Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bruce Schneier Talks Brain Heuristics and Security

Posted by CowboyNeal on from the just-because-you're-paranoid dept.

ancientribe writes "Bruce Schneier is at it again: the security icon shares his latest research and insight on the interplay between psychology and security in this article in Dark Reading. The focus of Schneier's latest research is on brain heuristics and perceptions of security, which may be the basis for the best-selling author's next book. His goal for the topic, which he'll be presenting at the RSA Conference next week, is to focus on how people think, and feel, about security, and how neuroscience can help explain how our perception of risk doesn't always match reality."

18 of 83 comments (clear)

  1. Its all in your.. by scoot80 · · Score: 3, Funny

    head.. as a matter of fact.. this reply is all in your head too.. it doesn't exist..

    1. Re:Its all in your.. by Dark+Kenshin · · Score: 3, Insightful

      I think that's the general synopsis of the book. If you really, really, really believe you are secure, then you are... till you get hit by a bus or something.

      --
      "I only know 2 things: The love for me, and the fear of me."
  2. Encryption and ease of use. by Kelson · · Score: 4, Insightful

    At one point in the article, Schneier comments on email encryption:

    "Over the years, no one used encryption" in email, he says. "It had nothing to do with the technology," but instead the ease of use, he says.

    This is a good example, because encryption is in common use on the web. To the end user, using a website over an SSL or TLS connection is no different from using one in the clear. It's almost too easy, which is why browsers have lock icons, color changes, and "You are leaving a secure site!" messages.

    Of course, the problem is slightly different, since HTTPS is all about protecting a client-server connection from eavesdropping, not protecting the data itself. Once the data reaches the server, the server is entirely capable of doing something boneheaded with it like saving it in plain text in index.html. Similarly, data sent to the client can easily be printed out and left face up on the car seat.

    Client-server connections are easy to deal with, because the only people that need to manage them are the software developers and the admins managing the server. Similarly, it's trivial for an end-user to send/retrieve mail using a TLS-encrypted SMTP, POP3, or IMAP connection.

    Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity.

    1. Re:Encryption and ease of use. by Em+Adespoton · · Score: 3, Interesting
      The interesting thing about this is that I tend to at least use digital signatures now, and started for one big reason:

      I have to enter my passphrase before I send something I might regret. This has been a boon to me on innumerable occasions. It means I send fewer emails than I otherwise would, but I don't tend to send anything I'll regret years down the road.

    2. Re:Encryption and ease of use. by owlstead · · Score: 4, Insightful

      "Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity."

      That, and email encryption is mostly done either through soft-certificates or - more commonly - through PGP. There are hardly any mail systems that integrate PGP, although they are available as add on. Even so, I believe the user interface is still much harder than e.g. websites with SSL. Also, as you rightly said, end users not only have to manage a digital identify, most of the time they have to handle the other person's digital identities as well. E.g. here at home I cannot verify any signatures that I can verify on the computer at my work, because I do not have an up to date certificate store.

      Of course there is also SSL with client side authentication. Although this is very usefull for B2B transactions (web services), you will hardly see any uses for end users. Even though both Mozilla and IE have build in support (although the Mozilla version tended to be broken for a pretty long time, and the IE version also has its fair share of problems).

  3. That word. . . by Skadet · · Score: 4, Funny

    Bruce Schneier once again is turning security on its head -- literally.
    That word. . . I don't think it means what you think it means.
    --
    Sony ha
    1. Re:That word. . . by poopdeville · · Score: 2, Informative

      Please look in a dictionary. Only one of the five to six meanings for the word 'literal' is opposite in meaning to 'figurative.' The rest are orthogonal. Indeed, the primary and secondary definitions are "conforming to the exact meaning of words",[1] and adverbial forms of 'real', 'factual', and 'unembellished'.

      Really, it's good that you paid attention in high school. You learned a lot of great rules of thumb that will help you avoid making grammatical errors. But they're just rules of thumb. They don't make you qualified to correct other people's errors in domains in which the rules you learned don't apply.

      [1] Before you throw a hissy fit about the use of the words 'exact' and 'meaning,' read this.

      --
      After all, I am strangely colored.
    2. Re:That word. . . by rkanodia · · Score: 3, Funny

      So your validity-seeking tweed jackets propose that the word 'literally' has no semantic content. I can't wait to hear other ways in which emergent online paradigms can synergistically leverage new value-adding phenomena!

