Humans Not Evolved for IT Security
Stony Stevenson writes to tell us that at the recent RSA Conference security expert Bruce Schneier told delegates that human beings are not evolved for security in the modern world, especially when it comes to IT. "He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved. This leads to people making bad choices. 'As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder.'"
We're all guilty as charged and you know it.
So the modern equivalent is "What I can't see won't eat me" ... seems to be the same mistake. More likely, if 99.99% of your senses tell you that you are safe, then worrying about meteors or lightning strikes is a waste of energy.
Plus you gotta think "selfish gene". If I *feel* "secur-i-ness", I can proceed with making babies... while you're so worried about lions, you fail to impress the ladies.
meh
As a species we got really good at estimating risk in an East African village 100,000 years ago.
I wonder how many days would that guy last in an East African village 100,000 years ago.
He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved.
Which is why, a lot of times, you end up with security theatre, instead of real security.
The theory of relativity doesn't work right in Arkansas.
Clicking on the link only gets me the intro. Where is the rest of the story?
Looking at the number of people falling for Nigerian scammers, I'd say that our ability to "estimate risk in an East African village" is not so hot either. :)
If you open yourself to the foo, You and foo become one.
Technology evolved ten thousand fold in the last few hundred years. No species ever evolves that quickly.
Thank God I was intelligently designed for this kind of thing ;)
Knowledge is power. Knowledge shared is power lost.
Exaggerate uncommon risks -- for example, air travel is safer than cars but because car accidents are common they are seen as less risky
Maybe because everyone involved in an airplane crash usually dies. Automobile deaths are much less. There's this idea of risk = probability * impact. In the case of automobiles, probability is high but the impact is low. It's the other way around in aircraft failures.
Personified risk -- Osama Bin Laden is scarier than a faceless threat
How in the hell does this relate to IT security? I think IT administrators are more afraid of the people they don't know hacking their systems than the people they actually employ doing the same. In the end, I'm sure more attacks come internally or from an ex-worker than someone unknown. Maybe the face you know should be more scary than the face you don't at the office?
Risks that could be controlled -- The DC sniper caused a few deaths but the response was way out of proportion.
Please elaborate, I know of the John Lee Malvo incident but I have no idea how this relates to IT security. Are you telling me that shutting down a system to protect a database from a possible threat or virus is overkill? I would respond with that varying on a case by case basis but at my job, offline databases are worth maintaining the integrity of the data inside them.
I know I'm really coming off as a jerk when I say this but I don't think this article helped me in any way. All I saw was someone oversimplifying a complex problem--thereby making them seem smarter to the people they were explaining it to.
Don't read this article, it has nothing to offer you. If you don't know this subject, I believe this article will only add to your confusion and lack of understanding.
My work here is dung.
As an INFOSEC person, I see this kind of mentality on a daily basis. Still, there is a realization of the costs of outages due to attacks and that I see. Slowly but surely it's changing. Compared to evolutionary changes tho, it's a blink of an eye.
We're not evolved for space flight either. You can't apply "evolution" as a blanket to tool use at the level we've taken it; we have evolved a capacity for abstract thought which allows us to create highly complex tools...Saying that we're not evolved to assess risk on a level as abstract as this is disingenuous...When was the last time a virus jumped out of your computer and ate you? There is no evolutionary pressure involved with such intellectual pursuits.
It's perhaps more accurate to say that only a few people are capable of truly understanding this stuff at all, and for the rest it's just black magic. Of course they don't appreciate the risk. I guess B.S was trying to find a rational reason why people just categorically don't understand security when applied to technology, but I think it's more just that they're doing well to be able to use the tech at all. We're going to have to have a lot higher skill level among users before we can expect them to truly appreciate security.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Finally, it's official. 'nuff said.
In many ways, we need to go back to square one. We need to teach ethics to the younger generation. Hackers and phishers will always remain one step ahead of the security community in developing new methods to bypass security measures. The problem is, we should have to erect so many virtual walls. The real question we should be asking ourselves is: why is this behavior acceptable -- even lauded at times?
