscript involvement at all) that i installed the google notebook extension to make it easier to save a copy of my comments, just in case my comment magically vanished somehow i can get them back...

b) i saw mitchell's post but as soon as i read the part about it being fundamentally flawed to rely on users i thought to myself "so he's one of those"... every single one of his examples of the disconnect between perception and reality could actually be attributed to the user's expectation that the protection software already is automatic... they think they installed it, they never bother to check it, so when it becomes disabled or turns out to be something other than it claimed to be (cough rogue anti-spyware cough) they're caught with their pants down precisely because vendors try their best to keep users out of the equation and then market their wares like they're install-and-forget solutions...

automatic security is snake oil, plain and simple... too much of everyday end-user computing is ambiguous enough as to require more than just an algorithmic response... intelligent, context-sensitive decision making is a requirement and it is something that cannot be programmed in...

mitchell said...

Andy, I posted my response back on my blog. (Kinda long.)

You can find it here:


Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.