    3. Re:That word. . . by vertinox · · Score: 2, Funny

      Actually, security is a man named Steve at the front desk. Bruce has been getting him in a head lock and pile driving him in a wrestling move during the company get together.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
  4. Bruce Schneier is my homeboy by bigredradio · · Score: 5, Funny

    More facts about Bruce. http://geekz.co.uk/schneierfacts/

    --
    Flexible bare-metal recovery for Linux/UNIX
  5. Perception by bwthomas · · Score: 5, Interesting

    Part of the problem is with our perception of probability. We see it mathematically, but we still expect cause and effect rather than randomosity. Most users will say things like "why would someone monitor me," not realizing that there's usually no direct causal relation between who they are and interest others might have in their information, and the question is better put, "how probable is it that someone like me might be monitored."

    In other words, we feel relatively safe in a crowd. We are completely visible, but because we cannot see why someone would single us out as unique, we feel obfuscated. All the while not realizing that it's more opportunity than it is causality.

    This is why we feel safe sharing information on websites like myspace, or using our credit cards over insecure wireless connections, because we believe that because everyone else is engaging in this fundamentally insecure behavior, we have safety in numbers. No one will read our blog for information about our identity, no one will try to use our amazon account to buy electronics.

    But they will, with a probabilistically determined frequency.

    1. Re:Perception by Yartrebo · · Score: 2, Insightful

      We also have a major bias towards catastrophic risks that we have no control over mundane risks that we think we have control of.

      Take the risk of getting wiped out by an asteroid vs. the risk of getting framed and sent to prison. The former is far less likely (less than 1 in a million), but it also gets people a lot more scared. Your odds of being framed and sent to prison are greater than 1 in a 100 over a lifetime (at least in the USA, the odds are far lower in countries with lower incarceration rates), but it doesn't evoke the same kind of fear.

    2. Re:Perception by Sique · · Score: 2, Informative

      The same can be said about the terrorism panic. It's still more likely to choke on a fishbone and die than to be hit by a terroristic attack. For Germany [pop. 80 mio] there are about 700 reported dead each year because of choking on a fishbone. I wonder if the number of all Germans ever dying during a terroristic attack since 1947 has ever reached 700.
      And the perception still gets it wrong if two risks are very similar: Think about the craze because of the H5N1 bird flu. Worldwide we have now ~200 people who died because of H5N1. Each year the numbers of people dying on whatever flu is currently going around is in the millions. For Germany the estimations are between 10,000 and 20,000.

      --
      .sig: Sique *sigh*
  6. 5 tough user-space factors by G4from128k · · Score: 5, Insightful

    I see five factors that make the user-space side of security so hard.

    1. Incentives: Most people, especially employees, don't face personal consequences when their PC is infected or the company database gets pwned.
    2. Rarity: Most people see security problems as something that happens to someone else. That so few breaches are publicized only enhances the belief in the low likelihood of problems.
    3. Hubris: Most people believe they know what they are doing.
    4. Boredom: Ask a person to be careful too many times in the face of a relatively low-probability event and they become trained to click "Yes, Install."
    5. Sociality: Most people are nice and assume that other people are nice too. They hold the door open for the social engineering intruder, they click on the "cool link", they open email that looks like it might be from someone important. Malware creators prey on our desire to "do the right thing."

    Some of these five are easier to address but some reflect deeper realities about being human.

    --
    Two wrongs don't make a right, but three lefts do.
  7. fear and power by wall0159 · · Score: 2, Interesting

    Seems to me it would be good if more people understood the ways that their gut reaction to fear is often incorrect. It would at least make it harder for politicians to manipulate the populace.

    It was interesting how Schneider said "you can feel secure even if you're not" - maybe this is also known as herd-mentality..

  8. Re:A slightly different analogy. by MillionthMonkey · · Score: 3, Funny

    He's got herpes. She doesn't. They take VALTREX to keep it that way. So her neocortex is all hot for him. But her amygdala isn't convinced. Because he has herpes.

  9. Re:People TRUST programs with a LOCK as their icon by jonadab · · Score: 2, Insightful

    > Why do people trust complex programs with colorful symbols and logos more
    > than a simple linux command, where you know what is going on?

    Because end users *don't* know what's going on.

    It's not a question of trusting something complex and inscrutable (proprietary security software) versus something simple and straightforward (open-source command-line software), but more a case of trusting something complex and inscrutable that looks well put-together and comes from a well-known maker, versus something complex and inscrutable that looks arcane and comes from nobody in particular.

    Spend some time around end users, trying to understand their problems. It won't enable you to solve the problems, but it will help you understand what we're up against.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  10. The New Science of Change by screeder · · Score: 2, Informative

    For what it's worth, I wrote an in-depth look at the neuroscience of the brain and its impact on peoples' ability to change for CIO magazine here: http://www.cio.com/archive/091506/change.html.