We aren't specifically evolved to do algebra either, and we (well, many of us) do a decent job at that. Humans are evolved to learn and adapt.
"Only human."
--Agent Smith on IT security
My brothers Smith and Wesson would beg to differ.
... if it really must be Schneier, read: "Why the Human Brain Is a Poor Judge of Risk" (Wired), but better immediately turn to Kahneman.
CC.
TaijiQuan (Huang, 5 loosenings)
I disagree with the use of the term 'evolution' to discuss the inadequacy of emotional responses to threats. People can be successfully trained to overcome these issues. As a security professional, I know my spidey-sense has altered considerably over the years due to training and experience, and I would think that others in fields where risk assessment is all in a day's work have largely had the same experience, and, to a certain extent, this is extensible to the population at large. (For example, I find that younger employees are typically a lot more savvy about safe online usage than older employees, which is not a matter of evolution, but acculturation to technology.) The evolutionary advantage of rationality outweighs the primacy of fight-or-flight responses in trained individuals.
This looks to me like another misquoted/misunderstood Bruce Schneier sound bite. Not much to see here.
#!
I'm estimating my risk in an East African village 100,000 in the future. Forget about London.
Virginia is for lovers. EVE is for griefers.
Schneier is neither an evolutionary biologist nor a neuroscientist. Why is his bad opinion on these matters news?
Are you adequate?
People want the easy way. Security and "the easy way" are often at odds.
Case in point...I was in a hospital ER the other day, waiting in the room (for a very long time), and I looked at the computer in the room. I noticed that someone affixed a sticker to the keyboard tray with (presumably) the windows domain login info. Had I wanted to, I could have logged in and probably gotten to all kinds of medical records. Someone from the hospital's CIS department would probably poop a brick if he saw that.
People are lazy, and security folks constantly have to toe the line between making things hard enough to be secure but not so hard that it's just easier to find the loopholes.
blah blah blah
"Originally from New York City, Schneier currently lives in Minneapolis, Minnesota. Schneier has a Master's degree in computer science from American University and a Bachelor of Science degree in physics from the University of Rochester. Before Counterpane, he worked at the United States Department of Defense and then AT&T Bell Labs."
I don't see anything about "behavioral psychology" or "evolutionary biology" in there.
So, sorry Bruce, but you're not qualified to make that statement with any authority, and frankly, your position as an expert on security should make you more wary of voicing lay opinions about subjects in which you have no expertise.
I only go to buffets for the unlimited soft serve.
I don't think that's the case. I think it's just that culturally we fear what we don't understand and are being taught to be stupid and proud of it. Biology and evolution have nothing to do with it. We can learn these concepts we just willingly refuse to for religious and ideological reasons.
He's a security guy, not a biologist. His list (I must not be well today, I'm actually RTFAs) is correct; e.g., 3000 deaths this century in the US from terrorism and 40,000 every single year on the highways, but OMG ITS TEH TERRAISTS!
However, although he's well versed on security his grasp of evolution is even slimmer than mine, and I'm no biologist, either. The only way evolution would come into play would be if computer security had the effect of killing us before we had children. Clearly, the security of your home PC is NOT going to keep you from procreating. In fact, considering the stereotype of us nerds it's arguable that knowing how to secure a PC is counter to evolution! After all, evolution is all about getting laid.
I'll demonstrate with two real people: me, and a woman I know.
It is possible that I have a lot of kids in Asia I don't know about, but for the sake of argument let's say I only have the two girls that came from my ex-wife's uterus.
Both of my children are living, and grown. Neither has children of their own.
Linda, OTOH, had 14 kids, 13 of which are still alive. She trumps me in the evolution game 13 to 2. I lose, she kicks my ass in the Darwin game. But she can't even boot a computer, and while Bruce Schneier could likely root my box with impunity, I built the damned thing from spare parts.
There is no possible way to "evolve" computer security. Schneier should stick to computers and shy away from fields in which he isn't an expert.
-mcgrew
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
There were in South Africa anyway.
#!
