Monday, November 12, 2007

the user is part of the system

dave lewis posted a short observation on how XSS gets discounted and in the process touched on something much bigger... a lot of people want to discount anything in security that depends on the user...

daniel miessler more or less did this very thing when he wrote about the new mac trojan and marcin wielgoszewski seems to have agreed with him... then there are those who discount the notion of user education as something that doesn't work or is wasted effort... more ubiquitous than that are the security models and software designs that do their best to exclude or otherwise ignore the user in order to devise purely technological solutions to security problems...

perhaps this is something that not everyone learned in school (like i did) but the user is part of the system... sure the user can be considered a complete and whole thing on its own, the user is a person, an individual who can exist and be productive without the system if need be, but can we say the same about the system? does the system do what it's intended to do without the user? does the work that the system needs to complete get done without the user? if the answer is no (and it generally is) then the system is not complete without the user... that means security models that ignore or exclude the user are models of systems missing a key component - and so-called solutions designed to work without regard for the user wind up getting applied to problem environments that don't match the ideal user-free world they were designed for...

including the user in one's analysis is hard and messy, i know, but excluding the user trades that difficulty in for another in the form of reduced applicability to the way things work in practice... after all, treating user-dependent risks as second-class security problems certainly doesn't make a lot of sense when social engineering is proving to be more effective than exploiting software vulnerabilities in the long run...

10 comments:

Vess said...

Face it - if user education was ever going to work, don't you think it would have worked by now?

For every user we manage to educate, thousands of new stupid ones appear. One can't educate them as a whole. They don't want to be educated. They don't want to become security experts - they want to be left alone doing their jobs and surfing the 'net for porn.

A good protection model shouldn't ignore the user. It should assume that the user is actively working to bypass it and should do its best to counter idiot's actions.

kurt wismer said...

"Face it - if user education was ever going to work, don't you think it would have worked by now?"

that really depends on how you define what it means to have worked... if one defines it as having turned everyone into lesser vesselin bontchevs, then no, it's certainly not going to work... on the other hand, if you define it as having learned not to do certain things we were trying to get them to stop doing then there's an argument to be made that it has worked to an extent as there are some positive things that have crept into the computer using public's behaviour...

"For every user we manage to educate, thousands of new stupid ones appear. One can't educate them as a whole."

well, it's certainly true that you can't educate them in the conventional sense, but there's more to education than books and classes (and their online analogs)...

"A good protection model shouldn't ignore the user. It should assume that the user is actively working to bypass it and should do its best to counter idiot's actions."

that's worse than ignoring the user - you would have people treating the user as the enemy rather than as a part of the system... you cannot protect a device from the device owner and by trying you commit the same mistake of arrogance that DRM peddlers make (and we know how far that's getting them)...

Vess said...

Well, define it as you wish, but we couldn't even educate, as a whole, the users not to do such simple stupid things as double-clicking on executable attachments! I think I can train even a hamster not to do something so simple and obvious - but, no, it's apparently beyond the grasp of the average user. The only reason why e-mail worms spreading as executable attachments declined (didn't disappear - Netsky is still raging out there) is because we stopped hoping to educate the user and started blocking them at the e-mail gateway and because the bad guys found more efficient ways of making money.

And, yes, the user *is* an (involuntary) "enemy" to the security system. The goal of the security system is to protect from threats. The goal of the user is free and easy accessibility to anything he feels like wanting. These two goals often contradict each other. So, the users do all kinds of stupid tricks to get around the restrictions imposed by the various security systems. Therefore, a well-designed security system should at least try to prevent the user from bypassing it. Yes, nothing can prevent a pro from disabling something they have installed in the first place - but we're talking about the mass of uneducated users here, who are acting against a protection system probably installed not by them but by their employer.

kurt wismer said...

"Well, define it as you wish, but we couldn't even educate, as a whole, the users not to do such simple stupid things as double-clicking on executable attachments!"

and school systems can't seem to educate everyone on the proper spelling of 'potato'... uniform impact of education is not a reasonable expectation to place on education...

at the end of the day, the question is not whether user education solves a particular problem but whether it helps/makes things better...

technology is no more capable of solving these types of problems... the one thing it does have going for it is uniformity of impact (within the scope of the technology's deployment)..

"The goal of the security system is to protect from threats. The goal of the user is free and easy accessibility to anything he feels like wanting. These two goals often contradict each other."

and you think it better to work against the user's wishes than to try and bring the user's wishes into better alignment with his/her best interests? i think there's more potential in working with users than there is in working against them...

Vess said...

"school systems can't seem to educate everyone on the proper spelling of 'potato'."

This is a flawed example. Just because the school system failed to teach proper spelling to one moron doesn't mean that it cannot teach spelling. However, if it did fail to teach proper spelling to the vast majority of people, it would mean that it doesn't work to solve the illiteracy problem - even if a few intelligent people managed to learn how to spell correctly.

Trying to educate people about computer security consistently fails to make the masses more security-aware. Ergo, it doesn't work as a whole - even if it does manage to educate a few intelligent people.

"the question is not whether user education solves a particular problem but whether it helps/makes things better..."

No. The question is whether it is worth it. If by spending a lot of efforts and resources on some system makes things better only a little bit and only for a few people, then that system is not worth pursuing - your efforts and resources are better employed for other things.

