Bruce Schneier Talks Brain Heuristics and Security
ancientribe writes "Bruce Schneier is at it again: the security icon shares his latest research and insight on the interplay between psychology and security in this article in Dark Reading. The focus of Schneier's latest research is on brain heuristics and perceptions of security, which may be the basis for the best-selling author's next book. His goal for the topic, which he'll be presenting at the RSA Conference next week, is to focus on how people think, and feel, about security, and how neuroscience can help explain how our perception of risk doesn't always match reality."
head.. as a matter of fact.. this reply is all in your head too.. it doesn't exist..
At one point in the article, Schneier comments on email encryption:
This is a good example, because encryption is in common use on the web. To the end user, using a website over an SSL or TLS connection is no different from using one in the clear. It's almost too easy, which is why browsers have lock icons, color changes, and "You are leaving a secure site!" messages.
Of course, the problem is slightly different, since HTTPS is all about protecting a client-server connection from eavesdropping, not protecting the data itself. Once the data reaches the server, the server is entirely capable of doing something boneheaded with it like saving it in plain text in index.html. Similarly, data sent to the client can easily be printed out and left face up on the car seat.
Client-server connections are easy to deal with, because the only people that need to manage them are the software developers and the admins managing the server. Similarly, it's trivial for an end-user to send/retrieve mail using a TLS-encrypted SMTP, POP3, or IMAP connection.
Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity.
I am tagging this story !schneider.
Jesus said to his disciples: "If you don't have a sword, sell your cloak and buy one" - Luke 22:36
Sony ha
More facts about Bruce. http://geekz.co.uk/schneierfacts/
Flexible bare-metal recovery for Linux/UNIX
Part of the problem is with our perception of probability. We see it mathematically, but we still expect cause and effect rather than randomosity. Most users will say things like "why would someone monitor me," not realizing that there's usually no direct causal relation between who they are and interest others might have in their information, and the question is better put, "how probable is it that someone like me might be monitored."
In other words, we feel relatively safe in a crowd. We are completely visible, but because we cannot see why someone would single us out as unique, we feel obfuscated. All the while not realizing that it's more opportunity than it is causality.
This is why we feel safe sharing information on websites like MySpace, or using our credit cards over insecure wireless connections, because we believe that because everyone else is engaging in this fundamentally insecure behavior, we have safety in numbers. No one will read our blog for information about our identity, no one will try to use our Amazon account to buy electronics.
But they will, with a probabilistically determined frequency.
I see five factors that make the user-space side of security so hard.
1. Incentives: Most people, especially employees, don't face personal consequences when their PC is infected or the company database gets pwned.
2. Rarity: Most people see security problems as something that happens to someone else. That so few breaches are publicized only enhances the belief in the low likelihood of problems.
3. Hubris: Most people believe they know what they are doing.
4. Boredom: Ask a person to be careful too many times in the face of a relatively low-probability event and they become trained to click "Yes, Install."
5. Sociality: Most people are nice and assume that other people are nice too. They hold the door open for the social engineering intruder, they click on the "cool link", they open email that looks like it might be from someone important. Malware creators prey on our desire to "do the right thing."
Some of these five are easier to address but some reflect deeper realities about being human.
Two wrongs don't make a right, but three lefts do.
When one of the reporters asked for a copy of Mr. Schneier's notes during the presentation, he handed her two pages of ciphertext.
Seems to me it would be good if more people understood the ways that their gut reaction to fear is often incorrect. It would at least make it harder for politicians to manipulate the populace.
It was interesting how Schneier said "you can feel secure even if you're not" - maybe this is also known as herd mentality.
Besides just knowing that this imbalance is present, reliance on:
- thorough planning
- critical thinking
- testing and verification
all go a long way towards improving the likelihood that we will follow logic and not emotion.
Chalmer
You really really believe your wife is monogamous ..... then she's busted in a prostitution sting. With your best friend. And now she wants a divorce. And she'll take 1/2 of everything you own.
> Some of these five are easier to address but some reflect deeper realities about being human.
And all but one of them have the same solution, Education.
With proper education people will get rid of their insecure operating systems and the net will be a safer place for all of us. As the millions of happy Mac, Linux, BSD and other OS users can attest, it's not the user's fault. They have to be given the correct tools, correctly configured in an easy to use way instead of the booby traps that M$, Dell, HP and others sell.