Security solutions have to be designed around usability. If usability isn't the #1 or #2 consideration, it will increase the failure rate of the humans involved and you'll end up with an insecure system in practice regardless of the technical merits of the security methods.
The crude animal impulses present in the vast bulk of humanity are masked by the accumulation of accomplishments by extremely rare geniuses. Skim off the top 1% of creative freethinkers, and humanity wouldn't be all that different from any other species on this planet. Our feelings about what is or is not secure are easy to game with scary stories and special effects. Our desire to live peacefully in a democracy can quickly be overwhelmed by a relatively small threat, such as by a group of underfunded Islamic crazies living in a cave with a shoebox full of box cutters and 19 airplane tickets. It wouldn't take much of a jujitsu move for an effective terrorist to scare the bulk of the American people to quickly decide that fascist rule was in their interest. Humanity's easily-meddled-with irrationality is our Achilles Heel. For example, since 9Eleven America has turned away many brainy and creative people who used to contribute to our greatness. Now those people go elsewhere, making other places great.
The flag just makes more sense than the constitution. - Judas Gutenberg
The real problems are, in no particular order:
1) A lot of people are either stupid or uneducated.
2) A lot of people don't bother to think.
3) A lot of people are sheep and believe what they're told by marketing.
4) A lot of people are lazy.
I guarantee you this covers the vast majority of the problems with IT security. It's not biological evolution, though you could make a good argument for societal devolution being the problem.
What with their careful patch scrutiny that ensures things like, oh I don't know, windows desktop search, doesn't get auto downloaded by all my 500 computers, bypassing the policies on the wsus. It's the little things that make me glad I work in a microsoft (tm) security (tm) world (tm) where nothing can possiblie go wrong!
Is there anything on which Bruce Schneier is not an expert? Now he's an expert on evolution? I'm not sure why he thinks his knowledge of cryptography qualifies him to hold forth on every freaking subject on the planet.
What I'm listening to now on Pandora...
research shows that humans are not evolved for
unassisted flight
long periods without oxygen
sustainably conducting large amounts of electricity
only drinking pure arsenic
only inhaling pure chlorine
living in magma
maybe stories like this stand better as support for the idea that we could not have been intelligently designed. if we were, why would we waste time writing or reading articles like this?
Witness the post-it notes under the keyboard to remember a password. :-)
If you read Schneier's regular blog, you'll see that he regularly talks about security topics in general, not just IT security. The tagging of this talk as being narrowly related to that may be a case of inaccurate reporting; given what Schneier regularly talks about, I'd have been surprised if his talk hadn't covered non-IT security topics.
Are you adequate?
I guess people are running around in some sort of Darwinian intellectual enlightenment these days. I've been seeing bad evolution and artificial intelligence references all over the place recently. It's only a matter of time until some jack-off writes about a darwin 2.0 semantic web
Anyway...the issue with security isn't that people aren't "evolved" enough to use it, it's just that the solutions presented to the masses are garbage. You don't implement something in a way which makes it difficult to use, then say that people are just too dumb to use it. The solutions need to evolve, not the people.
Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
Ah. So, unlike Schneier, you are both an evolutionary biologist and a neuroscientist. Thanks for setting the record straight.
Are you adequate?
I'm judging his statements based on his expertise. He has none. That's not "authority" by any measure.
His "authority" never entered the equation.
So you're wrong, and you're trolling me because I proved you wrong previously.
I only go to buffets for the unlimited soft serve.
Time to get rid of planes (not snakes, just the planes), frozen yoghurt and tv. I can't see how any of that is in our genetic makeup. If we should fly, I'm sure we'd have evolved some wings by now.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I suppose we need the repetition though.
In other news, Slashdot readers have not evolved for relationships with the opposite sex, leading to a re-evaluation of evolution as an origin to the species. Creationism is being evaluated as a viable alternative.
He's officially hung up his cryptographer's hat, and is now somehow qualified to critique the TSA and all sorts of related "real-world" security issues.
... it's about the nature of the risk.
