On Sep 24, 2008, at 5:45 PM, Perry E. Metzger wrote:

Jim Youll <[EMAIL PROTECTED]> writes:
I think it's got to be said that it's not apparent that the end-users
are the /idiots/ who should be called out for "failing" this study.

"We" gave them these interfaces, protocols and technologies that
allow for things to go so badly wrong. Nothing in the world required
the technology ecosystem to become what it is, except design
decisions that were (and are) made well out of the sphere of
influence of mere "idiot users."

This stuff was designed and shepherded to market by the modern
captains of industry, by rock star developers and wünderkinden.

When a real engineer builds a bridge that falls down, we blame the
engineer, not gravity.

419 scams are not caused by bad interfaces or bad engineering.
Phishing is, but clearly not all con games are, and con games are
remarkably profitable.

The article and the study concerned user vulnerabilities compounded
by poor user interfaces and poor underlying architectures. I was addressing
my comments toward the study generally, and to the inappropriate but
common tone of the article, in particular, not to other out-of-band
issues. There are many risks in the world. I see in that study some confirmation
that poor design has made certain of those risks worse.

I was having a discussion over lunch about a week ago with a couple of
pretty well known security people (one of them might pipe up on the
list). We were considering what would happen in a particular seemingly
foolproof system with a trusted channel if someone got a message via
an untrusted channel saying...

 "Now, to complete your book purchase, the trusted system is going to
  say "If you press "YES", you're going to send all the money you
  have in the world to a con man in Nigeria" -- this is
  normal. Please press yes when it says that."

...a large fraction of users would just press "YES".

Straw man.

I don't want to claim that there is no place for better human factors
work in security engineering. There clearly is. However, I will
repeat, that is not the only story here, and it is not unreasonable to
note that there are people who are clearly nearly impossible to
protect with almost any level of human factors engineering and
security technology.

Considering the magnitude and frequency of losses that apparently occur
through these technologies, and the fact that the crypto and security
technologies are pretty far evolved and seem to work well if used well,
I would counter that human factors are just about all we should be
worrying about right now, if we hope to ever make online activities as
safe as they should be.

---------------------------------------------------------------------
The Cryptography Mailing List