Just Say No to the Yes-Box
The greatest cop-out in computer security is leaving it to the user. In the old days, this meant telling people what features of their computers not to use. They gave us email attachments, so that we could never use them for fear of viruses. They put all sorts of insecure features into web browsers so that we’d have something to spend time turning off. Every time the security implications of a feature were not thought of by the developers, responsibility was left to the user to decide how much of their software was safe.
We’ve improved from those days, but not much. Now, the software itself does most of the nagging. Windows Vista is now infamous for “UAC”, the technology which causes the little dialog boxes to pop up and ask if you’re really sure you wanted to do that. Really, really sure? Maybe you want to call your parents and ask if it’s okay?
Most people will click “yes”. Most geeks will tell most people to click “yes”, because we’ve basically given up on teaching the world how to truly make this decision. And so, the box becomes a yes-box, a mere additional annoyance to an already insecure system. Plus, whenever someone is brave enough to click “no”, it usually results in some essential piece of software failing to start. So we train people to click “yes” every time.
But UAC isn’t the only villain here. For a long time, people have assumed that something being digitally signed meant it was secure. True, from a purely theoretical, technical standpoint, good encryption and signing schemes are nearly unbreakable. But this ignores the human component. The average user won’t notice the difference between “mozilla”, “moziIIa” and “mozi||a”. This is why the vast majority of phishing scams use typos and names that look like each other to forge their identity, rather than trying to duplicate a certificate.
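The “mozilla” / “moziIIa” / “mozi||a” point is exactly the kind of comparison software can make for the user instead of leaving it to a dialog box. Below is an added example (not code from the original post) of a defender-side check that reduces a publisher name to a confusable-insensitive skeleton and flags names that collide with, or sit one typo away from, a trusted one. The allowlist and the confusable table are constructed for the example and are deliberately small.

```python
# Added example, not from the original post: flag publisher names that are
# visually confusable with a trusted one, so the "is this really Mozilla?"
# decision is made by the software rather than by a user squinting at a box.
import unicodedata

# Hypothetical allowlist of trusted publisher display names (assumption).
TRUSTED_PUBLISHERS = {"mozilla", "microsoft", "google"}

# Characters that look alike in common UI fonts, each mapped to one canonical
# stand-in. Constructed for this example; a real table would be far larger.
CONFUSABLES = {
    "l": "i", "1": "i", "|": "i", "!": "i",
    "0": "o",
    "5": "s", "$": "s",
}


def skeleton(name: str) -> str:
    """Reduce a publisher name to a form in which lookalikes collide."""
    # Strip diacritics and fold case so 'Mícrosoft' and 'MICROSOFT' agree.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower()
    # Two-character lookalike: 'rn' reads as 'm' in many fonts.
    text = text.replace("rn", "m")
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance, used to catch single-typo names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(name: str) -> str:
    """Return 'trusted', 'lookalike', 'near-miss' or 'unknown' for a name."""
    if name.lower() in TRUSTED_PUBLISHERS:
        return "trusted"
    sk = skeleton(name)
    trusted_skeletons = {skeleton(t) for t in TRUSTED_PUBLISHERS}
    if sk in trusted_skeletons:
        return "lookalike"      # identical once confusables are folded
    if any(edit_distance(sk, t) == 1 for t in trusted_skeletons):
        return "near-miss"      # one typo away from a trusted name
    return "unknown"


if __name__ == "__main__":
    # Constructed sample names, including the three from the post above.
    for candidate in ["mozilla", "moziIIa", "mozi||a", "rnozilla",
                      "Mícrosoft", "mozila", "acme"]:
        print(f"{candidate!r:12} -> {classify(candidate)}")
```

The skeleton step is a miniature of the confusable-skeleton idea from Unicode TS #39; the point of the example is that a “lookalike” or “near-miss” verdict is something the system can act on (block, quarantine, or at least refuse to present as the trusted brand) without asking the user to spot the difference themselves.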
It’s time to stop pretending this is a solution. Once again, we are simply passing the task onto the user. Teaching computers to recognize software publishers by signature and question the safety of actions means nothing unless their users know how to interpret these messages. We have to move away from this delusion and back to the real essence of security. The anti-virus/anti-spyware/firewall should be able to determine if something is dangerous; isn’t this why we have those? Granted, there is plenty of room for improvement here, but imagine if we could focus our energies on the real tasks and stop chasing hype?