We're good at noticing things that are imminently threatening to kill us. It's - unusual, at least - to see people voluntarily putting themselves in the way of obvious, physical harm.
Threats like identity theft or fraud, however, are much less tangible, and they don't have the same impact on our brains.
We're hardwired by evolution, for example, to avoid a heavy moving object, whether it's a rhino or a car. There is no comparable aversion mechanism that instinctively steers us away from Nigerian e-mails - that's something that has to be learned specially.
You do realize that, outside of biology, evolution is usually used metaphorically, right?
Anyhow, whether or not evolution has anything to do with it, his fundamental point is one about security. Something he DOES have a lot of expertise in.
The fact is that we're VERY bad at estimating risks we don't understand. The behaviors we fall back on, wherever they come from, don't serve us very well at all. We're terrible at worrying about the things that are very likely to hurt us and good at working up a fuss over ridiculous and stupid things.
How much money and how much trouble have we expended to go after terrorists? But how few people have they killed? It won't please anyone, but if we spent that money fighting something ordinary, say heart disease (#1 killer, last I knew), we might actually save more lives.
Not very emotionally satisfying, though, because people feel strongly that we need to do something, anything, to protect ourselves from terror. Even if it doesn't make any sense. This is why we now take off our shoes in airports, etc.
On the other hand, why *should* we evolve for IT security? It's not like there's a Darwin Award waiting for the dumbest user or admin. There's no evolutionary advantage for comp sec aware folks... unless we start creating some, like opening up safety related systems to the wild. Mmmm, how about wireless interfaces to the internal networks of cars, or to household appliances like gas stoves? Or the charge circuitry of Li-Ion batteries? That'll teach the noobs.
thegodmovie.com - watch it
- Your expensive OS has security flaws that you can drive a mack truck through? Patch it or buy the new version of the same.
- Your mailbox is flooded with special offers on discount viagra? Install a spam filter to block the messages.
- Oops, the filter isn't catching the newer offers for discount software? Update the filter or buy the newest version of the same.
- Oops, the filter isn't catching the new stock offers that are flooding your inbox now? Another update, of course.
When of course, these all have much better solutions, if only people actually worked on the source of each respective problem. Hint, it's not filter / firewall rules.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
"The brain is still in beta mode, it's got all sorts of patches and workarounds. It's not perfectly created, it's clearly evolved up." If your brain is so imperfect and patchy, and you know so little about it, why should anyone listen to your opinion? You're using your own beta-mode noggin' to whip up a bunch a baloney, and you recklessly throw it out with such certain authority. Shameful.
"The brain is still in beta mode, it's got all sorts of patches and workarounds. It's not perfectly created, it's clearly evolved up." See, even God uses Windows.
:wq
"You do realize that, outside of biology, evolution is usually used metaphorically, right?"
YOU do realize that in this case, WE ARE ACTUALLY TALKING ABOUT BIOLOGY, RIGHT?
I see why you posted AC.
I only go to buffets for the unlimited soft serve.
Sexual reproduction decides when the organism goes live, and marketing decides when the product goes live.
You can't take the sky from me...
Anyway you should only trust Humans V1.0 after SP1 has been released.
Engineering is the art of compromise.
Hm, my troll detector just went off. dharbee? Is that you?
Well done, you've basically said Humans don't know everything at birth! We have evolved in many ways, some in IT security, and others as - well, anything and everything from scientists to engineers.
Plus - evolution takes centuries not decades.
People are very quick to confuse inbred and conditioned behavior, because it can be hard to distinguish.
Calling a behavior inbred is usually a cop-out: if it's inbred, then we can't do anything about it, so we can stop thinking logically about it and just attribute it to bad human wiring. It's the lazy person's way to end an argument.
I suggest to you, that someone who has been brought up in an environment where trust is treated like the complex subject that it is, will do better than someone brought up in an environment filled with deceit and denial.
Our brains haven't evolved a single way to solve problems; That's why we're as successful as we are as a species, is that our brains can evolve and solve new problems as they come up.
