If you’ve worked in InfoSec long enough, you’re probably in a perennial state of wondering if the state of computer security can ever substantively improve, or if it will always be some shade of “fairly awful”. It’s so much a part of the air we breathe, that the stench of fatalism and blame-shifting may start to escape our notice. A recent conversation with a friend who works in tech but outside the security sector brought this into stark relief for me.
This conversation started with a shared idea about adding pop-up messages to authentication interfaces to encourage people to use password managers. My friend thought this was an interesting idea, but he was a bit disheartened by the comments the original poster had received. (What? Disappointing and mean-spirited comments?! How shocking!!)
My take on it was that the idea was OK, but could be significantly improved, and found myself agreeing with many of the (admittedly super pessimistic) points brought up in the comments. Then my friend explained that the disheartening bit was the Eeyore-esque “it’ll never work” tone, which seemed to say “Your average Joe will never care about security, so why bother”.
Oh. Yeah, that.
It hit me, at that point, how much we collectively sound like this guy from the early days of motorized vehicles, talking about all the pedestrians that were being killed in traffic accidents.
It is true that 7,000 people are killed in motor accidents, but it is not always going on like that. People are getting used to the new conditions ... No doubt many of the old Members of the House will recollect the number of chickens we killed in the old days. We used to come back with the radiators stuffed with feathers. It was the same with dogs. Dogs get out of the way of motor cars nowadays and you never kill one. There is education even in the lower animals. These things will right themselves.
“Clearly”, it’s the fault of those chickens and dogs and pedestrians that they get hit, right? Not so much. Cats and dogs and bicyclists and pedestrians and all that are still killed in traffic on a daily basis, and no amount of victim blaming has managed to change this in the last hundred years.
Likewise, blaming victims for being attacked won’t improve our threat landscape. Humans compliantly doing the things that our software encourages us to do (click links, open files, run active content, etc.) is a big part of what causes security problems. Safe online behavior is neither intuitive nor easy, as things stand.
Safe computing hurdles
Have you ever found yourself at one of those Point of Sale machines where you have to wait till the end of the transaction to swipe or insert your card, or the “OK” button is red rather than green, or it’s at the top left of the screen rather than at the bottom right? You’ll undoubtedly figure out how it works before long, but there are those inevitable seconds of “What the heck am I looking at?!” and perhaps a misstep or two, rather than just being a simple and fairly smooth transaction.
That’s kind of where we’re at with security on computers right now. Good security hygiene requires us to stop and think before we connect, it is not a simple and smooth process. Even the most security-savvy of us has accidentally double-clicked, or clicked “OK” when we meant to click “Cancel”, because that was the path of least resistance.
We do seem to be making some strides in this direction, however small, as software makers have seen that there is a profit to be made in closing their ecosystem and vetting app makers. This certainly hasn’t stopped malware authors, but it has changed the nature of the threat landscape. It is possible, and may even be a potential revenue stream, to make users work harder to behave less securely.
We’re at a point now that secure computing should be an opt-out rather than an opt-in choice. Safe choices should not be hurdles to overcome, but the path of least resistance.
I don’t think we can expect this change overnight, or even necessarily soon. But as overwhelming and scary as the current malware situation is to experts and lay people alike, and as perplexing as the existing solutions are to the latter, striking and innovative changes could be quite welcome.