Ugh. You know, sometimes in security there are heavy issues you just don’t want to have in front of your face, but then you walk away and come back and see them again, and it instantly brings the pot back to a boil (not an angry boil, just a boil).
That is how I feel when I write and erase and rewrite about articles about Cormac Herley’s [pdf] paper last year. I walked away to lunch, decided not to post, and started closing my windows until I got back to the originator for today: the Boston Globe with this tagline: “You were right: It’s a waste of your time. A study says much computer security advice is not worth following.”. (via Liquidmatrix) Yeah, I knew the moment I saw this paper, that it would make misguided headlines just like this (to its credit, the headline is the worst part, and likely not even written by the author but rather an editor).
It is not so much the article as it is the 120+ comments atttached to it, which lend importance to the topic…most of whom have no idea about the costs involved in building an infrastructure correct the first time versus how pretty much all of them are built today: grown. Over time. Over years. A one-off app written 4 years ago suddenly gets a few late features added which makes it mission critical for 75% of your staff…and so on.
I agree with what Chandler Howell (NewSchoolSecurity) said; actually two things he said. First, the paper seems incomplete, or at least basically tries to monetize the bitching of users, but doesn’t seem to have any idea what to do about it (like so, so, so many other
Of course, that means tipping the scale between user education vs technological (in this case, what I read as transparent) controls closer to the technological controls side. Larry Pesce also opined (Fudsec) about this in regards to the futility of user education. Perhaps user education does still have a point. The paper makes an attempt to demonstrate that user “stupidity” is a rational behavior. But would user education actually demonstrate why that rational behavior is in fact wrong? (“Rational” is being used in the “justified” sense.) Is it rational for users to open email messages, or should that actually *not* be the rational action when the user knows and accepts that someone from Nigeria probably wouldn’t be emailing them?
Nonetheless, read the comments on the Boston Globe article for the “user” viewpoint. Read the comments on the other articles I posted for security professional opinions. Yes, something is wrong, but I think much of it still has to do with: people making mistakes; economics (which has various influences here!); cost (again, various angles); and how IT does business fundamentally. (Mycurial had a great comment on the Fudsec article) Really, unless security has true demonstratable value to your organization, it *has* to be lagging behind attackers, technology, implementations, and IT in general. (I know, that’s an arguable point!)
Anyway, this is me sharing my growling. 🙂 …and adding another rant! I can rant about people ranting who don’t have any solutions, but I’m answering back with more ranting with no solutions as well. I guess the most I can hope for is some cathartic release!