This guy demonstrates a severe lack of understanding of the subject, which is odd given who it is.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
I've never said this before (err except in the title,) but someone Mod this guy up! That site was the best laugh all day!
Car crashes are less scary because of familiarity, as you said, but also because you can grab the wheel, yell "look out!", or otherwise act upon your own destiny. And because of vertigo phobia. In a car, you're already on the ground: you aren't going to accelerate towards it inexorably, as planes will if they stall/run out of gas/break/hit another plane/etc.
Familiarity and statistics are just part of it.
You can't take the sky from me...
The first problem I have with this article is that it attempts to discuss two completely different topics, that of security against physical harm or risk and that of security against harm to a computer system. They really are not related. If I see a rhino charging at me I will have fear and get out of the way (if I can). In the case of a computer system, I cannot detect harm such as someone attempting to gain administrator access through a remote connection except by special software or reading logs.
The average human being is not going to dig through log files or read technical documentation to shore up possible security risks. A (sober) human being will most certainly try to get out of the way of a rhino, and it is more common sense than it is evolution: either get out of the way or get trampled to death. When it comes to IT security, the average human computer user will trust the firewall, the anti-virus software, or "that computer guru" to keep things safe.
The second problem I have with the article are the unproven assertions made:
--we got good estimating risk 100,000 years ago in an East African village
--evolution is true, and how we feel emotionally about security is a result of it
--the brain is still in beta mode
--it is difficult to estimate risk in London in 2007
I think Londoners (as are most city-dwellers I know) are street smart and savvy enough to estimate risks quite well, but maybe because all but the criminals have been disarmed and Londoners don't have the means of self-defence anymore it is perhaps harder to defend against harm?
A word fitly spoken is like apples of gold in pictures of silver --Proverbs 25:11
You're drunk, aren't you.
I know I am, and I was just about to post what you did.
" 'As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder.'""
So those kids in East Africa with their shiny new XOs should run rings around us westerners?
Oh, wait...
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
But in 2007 London? Modern times are harder.
Phew! I'm glad I'm in Seattle.
Comment of the year
I spent years doing technical security, but that eventually turns to box shifting. Sure, there are very clever tools out there, but what good is that going to do my clients if they still leave a laptop ready to be stolen, and use passwords an 8 year old can guess?
And that's again just the technical side. We have a setup which advises on all sorts of security, and doing the anti-kidnap coaching is a serious eye opener for someone who's been living on the command line. It puts it all in perspective (although the driving part is *seriously* cool to do just for the hell of it :-).
IMHO, security is NOT a process (I know this is sacrilege :-). Security is about people, and as long as we don't start from that angle a lot of people will still make a lot of money - but not address the real issue.
I've started coaching CEOs on security, privacy and IT, and that works because it impacts decisions in a positive way. But we've got a little while to go yet..
Insert
"IT Security Not Evolved for Humans".
pb Reply or e-mail; don't vaguely moderate.
You illustrate quite well why people should leave out any mention of evolution whatsoever when trying to make a point. Even if you happen to be right, any discussion of whatever you were actually talking about (in this case, that people are bad at evaluating risks) will get caught up in pedantry over exactly how you misunderstand or misapply evolution. Even when it really has nothing to do with your main point.
You ended up taking issue with this thanks to a summary focusing on exactly one minor point made in a much larger discussion of how people's sense of risk fails them utterly when facing modern threats. Frankly, it DOES NOT MATTER why, whether or how exactly humans have come to possess the faulty sense of risk they do. That's not the point. We know that a) we collectively are bad at estimating risks and b) something needs to be done about that.
As for the other poster saying the equivalent of "but, but... maybe they found 8 zillion shoe bombs" they also miss the whole point. The example given is not the point. The point is that we focus our energy in ways that are disproportionate to the actual risk. If you think that, somehow, the magnitude of our counter-terrorism efforts is justified by their risk, you illustrate Schneier's point quite well. Worse, not only are we spending a ridiculous amount of money, we're not getting much return on that investment because it's going to "security theater" rather than things which have much better payoffs (human intelligence--though what little there is *was* actually responsible for most if not all of our successes against the terrorists). And believe me, we do actually know. The politicians are very good at crowing about any foiled plot, and like I already said, human intelligence agents were a big part of those breaks.
