Slashdot Mirror


Are Usability & Security Opposites in Computing?

krozinov writes "Instinct tells us that computer security and computer usability are inversely proportional to each other. In other words, the tougher and stricter the security is, the less usability there is, and vice versa. However, there have been plenty of cases where both computer security and computer usability went hand in hand with each other and actually improved together. In the last few years security has been the biggest buzzword in computer systems and as such has become part of our computer systems. Before that, computer systems were all about getting it done faster and easier, but now they must also do it securely. Can the two continue growing together? This paper argues that they can, as evidenced by the most recent Indian Assembly Election."

6 of 253 comments

  1. No. by sporty · · Score: 3, Informative

    I can make a horrible-to-use app that is insecure, and with a bit of effort, make a system that is secure, but easy to use.

    Take pgp and email. There are TONS of plugins for various email clients to support signing and encrypting email. Yes, encryption can be broken someday, it's true, but if someone made a plugin that bumped it to 16k keys, it's easy and fairly secure. If people are further educated and enforced to not share their password and private key, it's quite possible.

    If you make a system that requires dozens of passwords to do things, duh, people will reuse their passwords or make them simple, or worse yet, put them on their monitors.

    --

    ping -f 255.255.255.255 # if only

  2. Article summary by daveschroeder · · Score: 4, Informative

    Q. Are Usability & Security Opposites in Computer Systems?

    A. Yes, for instances where security measures do decrease usability. No, for instances where they don't.

    A2. Yes, for instances when software makers don't care about security, nor about integrating it properly. No, for instances where they show they care about security and want to do it properly.

    Come on, seriously. Sometimes, various measures for security make things "harder" to use. But there are so many things which define "security". Authentication, authorization, encryption, access, and each at several different levels.

    The ultimate answer is, yes, security and usability are opposites when the responsibility for the security measures rests entirely upon the end user. Simple example: Make a user have a password, and they'll make it their dog's name (not secure). Force it to be too complex, and they'll forget it (not usable). Mandate that it be changed every week AND be too complex, and they'll write it down (not secure or usable).

    When the security measures are administered by a skilled external entity (such as a knowledgeable and sensible IT staff) or integrated seamlessly into applications and operating systems (by knowledgeable and sensible software makers), they can be "usable". In fact, "usable" is the wrong word: it should be "transparent".

    There are ways to make good security - whether it's for an entire organization or a single workstation - usable, and non-intrusive. It just takes someone with the skill, knowledge, and foresight to do it.

  3. Re:Usability? How about accessibility? by maxwell+demon · · Score: 2, Informative

    Perhaps many passwords presents a different problem, but one of the supposed ideals behind biometric data is that it can be greatly complex and yet still readily available. But does that mean it's less secure?

    Definitively: yes.

    Don't base your security on something you cannot change easily.

    If your password is compromised, it's a no-brainer to change it. Your biometric data may be harder to compromise, but if it is, how do you change it? Surgery?

    --
    The Tao of math: The numbers you can count are not the real numbers.

  4. Re:Symantec says "Yes!" by gcaseye6677 · · Score: 3, Informative

    Norton products are perfect examples of security made so cumbersome as to be useless. Every machine I've ever used with Norton Internet Security has some major function, such as network connectivity, disabled until Norton is shut down. After enough tinkering, you can get Norton to work and still allow yourself to use the internet, or print, or whatever. As soon as you change anything, time to reconfigure Norton. Then there's the incessant popup nagging reminders or alerts. I'll take viruses and spyware over Norton any day. I just wonder how much longer this company will be able to continue living off their reputation, since it is the only way they can get people to buy their overpriced bloatware.

  5. I'd say not by RAMMS+EIN · · Score: 2, Informative

    I don't think they are exactly opposites. There are situations where they conflict; e.g. having to enter a password before you can use a service.

    Actually, security and usability often go hand in hand. I don't think email would be very usable if people constantly messed with your account. Another example is Windows vs. GNU or BSD: I think Windows has very low usability, due to the knowledge and action required to keep the system healthy. Part of this stems from the bad security of Windows. (puts on asbestos underwear)

    --
    Please correct me if I got my facts wrong.

  6. Re:Well, here's an experiment you can do at home.. by Politburo · · Score: 2, Informative

    but of course the windows update page only lets you in if you are on a Microsoft Operating System.

    Windows Update, that is windowsupdate.microsoft.com, will only work on MS operating systems using IE. However, patches and service packs are available as binary downloads through the Microsoft Support Center (or whatever they call it) from any browser, any OS. Last time I went to Windows Update, I seem to recall that there was a link to the Download Center where you could download these binaries outside of the 'Windows Update' system. Here is the Download Center.

    I however fully expect to have to reinstall everything from scratch in a few months when the next gaping hole is discovered.

    Then you've bought into the FUD here. I keep my Win2k box somewhat updated, but strictly firewalled with the unnecessary services turned off. I have not had to reinstall the machine since I got it almost a year ago, and my previous machine ran for years without a reinstall. The only spyware I got was because of my own stupidity when I ran something named "START.EXE" that came along with a crack.. err security patch. I easily removed the spyware with the Adaware/Spybot combo. I use IE only for connecting to sites that do not accept Firefox (my company's webmail and Windows Update). I don't even run AV.. I go to one of the free online scanners every 6 months or so.

    It's actually quite simple to keep a Windows box secure, despite what you read here every day.