Culture : The tale of the inaccurate TV show
As I was finishing up my last article on the almost religious nature of the IT industry, I turned my attention to thinking about the next article. Some people say I should finish up the first one before I move on, that somehow letting my concentration slip at such a crucial time in a litterary masterpieces lifetime is both irresponsible and unforgivable. To those people I would like to say “Shut up”. I’m guessing that the amount of people that fall into that category are so insignificant that the crux of that whole rant was pretty moot anyway.
Man! Digression already and I haven’t even begun to describe the subject of this article yet. I was drifting in and out of thought about the media. I had recently been quite angered by a program which went out to the mass media which featured in a segment, some “hacking” (and I use the term very very loosely, perhaps attempted computer misuse would have been a better term for it) and detailing some steps with which to secure your PC against unwanted attackers.
To call the program irresponsible and deeply flawed is probably an understatement for me, but then I do tend to get pretty excited when something annoys me, usually leads to another article you see. However the program in question displayed a lack of responsibility by detailing information that lured people into a false sense of security. Chumps! I thought. It dawned on me then, why were they doing a segment on computer security anyway, their usual banter was fairly well confined to talking about gadgets and all things technologically niche? Hacking and computer security has gotten a lot of press these days, and in my opinion a lot of bad press. Most instances that are being attributed to computer security breaches are actually due to people being either a) stupid, b) careless, or c) a fantastic combination of both which probably resulted in them being fired quicker than selling fake memory sticks on EBay.
So what exactly does the media gain from this? They rile up society into thinking that hackers are everywhere, then give them false information about how to protect themselves. An example of this was the the program in question talking about how you should put a password on your Windows XP PC as it is then unable to be accessed by people unless they know the aforementioned secret password. Granted it’s a little better than the 98 days of being able to remove the pwl file which stored all the passwords to the user accounts. I mean seriously who would ever class that as a good idea? It’s about as secure as etching your PIN on to your ATM card. Oh I know how about making it really secure, let’s ROT13 the PIN number first* It’s a well known fact that the standard Windows login password, and standard Linux root password come to that, do absolutely nothing to safeguard the files on your PC. I knew people that at 14 were able to boot from a PuppyLinux CD to recover files from broken Windows/Linux installs, and I’m betting there are people even younger than that who know what they’re doing now.
People who advocate the use of a login password to “protect” their PCs data against a large number of threats should be taken aside and lightly beaten with a paddle until they discover the error of their ways. Obviously the more vigorous the beating, the shorter the amount of time taken to learn their lesson, however being an advocate of peaceful resolution, a light tapping would surely eventually give the desired effect, even if the result of all the tapping was mild wood burn leading to infection and finally blood poisoning.
The problem is in effect related to my last article. Time. People want a quick fix. If you tell someone they have to read a 900 page manual before being able to properly use their PC securely, they are are going to politely tell you where you can stick your 900 page manual. However it’s all due to the fragility of our technologies. If we block off enough ports and lock down the OS enough, we obtain a secure system for your average end user and below. The problem with this is that the aforementioned system is so crippled that it’s usage is severely limited. We get to the age old trade off of Security vs. Convenience.
It’s a no-brainer really. Make a system completely open-ended and loose and it’ll have more holes in it than your old mans sweater. Start to secure it, and the usability takes a nose dive. The funny thing is, if I drew an imaginary graph of convenience vs security the graph wouldn’t do exactly what you’d expect. You might expect a nice linear relationship. As the security increases, convenience decreases. Then you hit a magical point I affectionately like to call, the point of subversion. You see, on the convenience axis there is a line, a threshold if you will, the end-user stupidity threshold. If convenience dips below this line, a user will take steps to make the system more usable to them. Oh how helpful, you may be thinking. Nine times out of ten, it’s not. The reason for the name, the point of subversion is that this is where users begin to subvert security. Let’s follow a case study…come on boys and girls, gather round…..everyone got their carton of milk and sarcasm suppression hats?? Excellent, then here we go.
We have a small company, we’ll call them Aturd Technologies. They start off with an office and 4 PCs. As the company grows, they introduce passwords to the system. The graph maintains it’s shape. Then they introduce access control, still the graph roughly maintains it’s shape. Then they mandate password changes every 30 days. Bingo. We hit the threshold. 40% of users are now incapable of remembering their password correctly, and so write it on a post-it.
We obtain our first tooth in the graph, and indeed in the mouth of the end user, determined to bite the IT departments loving and generous hand. The graph continues, security increasing slightly, users being educated, when Aturd Technologies decides to implement proxy servers. Another tooth, as users start to bring in home laptops. You get the general idea.
The key to this is education. Maybe this is what the media is trying to achieve. The problem is, they typically educate John Baggins with information about dangers and threats which aren’t so pertinent to him, ie threats confined to dealing with corporate security, and then try to fix the problem by giving some wishy washy advice which is about as useful as a sledge hammer made from cucumber pulp.
What we need is one of two things, a system that doesn’t break or get attacked (Never going to happen), or an end user that understands about all the avenues of attack and their associated mitigation techniques (Very few of these rare gems actually exist in the real world. Much more common is the “I think I know everything about everything, but I don’t even know what TCP/IP stands for really.”) So again we have to settle for a happy medium. For me anyway that means a) good solid education of users, without introducing false hopes, Product X isn’t the only “real” solution out there, and b) locking a users system down sufficiently well.
It extends into area of blame too. Recently I was on a train whilst a user was looking at a highly confidential report from their workplace. I actually contacted the workplace and made them aware of the issue. The person on the other end of the phone seemed far more interested in finding out who the user was, as opposed to what I had seen and how.
Unfortunately, we live in a dangerous world where security is all around us. It’s part of almost everybodies lives, yet how often people don’t understand the reasons why they have a rotating password, or a captcha on a contact us form. People generally hate doing something without understanding why. This is where a lot of education goes wrong in my opinion. To adapt a well known phrase. “Give a user security advice and they’ll use it, just for a day. But give them the understanding of what the guidelines mean, and they’re far less likely to put your bits and bytes in the hands of attackers.”
* Before I get a deluge of emails telling me that ROT13 doesn’t apply to numbers. What a surprise, I already know. It’s called sarcasm. There was another example of it in this sentence. Can you spot where it is. Answers on a postcard.