28 December

<ecksor> I settled down to read the holsta christmas diary special and 
         was bitterly disappointed :(

Photos Show George W. Bush Seriously Ill Physically

22 December

What the fuck? liebach!

21 December

Tonight was dedicated to a serious dose of metal. First Dimmu Borgir's Death Cult Armageddon and Enthrone Darkness Triumphant back to back, then all of To Welcome The Fade by Novembers Doom and finally Nymphetamine at full blast. It's at the same utterly fantastic level, maybe even slightly higher, of Cruelty and the Beast. The title track, Nymphetamine (Overdose), really gets under my skin. I also really enjoyed Gilded Cunt, Gabrielle and Mother of Abominations. This is the first time I really listened to that album properly. Big mistake. Next on the playlist were various songs from Flowing Tears, most notably Godless, Sistersun and Lovesong for a Dead Child.

Opeth and I have a hot date with Allan next week.

19 December

Technical analysis of the UN bugging device.

17 December

Blabbering Web Usability Specialists Are Not The Answer to Security Problems.

Jakob Nielsen claims User Education Is Not The Answer to Security Problems. This is the most preposterous statement I have heard in a very long time. To make matters worse, the statement is backed up by (horrible) analogies to the old Wild West and cars. The summary is a little more cautious: 'users cannot defend themselves at all times' - I agree. It makes sense, for example, to use central mail-scanning tools that silently dispose of spam and known malware without ever bothering the user. There is a fine line between being able to reliably recognise known junk and providing a false sense of security, and it seems to me Nielsen is not aware of this.

Let me address the article in full:

"Security experts are advising companies to better educate users" says Nielsen. I cannot recall the last time any mainstream media or large corporation said anything but "firewalls and anti-virus" in relation to information security. I am delighted to learn there are alternate views being presented.

Nielsen goes on to claim that user education does not work. In general, I think the last 2000 years of human evolution prove him wrong, but I want to avoid analogies as much as I can. The primary reason user education in information security does not work is because, in most cases, it is not done. At all. In the rare cases where users are subjected to some kind of training, it is usually based on Fear, Uncertainty and Doubt. I have personally had great success with teaching people who were motivated to listen and learn. Indeed, it does require the user to be motivated to listen and learn. This motivation may originate in the fact that they like to keep their data to themselves, or that they may get fired if the company security policy is violated.

Somewhere down the line I hope much of this motivation will originate from the fact that negligence in information security has been made illegal, much as it is today when it comes to taxes, automobile and building safety and so on. If a user's negligence subjects others to risk by allowing criminal abuse of their PC or wireless access point, I think it would be fair to introduce some sort of consequence on the responsible individual.

Nielsen agrees that you can tell people not to click on attachments but then notes malware will disguise itself as being from people you know. This is exactly where user education should kick in. I too receive lots of attachments to my work account. This can almost always be traced immediately back to a project I am working on or a recent discussion about something. I do not receive attachments out of the blue with no explanation of why a particular file should be relevant to me. Do you? Is it unacceptable to expect a human-readable introduction if people expect you to be able to evaluate and prioritize your workload?

User education puts the burden on the wrong shoulders, Nielsen claims. As this is not a movie, I will not comment on the Wild West analogy but simply conclude that he presents no arguments for this point of view. Users already carry the burden of so many other things they probably do not understand very well, but they understand it well enough to know there are consequences if certain rules are not followed - and in most cases they know where to purchase assistance in complying with these rules. Automobile mechanics and tax attorneys come to mind but I really hope you see the point without me having to conjure up some silly analogy.

I agree that security problems will scare users and cause slowness in adopting use of the internet as part of their daily lives but I fail to see how this ties in with the rest of the article.

Speaking about users and the Web as the seedy part of town, Nielsen comments: "We can't continue to deprive them of protection". This sounds like something Bush would say. There is only so much 'protection' to offer. I am not going to bring any more examples into this discussion as I want it to stay focused on the important aspects. Suffice it to say, if you do not exhibit common sense (in real life) you are at greater risk (of financial ruin, injury or death). People simply need to be taught what common sense is, in the world of computers.

Nielsen spends some time hating the Lock Your Car analogy and then says: "the average household need only protect itself against average burglars" - I am not entirely sure what that means but allow me to retort with: "The average PC user need only protect themselves against average IT criminals".

We are rarely dealing with masterminds who find and exploit security bugs in widely used software before anyone else knows about them. The majority of attacks are best classified as 'ankle-biters', but because users have not been trained to ignore them (or because their protection technology has not been updated for 3 months) these attacks succeed. As software becomes more resilient to automated network attacks, the user is going to become an even bigger target, which is what the flood of phishing attempts shows.

Most users cannot defend themselves against unpatched software vulnerabilities except by using software designed to not leave them completely at the mercy of attackers when flaws occur. Windows is still not such a piece of software. Even worse, most personal firewalls, anti-virus software and protective middleware that sits between, say, IE and the rest of the world do not constitute "defense in depth". Defense in depth requires the attacker to get through several layers to complete an attack. Today's security software is not only vulnerable to the exact same problems it is "protecting" against, but the current class of such software is not designed to contain an attacker, should he attempt to exploit a security flaw in the protective software itself.

Not only do I disagree with Nielsen's assessment of the value of user education, I also think he is taking a somewhat simplified view in suggesting solutions.

He states the solution includes 1) encrypt all information at all times, and 2) digitally sign all information to prevent tampering. I am a little ...unsettled by this approach. I cannot count the number of times security professionals have mockingly used a phrase similar to this: "The email attachment you received is encrypted and signed by Somebody. Do you want to launch it?" -- encryption and signatures simply cannot stop a user from doing bad things.

Nielsen also wants to "turn on all security settings by default" whatever that means. I doubt he has any idea what this involves. Something like Windows simply would not work very well if it:

With that said, I am all for making software and its security features more usable, possibly by automating certain tasks such as automated downloads and installation where appropriate.

I do not think, however, it is too much to ask that users follow simple rules about proper computer use on the same level that most people understand many other aspects of their life. I wonder how many people would respond with their credit card details if their bank sent them a posted letter which required a response to avoid having their account closed down.

Whenever I make comments to friends about the usability of their website, I reference Nielsen's work and tell them to go read his notes on the matter. I think it's only fair that he reference mine and that of other security professionals when making comments about information security. He can even read Danish so there is NO EXCUSE.

16 December

I feel another rant coming on.

In Service Pack 2 for Windows XP, Microsoft have made various interesting changes to automatic updates but they stopped before getting to the really interesting and flexible parts. You can now define if Windows should download and auto-install security updates for you. Me, I prefer to just be notified and then download any relevant updates myself. Being notified happens using a balloon popup from the Automatic Updates icon in the system tray. This only works for administrator accounts.

Would it have been so terrible to allow administrators to define arbitrary users or groups of users that would be able to make these decisions? It would go a long way towards making the world of Windows users log in as restricted users instead of administrators. Talk about the perfect example of Secure the Interface and Least Privilege: authorized yet restricted users would be able to approve/choose which trusted updates from Microsoft they would like to install - and when they would like this to happen.

But noooo. That would have been really useful to power users - or anyone who ever felt like wanting to update their laptop, just not at any point during the next four hours devoted to an important meeting. (Incidentally, this is how the SMS 2003 agent ought to function in corporate networks if it doesn't already. Feel free to assume the user is a complete moron, but let non-morons take control.)
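For reference, the mode and schedule the entry above complains about are driven by a handful of registry values under the Automatic Updates policy key. The script below is an added example and not part of the original post: it reads the current policy with reg.exe and sets the "notify me, I'll download it myself" mode. The key path and value names are the documented WindowsUpdate.adm policy settings; the meaning of each AUOptions value is given as I recall it, so verify against the policy template on your build before rolling it out.

```batch
@echo off
rem Added example: inspect and set the Windows XP SP2 Automatic Updates policy.
rem Run from an administrator account; the values live under HKLM.
set AUKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

rem Show what is currently enforced. reg.exe reports an error if no policy is set,
rem in which case the per-machine defaults from the Control Panel applet apply.
reg query "%AUKEY%"

rem AUOptions (as I recall the documented values):
rem   2 = notify before download (the mode the entry above prefers)
rem   3 = download automatically, notify before install
rem   4 = download automatically, install on the schedule below
rem   5 = Automatic Updates required, but the user may choose the mode
rem NoAutoUpdate=1 would switch the service off entirely, so it is pinned to 0 here.
reg add "%AUKEY%" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%AUKEY%" /v AUOptions    /t REG_DWORD /d 2 /f

rem Only consulted when AUOptions=4. Day: 0 = every day, 1..7 = Sunday..Saturday.
rem Time: hour of day, 0-23. Set now so a later switch to mode 4 lands at 03:00
rem instead of in the middle of a meeting.
reg add "%AUKEY%" /v ScheduledInstallDay  /t REG_DWORD /d 0 /f
reg add "%AUKEY%" /v ScheduledInstallTime /t REG_DWORD /d 3 /f

rem Confirm the result.
reg query "%AUKEY%"
```

These values set the mode and the install schedule only; they say nothing about which accounts get to see the notification balloon, which is the delegation the entry above is asking for.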

14 December

Oh baby. Cradle of Filth are playing Amager Bio next year. Guess who's going.

My wife-to-be is guilty of the most degrading and cruel treatment you can imagine. For example she starts to giggle when I am fully concentrated on optimizing the location of the food on my plate before I start to eat. This also happens, in public, when she has finished her meal and I am only half-way through mine. This saddens me greatly. As if food related torment was not enough, she clearly finds it amusing when I calmly reach for the car radio and switch it off when crap music comes on. Why do I subject myself to such betrayal, you ask. Good question. I promise to keep you posted!

Speaking of painful experiences that will scar you for life, I accidentally discovered Eric S. Raymond wrote a series of articles called Sex Tips for Geeks. As with anything, I think it is important to consider the source.

11 December

There is a particular rant I have kept bottled up inside me and I cannot contain it any longer.

I want you to imagine that you are managing a small team of individuals performing helpdesk duties for several thousand users. You are new to the position and have only taken over the job because senior management finally discovered what a tosser the previous manager was. Your staff understandably does not feel very loyal at all and the unbalanced ratio between helpdesk staff and userbase leaves them quite stressed on a daily basis.

You, as the new and improved manager, must react. What will you do? Will you hire a few more people and train everyone on technical tidbits and how to 'control' calls so little time is wasted on pointless chitchat? Maybe even provide automated solutions to the most common problems your staff faces when handling customer issues? Or will you supply each member of your staff with an audio CD of relaxation music and consider the matter closed?

The helpdesk manager went with the audio CD solution. Yes, this is the same place where the influential people involved in development of desktop systems cannot see the point of revision control, issue trackers and build tools.

miracle survived another remote upgrade the other day, this time from OpenBSD 3.4 to 3.6. The CMOS battery had been drained so local assistance was required to press F1 to continue booting. A new battery will be installed along with more memory at some point, probably around 3.7 release.

1 December

A port of Subversion was committed to OpenBSD today.

A few days before leaving Dublin in 2002 I recall a story on the news about a gang who had attached recording devices to ATMs. The devices would read the data from the card as it was inserted into the machine and a camera would capture the PIN. The gang then created their own cards and started making withdrawals from people's accounts. An identical case has just gone to trial in Denmark.

I discovered a most enjoyable resource today. The Internet Archive has an audio library with thousands of high-quality concerts by known and unknown bands. For example, there are 19 recorded shows by Tenacious D and 2774 recorded shows of the Grateful Dead available for streaming or download. Completely free. I spent a few hours today listening to Glen Phillips live at Messiah College.

When C|Net acquired mp3.com and decided to get rid of all the MP3s, I know archive.org stepped up and offered to host every single one free of charge. I thought that would be way beyond their capabilities but clearly not. C|Net declined for reasons best known to someone else. Who needs new releases on shitty copy-controlled disks, I ask you.