RE: Summary: Growing Bad Practice with Login Forms

["Yvan Boily" <yboily () seccuris com>]

To play the devils advocate, how many people actually take this kind of
responsibility for other, far more critical matters?

Many people do not behave interactively in important situations because
everybody tends to specialize.  I freely admit that I could not fix my car
beyond changing fuses, changing oil and such, not because of ignorance, or
stupidity, but rather because I would prefer to spend my time researching AI
or some other more interesting topic than learning how to fasten two widgets
together with a gasket.  Does this mean I don't take my safety seriously
when driving?  I listen to my vehicle and pay attention for weird noises,
and get it serviced when it, or my mechanic tells me to.  Personally, I
would rather my doctor spend his time reading medical journals and improving
his knowledge so that he can catch whatever bizarre and rare disorder or
bacteria that affects me instead of puzzling over which button to click
where to attempt to understand if a connection is secure.  Specialization is
what has allowed us to develop the technology that we have all started to
take for granted.

Computer users have been trained to trust their computers by the industry
for the previous 20 years.  We have told them (and even though I am only 27
I include myself; I have been guilty of this when I was peddling custom
software as a teenager) that computers will help them work faster, more
efficiently, and safe time and money.  Also we have told them that storing
personal information on their computers is safe as long as there was a
backup (and it was until some gomer came up with the idea of connecting
everyone under the sun to the internet).  Now after two decades of this
behaviour we have to re-educate them to understand that personal information
needs to be protected, and that they need to actually understand what their
computer is doing.  

When you compare this to the challenges presented to the security industry
by marketing and sales it is rather daunting.  You have a small group of
people saying "You need to learn more and work harder to make your system
more secure, and stop being such a stupid user" against an ocean of software
vendors, marketing teams, and profiteers saying "buy this magic bullet to
protect your information and stop evil hackers and viruses with no extra
effort".  People do not pick the marketing people because they are dumb,
they pick the marketing people because they are not being degraded, and they
are not being told that they have to do extra work.

I personally have no problem stomping on programmers when I am performing a
code audit, or flaming network engineers when I am assisting with a VA, but
only if they deny that security is an issue, or disagree (to the point of
ignorance or belligerence) with a perfectly valid assessment of a
vulnerability because it makes them look bad.  Don't stomp on users because
they have not chosen to specialize in understanding computer technology.
They could probably take you to the streets in their area of specialization
and think you are a chump for not understanding what seems basic or trivial
to them.


Regards,
Yvan


> -----Original Message-----
> From: David Telfer [mailto:david.telfer () ostechnology co uk] 
> Sent: Wednesday, July 28, 2004 10:16 AM
> To: webappsec () securityfocus com
> Cc: ivan.hernandez () globalsis com ar
> Subject: Re: Summary: Growing Bad Practice with Login Forms
>
> On Wednesday 28 Jul 2004 14:27, Ivan Andres Hernandez Puga wrote:
>
> > Anyway, there is no application without user. Why don't you 
> try to learn
> > what's wrong with your poin of view instead of blaming the 
> 99% of non
> > techie people?
>
> His point of view has some foundation.  Your personal information is 
> ultimately your responsibility.  A lot people are wary of 
> real word security 
> implications, card skimming and tampered ATM machines for 
> example.  They 
> would not insert their bank card into an ATM machine that 
> looked abnormal.
>
> Many of the public would never check public keys or 
> certificates though.  
> Surely taking some responsibility for your own personal 
> information should be 
> assumed.
>
> On the other hand it is the responsibility of the site 
> developer to be verbose 
> as much as possible in security provisions.  Ways to help the 
> "non techie 
> people" secure their data should be under constant development.  
>
> I am unable to find the post, but the suggestion of pass 
> phrases that the user 
> holds would surely help.  Showing characters x and y to a 
> user and getting 
> them to verify them against a given phrase (provided 
> non-electronically, by 
> normal post perhaps) would allow the user to verify in her 
> own mind that the 
> site is legitimate before entering login information.
>
> > athena () buyukada co uk wrote:
> > > > Users are stupid, unpredictable, and applications would 
> function a lot
> > > > better without their interaction.
>
> Perhaps intended to be tongue-in-cheek somewhat?  None of us 
> deny the point in 
> the technology is for the user.
>
> David Telfer