People react to what you tell them. As long as commercial vendors continue to bullshit people, bullshit will come out.
Friends don't help friends install M$ junk.
I think everything you say is true, but a big part of the problem is that most people's mail-user-agents are set up with encryption as an afterthought, rather than as a core feature. When users have their email set up to use encryption from the very beginning, from the moment that they're issued their computers by their employer, they use it.
The environments where I've seen the heaviest use of encryption are Lotus Notes shops, because Notes was basically designed around encryption. Granted, it uses some strange proprietary public-key scheme (although Steven Levy in "Crypto" alluded that it was developed with some support by the NSA, as one of the earliest commercial ones), but it's totally transparent to the user. Public keys are all managed by the Domino server, and all the user has to do to send an encrypted or signed message is check a box.
Now, there's some sample bias there; most of the places I've seen that use Notes are also the kind of places that are interested in encryption, and tend to have more technically-oriented employees that are more comfortable with encryption (anecdotally, I've heard that the CIA is a big Notes shop, as are some other USG agencies), but I think how the MUA is designed has a big impact.
It won't be until MUAs are designed around encryption that people will want to use it, but it's not until people want to use encryption, that most MUAs will really pay attention and make encryption a seamless, core feature -- and more importantly, that corporate sysadmins will roll out encryption and key management right along with their mail servers.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Unfortunately TFA was pretty meatless, even though this is a meaty subject.
Schneier has often written against "Security Theater", the stuff that's all for show with not much actual security benefit, like half the BS we go through at the airport.
But now that he's talking about how our sense of security is part rational and part *feeling*, maybe Schneier would admit that we have a psychological need for some of the theater.
Maybe we needed those National Guard troops manning the airports after 9/11 after all. Not for any rational benefit (there was none), but because it made (some) people *feel* safer. It was our politicians' way of saying "we're on it".
Well, it's a bit off topic, but as security people might be reading this, I have a question to ask. It's actually prompted by the comment on email.
I would like to lock down my (and my partner's) use of the web and our data.
My partner uses Windows (due to a requirement to use MS Office at the moment - and no, OpenOffice won't do).
So I'm planning to use
1) TrueCrypt
2) Roboform
3) SyncBackSE
and a 4 GB USB storage key.
We plan to generate different passwords for each site.
My partner needs to use Outlook email for the moment.
So do people have other setups they recommend? For Windows? I would like to use Linux actually, but would prefer to use close to the same techniques on both platforms if I can, to make my life easier (TrueCrypt of course runs on both).
Can anyone point to any great sites on setting up encryption in Outlook? What about Linux email?
I actually use Google mail mostly now and use the web interface... is there a way of encrypting mail that way?
Any info appreciated.... (I'm thinking of posting this as an Ask Slashdot question but I have yet to get one posted, so .. thought I would try here!)
Thanks
I think everyone already knows that humans are always the weakest link in security.
You make good points, but I think you should be more careful about your examples. Saying that you have a 1 in 100 chance of being 'framed and sent to prison,' is hardly supportable; saying that you have a 1 in 100 chance of going to prison might be (if on average 1 in 100 people end up there).
But that's still a poor example, because that's a controllable risk. People don't get as upset about it as they do plane crashes or terrorism, because they feel like they have some level of control over the outcome. "Well, hey, I'm not going to prison, because I'm not going to [commit any crimes|get caught]." Therefore, they minimize that (very real) risk, and concentrate on slimmer ones which appear to be outside their control.
Why do people trust complex programs with colorful symbols and logos more than a simple Linux command, where you know what is going on?
> In soviet russia, You ask not what country do for you, but what you do for country!
Wouldn't that be, "In Soviet Russia, your country ask not what it can do for you!"?
Cut that out, or I will ship you to Norilsk in a box.
For what it's worth, I wrote an in-depth look at the neuroscience of the brain and its impact on peoples' ability to change for CIO magazine here: http://www.cio.com/archive/091506/change.html.
is all you need to know to understand "security".
Chimps are afraid of each other. So any time any chimp does anything, it's automatically fear time for everyone else.
As I've said many times before, humans work like this: "If you're right, I'm wrong. And if I'm wrong, I'm dead - and that can't be allowed. So I'm right and you're wrong. And if necessary, you're dead."
It's that simple.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!