Great Debate: Security's greatest threat? Dumb users vs. dumb design

Closing Statements

Save dumb users from themselves

Ryan Naraine

End users have gotten smarter about using technology but human vulnerability will always be the weakest link in the security chain.

The inquisitive nature of human psychology will always push us to click on that strange URL or open that e-mail attachment. Cyber-criminals make a living out of using social engineering to infect our computers and use your resources to make money.  Dumb users will remain dumb but we have an opportunity to make software design decisions that can reduce the effectiveness of social engineering.  

Our software products must start making decisions for end-users and remove the temptation of the lure.  It's already happening.  Modern e-mail clients have started to automatically block harmful attachments.  Modern web browsers are putting up roadblocks to malicious web sites. Modern operating systems are using things like ASLR and DEP to block vulnerability exploitation without the end-user ever seeing anything.

We need to get to a world where the errant click means very little.  We need software developers to bake security into design decisions to save dumb users from themselves.

You can't blame users - fix it!

Justin James

Modern exploits are getting better and smarter all the time. Can you blame users for clicking on something that looks legit and was sent by a contact? And let’s not forget just how many exploits do not even need user intervention to do their damage. User action may often be the catalyst for a successful attack, but it is simply the final step in a long chain of events.

 

Decades of computer usage have shown us that users cannot be trained very well. And the training is expensive, causes inflexible work patterns, and is overall a mess. If you want to kill the ROI and productivity gains on technology, throw in a heavy-duty training requirement. 

 

The only solution: Make better, more immune systems -- such as iOS and WP7. Even the much-vaunted *Nix security model pales in comparison, because it maintains the myth of trusted applications and trusted users. The new smartphone operating systems take a zero trust model and combine it with a restricted API that does not allow system-damaging calls to be made. The result is a stable, highly secure environment with a limited, standardized set of features that even a small child can master.

Security's greatest threat? Dumb design

Jason Hiner

This is one of those debates that has been going on for as long as human beings have been building tools that they weren't going to just use for themselves but share with other people. In tech, this debate would have been a lot different even a decade ago, when virtually every tool in the computer industry required a manual and some training (or, at least a trial-and-error period). Today, the user expectations are different and the resources and capabilities of our product builders are a lot better.

Doc's final thoughtsIN PARTNERSHIP WITH Ricoh

Doc has to agree with Justin on this one and take Ryan to task for thinking so poorly of users. The bad guys are getting better and better at luring folks into their schemes, and Doc doubts very much that many people are falling for the old “Brittany Spears Naked” bit these days. You know, Ryan, that it’s not that simple anymore, and Doc’s willing to bet you’ve been fooled into opening something you thought was innocent.

Justin has it right – it’s time to put even more effort into security and shore up our information resources. In other areas such as our food supply and our drug supply, we’ve built in systems to protect the manufacturing and distribution chains so that problems are relatively rare. Why should information be any different?

Yes, there will always be bad guys and mischief makers out there trying to game the system. But private enterprise (perhaps with a little more government support) is pretty resourceful and should be able to keep one step ahead of those wishing to bring systems down. Of course, users need to exhibit some basic common sense, but in the end, technology should be as foolproof as possible. Don’t let the manufacturers of our software and hardware off the hook here – they need to step up the effort and provide stable, hard-to-hack products.

Now please, Ryan, can you send Doc that link to the Brittany Spears photos?