Friday, November 19, 2010

security: it's almost like it isn't there

one of the ideas i continue to encounter over and over again throughout the years is the idea of liking a particular security product because it seems like it's not even there. it's amazing where one can find that idea being expressed. panda security's own luis corrons said the following about his wife's impression of panda's product:
My wife’s computer also have it, and she loves it, mainly because she doesn’t realize that it is installed :)

liking a security product because it seems like it's not even there strikes me as suggestive that the person in question likes to ignore security or not be bothered by security concerns. for most people this is going to be a recipe for eventual disaster. luis' wife, however, has luis on hand to take care of any malware incidents, so i guess for her it's ok. it's an interesting and probably effective strategy - well played, mrs. corrons, well played.

most people can't marry an anti-malware expert, however, so placing value in a product's ability to shut up is the wrong way to think about things for most of us. don't get me wrong, if a security tool is too 'chatty' then certainly that poses a usability problem, but the quest for complete transparency is a symptom of mismatched expectations.

the predominant expectation among consumers is that if they install the 'right' product or combination of products then they can forget about all those nasty threats because they'll be protected. that's just not true, though, and it's never, ever going to be true.

people will actively defend this line of thinking, however. often they say they just want to do X and don't want security getting in the way. imagine if i said i just wanted to get to mcdonald's and didn't want traffic safety to get in the way - would that sound reasonable? not so much, i imagine. part of the reason for that is that most of us realize that following certain procedures on the road actually does keep us safer than we would otherwise be; but another part is that we also recognize that when others don't follow those procedures they put us and everyone else at risk, not just themselves.

what if i were to tell you the same principles apply in computer security? there are procedures you can follow that allow you to reach your goal in a reasonably secure way (whether that goal is getting work done or enjoying online entertainment or whatever else you use your computer for). not only that, but by not following those procedures, by ignoring security, one actually does put other computer users at risk as well. i'm not just talking about other people who use the same computer, either. back in the days of viruses, when a virus infected a computer that computer joined the set of computers from which that virus could further its spread. essentially it enlarged the platform from which the virus could attack still other systems. today, in the age of the botnet, the same principle applies. when a machine becomes compromised it gets added to the attack platform and assists in attacks on other systems, whether those attacks are simply sending out spam or sending out more malware or performing distributed denial of service attacks. by pretending like security isn't a concern a user puts not only themselves but all other computer users at risk as well.

now, likening secure computing practices to safe driving does not mean i'm trying to argue in favour of requiring users to have a license to operate a computer (though there are those who suggest that). the fact is that day to day life is full of situations where you have to take precautions to increase your safety. just crossing the street calls for the precaution of looking both ways first. even toasters (which i bring up because some people literally think computers should be as simple to use as toasters) have safety precautions you need to follow - unplug the thing before you try to retrieve that piece of toast or bagel that's stuck inside.

i often criticize the security industry for perpetuating the myth of install-and-forget security, but the consumer shouldn't be thought of as blameless. people need to wake up and take responsibility for their own safety and security online, as well as being good online citizens and not putting others at undue risk. seriously, folks, computing without the need for taking active precautions is pure fantasy and it's time you started living in the real world. if you don't take responsibility for keeping yourself safe and secure, you won't be safe and secure - period.


Anonymous said...

You make the point that security is there for your safety and, therefore, you should be willing to put up with the inconvenience. That is true in some cases. Yet, this argument can be used to defend poor usability of any security product. Remember when updating anti-virus signatures required launching Live Update or its equivalent, clicking next, next again, next again, and then OK? That was poor UI design, but one could defend it by saying that the user should suck it up for the benefit of safety.

Security product designers should always be asking themselves how they can make the product easier and less annoying to use. This is especially important for consumer software. For instance, one could argue that it's important for the personal firewall to prompt the user for any new outbound connection. Most users will find that unnecessary and annoying, and will disable or uninstall the product. Instead, the product designer could make the personal firewall smarter, so it can make reasonably intelligent decisions on the user's behalf whenever possible. As a result, not only will naive users be prevented from making decisions that weaken the system's security, but they will also be encouraged to install the product, keep it active and recommend it to their friends.

Consider the analogy of a well-designed car: Modern vehicles have numerous safety mechanisms built in, yet the driver is often unaware of many of them during the normal operation of the car. (I bring this up hesitantly, because any analogy can be used as a counter-argument.)

Of course, some vendors might design a security product that does nothing and claim that it's the least annoying security tool of all. I'm not talking about such snake oil.

There will always be power-users who will want lots of visibility into the inner workings of the product to derive optimum security from it. From the perspective of the larger market, a strong security product can be made even better by making it as unobtrusive as possible, and then continuing to think about making it even easier to use.

-- Lenny Zeltser

kurt wismer said...

lenny, if you think i'm arguing that people should be willing to put up with inconvenience for the sake of safety then i'm afraid you've missed the point.

you appear to be under the impression that technology needs to change so that we don't have to. that we can add security after the fact in the form of a product (or worse a 'solution').

i, on the other hand, feel that we need to adapt and evolve, not just make increasingly sophisticated tools. we need to fundamentally change the way we think about and use computers. i'm not suggesting putting up with 'inconvenience' because i don't recognize it as inconvenience any more than i recognize looking both ways before i cross the street as an inconvenience. it's not an inconvenience, it just is.

it's only inconvenience for those who expect technology to save them from the forces that disrupt the computer use pattern status quo. my long-time interest in malware guided me towards a post secondary education focusing on computer science, and as a result i no longer expect that technology will do that (or even can do that) for us.

computers are good at automating repetitive tasks that require little context-sensitive decision-making or value judgments. security, however, is full of context-sensitivity and value judgments. informed decision-making on the part of the user simply cannot be replaced by an automaton.