::scr Internet Explorer - Danger in numbers?

David Cantrell scr@thegestalt.org
Wed, 6 Mar 2002 19:27:56 +0000


On Wed, Mar 06, 2002 at 04:32:18PM +0000, Simon Wistow wrote:

> The big problem, in my opinion, is that they put usability before
> security.

Not really.  Security needs to be designed in right from the start, but
once it is, it need not get in the way of usability*.  Microsoft's problem
is that they didn't design it in from the start.  Unfortunately, because
they have such a huge legacy code base and because their 'current' apps
and OSes are nothing more than re-hashed versions of older ones with maybe
a few extra features bolted on, they can't easily make them secure.  That
would require a from-scratch re-design and a rewrite.

>           The Mac-heads here will be chuckling about Windows and its
> HCI problems (at which point I could just *cough* trash can to eject a
> cd *cough* glare at them)

That's far from the worst failing of the Mac OS interface design :-)

> Basically there's a paradox (schism? difference of opinions?) - to use
> security effectively you must really understand it

This is true.  However, they could ship their products so that they are
at least not dangerous by default, and give the users the option to turn
bits of it off.  Still wouldn't be secure, but it would be less bad.

You're right in realising that any security is doomed to failure if the
people using it don't know about it and value it.  Technology can't solve
this problem alone (DJB's ultra-secure DNS and mail servers *can* be
configured to circumvent most of his safeguards).  Technology *can*,
however, put you in a position where you are guaranteed to fail (hello
all you Exchange lusers!).

>                                                    but part of using an
> interface is that you shouldn't have to understand it - it should just
> work.

No, no, a thousand times no.  A computer is a tool.  I see no problem with
people having to learn and understand their tools before use.  You wouldn't
expect anyone to be able to pick up a multimeter and debug the wiring in
your flat, or a stethoscope to debug your heart, so why on earth should the
tool that sits on your desk be different?

> This paper : 
> 
> "Why Johnny can't encrypt" http://www.cs.cmu.edu/~alma/johnny.pdf 
> 
> is really interesting on the subject. Essentially it talks about how
> security is useless if it's not used properly and how a new conceptual
> model is needed.

It's a very well-thought-out paper.  But I'd find it more useful if it
had some suggestions as to how to be both secure and as easy to use as
modern desktop software is alleged to be.

> So, is useable (intuitive?)  *and* secure software an impossibility?

Useable != intuitive.  Useable implies easy to learn and consistent.
There's nothing intuitive about computers at all.  Security will never
be intuitive, cos we're not used to stuff being secure in the real world.
At all.  Even in supposedly secure environments which we're all accustomed
to, like dealing with one's bank, I see egregious errors.

Here's an example: earlier this week, I rang $credit_card_co to pay a bill.
I bounced around the 'orrible menu system for a bit, typed in my card
number, bounced around the menu a bit more, then was asked for the 1st and
3rd digits from my pass code, which I put in.  Then I got lost in the menus,
couldn't back out, so hung up.  I rang 'em again, bounced around until I
was asked for the 2nd and 4th digits of my pass code, which I put in, and
eventually paid the bill.  Each of those two calls, taken in isolation, is
sufficiently secure** to satisfy me.  Together, they contain enough info for
someone to deduce my four digit pass code and hijack the account.  All it
requires is one disgruntled BT employee with a tape recorder hanging off the
line to $call_centre.  And such BT employees do exist.

There are several solutions to this, at least some of which should be
obvious to all presently assembled.

* - postfix, for example, is designed to be secure, but is remarkably easy
to set up and use.  At least for an MTA - compare to the pig's breakfast
that is sendmail, the bizarrity that is qmail, or the undocumentedness that
is exim.

** - there is of course no such thing as completely secure.  A desktop OS
which doesn't come with umpteen gazillion sploitable features turned on
by default could well be sufficiently secure for some users.

-- 
Grand Inquisitor Reverend David Cantrell | http://www.cantrell.org.uk/david
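The two-call pass-code leak described in the post, as an added example that is not part of the original message: a small Python model of a call centre that asks for two positions of a four-digit pass code per call. It compares the behaviour David describes (fresh positions on every call, so a tap on two calls recovers the whole code) with one of the obvious mitigations (the same positions are reused for an account until a rotation window expires, so ringing back leaks nothing new). The pass code `5279`, the position script `(1,3), (2,4)` and all class and function names are constructed for the demonstration.

```python
import random
from itertools import cycle

CODE_LEN = 4      # four-digit pass code, as in the post
DIGITS_ASKED = 2  # two positions are requested per call


def random_picker(rng=random):
    """Draw a fresh pair of 1-based positions at random (a real system would do this)."""
    def pick():
        return tuple(sorted(rng.sample(range(1, CODE_LEN + 1), DIGITS_ASKED)))
    return pick


def scripted_picker(sequence):
    """Constructed, deterministic picker for the demonstration: replays the
    position pairs in `sequence`, e.g. the (1,3) then (2,4) of the post."""
    it = cycle(sequence)
    return lambda: next(it)


def answer(code, positions):
    """The digits a legitimate caller keys in for the requested positions."""
    return tuple(code[p - 1] for p in positions)


def reconstruct(observed, code_len=CODE_LEN):
    """Merge the (positions, digits) pairs overheard on tapped calls into what
    is now known of the code: a digit, or None, at each position."""
    known = [None] * code_len
    for positions, digits in observed:
        for pos, digit in zip(positions, digits):
            known[pos - 1] = digit
    return known


class FreshPositionsEachCall:
    """The behaviour the post describes: every call asks for newly chosen
    positions, so each extra call leaks a different slice of the code."""

    def __init__(self, pick):
        self.pick = pick

    def challenge(self):
        return self.pick()

    def rotate(self):
        pass  # nothing to do; positions change on every call anyway


class StickyPositions:
    """Mitigation: one position set per account per window (a day, say).
    Ringing back inside the window asks for the same two digits, so a tapped
    pair of calls yields no more than a single tapped call would."""

    def __init__(self, pick):
        self.pick = pick
        self.current = None

    def challenge(self):
        if self.current is None:
            self.current = self.pick()
        return self.current

    def rotate(self):
        """Window expired: the next call draws new positions."""
        self.current = None


def eavesdrop(challenger, code, calls):
    """Simulate `calls` calls inside one window, each answered by the genuine
    caller and recorded by a tap on the line; return the eavesdropper's view."""
    overheard = []
    for _ in range(calls):
        positions = challenger.challenge()
        overheard.append((positions, answer(code, positions)))
    return reconstruct(overheard)


if __name__ == "__main__":
    code = "5279"             # constructed sample pass code
    script = [(1, 3), (2, 4)]  # the order of challenges in the post
    print("fresh positions :", eavesdrop(FreshPositionsEachCall(scripted_picker(script)), code, 2))
    print("sticky positions:", eavesdrop(StickyPositions(scripted_picker(script)), code, 2))
```

With fresh positions the second call completes the eavesdropper's picture; with sticky positions any number of calls inside the window reveals the same two digits. The trade-off is that a slice, once overheard, stays valid until the window rotates, so the window length is a deliberate choice rather than a free lunch.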