I am not saying that trying to educate the users about security is harmful and will never work for anyone. I am saying that it is a waste of efforts and will always fail to educate the masses as a whole. The past two decades prove that I am right - despite all the efforts to educate them, the users, as a whole, are just as stupid and ignorant as ever (if not even more, because the technology and the threats have become more complex).

"technology is no more capable of solving these types of problems."

The only progress we have achieved in this area (decline of boot sector viruses, decline of macro viruses, decline of e-mail worms, etc., etc.) came as a result of advances in technology, not in education - although, regrettably, not necessarily as the result of advances in anti-virus technology.

"you think it better to work against the user's wishes than to try and bring the user's wishes into better alignment with his/her best interests?"

I think it better to work against some of the user's wishes than to try to make him not have these wishes, yes. My long experience in the industry has taught me that the users will do stupid things no matter how you try to educate them and the protection you offer better be prepared to guard itself from them. Doing otherwise is doomed to fail. Always has, always will.

You'd notice that the others who have such a view are also from the industry and those who do not (like you) don't have to make security products that have to withstand user stupidity all the time.

I do realize that I'm not going to change your mind - but you're wrong nevertheless. Feel free to waste your time, trying to educate the masses. You will fail, like all those who have tried before you. Me, I'll concentrate my efforts in more productive directions.

kurt wismer said...

vess, you've got so much to say, i think you should start a blog...

"Trying to educate people about computer security consistently fails to make the masses more security-aware. Ergo, it doesn't work as a whole - even if it does manage to educate a few intelligent people."

trying to educate people doesn't even reach the masses, it never has, so setting the bar of success there is not reasonable... the only reason school systems reach as many people as they do is because of rules that say everyone has to go to school... security education is much more of a voluntary form of education so it's unlikely to directly impact nearly as many people...

that's not to say that there aren't ways to impact larger sets of people and have a positive effect, there are, they just don't look all that much like what one would conventionally think of as education...

"You'd notice that the others who have such a view are also from the industry and those who do not (like you) don't have to make security products that have to withstand user stupidity all the time."

actually, that's not what i notice at all... the industry is not without some user-education believers... as for me, i do make software that has to withstand user stupidity all the time, it's just not the same kind of software you're involved in making...

"I do realize that I'm not going to change your mind"

and i'm not going to change yours so i guess we're at the point where we agree to disagree...

Anonymous said...

I'm not sure who you're referring to when you say "perhaps this is something that not everyone learned in school (like i did) but the user is part of the system...", but the title of my post was "Operating systems aren’t any more secure than the idiot using it." I do agree with Daniel that the Mac OS X "trojan" isn't much to get worked up over since it requires the user to let it install. Contrast this with viruses that infect computers upon showing up in the preview pane in Outlook.

kurt wismer said...

@marcin
i'm talking about the two things from your post that you repeated here...

1) that the threat isn't a big deal because it requires user input - which treats user-dependent threats as second-class threats despite the fact that they're now the primary malware threat for the windows platform...
2) that the malware in question wasn't trojan-enough to say trojan without the quotes - which belies a fundamental misunderstanding of what trojans are... they require user interaction by definition... if they were automatic then they wouldn't have to pretend to be something they're not, which is a fundamental part of the definition of trojan...

worse, in your comment here you contrast them with email worms that execute automatically when the email is viewed in the preview pane... if you really want to contrast them then consider this - automatic execution from the preview pane was a successful strategy for a relatively short time whereas social engineering was successful going back at least as early as the original trojan horse and is still successful to this day...

you don't think malware that requires the user to let it install should be a big deal? the people of troy probably didn't think opening their gates and bringing a wooden horse into their city that was large enough to carry men inside was a big deal either and look how that turned out... people continuously underestimate user-dependent threats and as a result history keeps repeating itself...

Anonymous said...

Kurt (and Vess),

Education of users is one of the few tools that the enterprise is left with because there are not internal controls inherent in system design. What would the attitude of users be if internal controls had been present from the get-go and we all only used to only having the system resources necessary for our work function?

Play time (e.g. music downloads, surfing porn, chatting, playing games etc., which have no place in a productive work setting anyway) would be (should be) reserved for personal systems at home.

I think that when security technology better maps directly to business problems and data flow, a lot of these arguments are going to go away. Education alone will not do it, because something has to protect users from themselves, even those that are not so stupid most of the time, as errors are made.

kurt wismer said...

@rob lewis:
"What would the attitude of users be if internal controls had been present from the get-go and we all only used to only having the system resources necessary for our work function?"

probably the users would have a lot less job satisfaction...

"Play time (e.g. music downloads, surfing porn, chatting, playing games etc., which have no place in a productive work setting anyway) would be (should be) reserved for personal systems at home."

this line of thinking will go far with pointy haired bosses that have no empathy for their employees, but only until someone suggests the same principles should apply to them too...

"I think that when security technology better maps directly to business problems and data flow, a lot of these arguments are going to go away."

ah, if only businesses were the only thing we had to worry about...

"Education alone will not do it,"

and no one here is talking about education being the whole solution on its own... frankly i don't think there is a solution (and just as frankly, i'm fine with that), but i do think there are a number of things that can make the situation better and education is one of those things...

"because something has to protect users from themselves, even those that are not so stupid most of the time, as errors are made."

you can't really protect the user from him/herself... you can try, but if you think you'll succeed then you have an amazing faith in technology...

perhaps you've heard this quote before:
"Programming today is a race between software engineers building bigger and more idiot-proof programs, and the universe trying to build bigger and better idiots. So far the universe is winning" - Anonymous