So the point isn't that we should focus on only one thing, or that we can't or shouldn't focus on more than one risk. The point, which everyone is so very adept at missing, is that our responses should be proportionate to the actual risks. Mind you, on a human level, I do suppose that there's some need for "security theater", but we should understand that it is theater and make it sufficiently non-intrusive, yet visible enough that people can feel safer without forcing people to put up with ridiculous annoyances.
What an ignorant, insensitive ass. Please, do tell, how could the response have been better managed? A shooter on the loose for weeks taking out random targets at will. Response out of proportion?
I think of the woman shot in the head standing next to her husband while loading their car after shopping. Ponder for a moment, the emotion involved in that single death. The intensity of that moment. A few deaths indeed.
There's a reason the Amish don't have cell phones, and it's not *just* because of religious reasons, though that's a big part of it. The Amish see something like this as getting between people. Face it: how many times have you, in person, been put "on hold" for someone on a cellphone? Basically they don't like what it would do to their community.
:>
In this case, the same is true. Metaphorically like giving a hot rod to a teenage boy, you can't always trust'im to be _wise_ or _polite_ as to the operation of the car....and this is a realization of the same thing, on a grander scale.
In a similar vein, what's the first thing that gets illuminated when you hand a child a flashlight? YOUR face.
--- For a good time mail uce@ftc.gov
As much as I respect Bruce, but here he's got it the wrong way around.
If people can't cope with the way something works, then are the people at fault, or the way we built that thing? Or, in more practical terms: Which part can we change? So where should we direct our energy and creative thinking?
Humans are the way they are. The way to change them is called education, takes several generations for any major change, and is fairly uncertain and not yet fully understood.
Assorted stuff I do sometimes: Lemuria.org
So he made fun of you for being a coward instead of answering your question. And now you're stalking him for petty revenge. If anything, this backs up his opinion that AC's aren't worth responding to. Fortunately for him, he can just set his preferences so he'll never see your posts again.
You are reading a copy of my copyrighted post.
Yes, there are too many security efforts that evaluate risks badly; that aim to rigorously close systems to guard against supposed known threats, piling security measure on security measure, while leaving the back doors wide open. The equivalent of people who are afraid of flying, but drive recklessly while drunk.
However, I think that many misguided security measures are inspired at least as much by self-protection as by bad evaluation of risks. People often know that they are not addressing all the real risks. But they assume that as long as they stick to policy, and "even better" ridiculously over-design to cover every possible risk explicitly mentioned in the policy, they can't be blamed when things go wrong. Some junior technician is not going to challenge policy laid down from above, just because it has giant gaping loopholes. He or she is just going to follow it, and apres nous le deluge. And the policies in turn are often written by people who focus on past incidents, not future risks, because what's behind you is more likely to bite your ass.
Governments regulate aviation safety very tightly because they can get a lot of criticism when there is a fatal accident. But car accidents that cause more casualties overall, are considered a normal part of life, and people rather resent additional safety measures, so governments are much less inclined to take strict measures to reduce them. That's not caused by short-sighted risk evaluation (at least not necessarily on part of the government) but by plain politics.
You can see it in any form of modern engineering; measures designed not to reduce risk, but to reduce liability. Of course I don't know whether the same principle was applied in communities of pre-historic hunter-gatherers, but my somewhat pessimistic view of humanity induces me to assume that it did. And I would not be surprised if the same behavior was discovered in chimpanzees.
It is even possible that that behavior actually has a background in the evolution of our brains. The ability to blame someone else when things go wrong, must be of considerable advantage to the spread of your genes.
It is interesting to note that those who are most competent at IT security are least likely to reproduce.
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
I once heard Neal Stephenson give a similar talk. http://db.tidbits.com/article/05951
He drew pie charts labeled "threat model" where 99% of the chart was "hyenas."
Today, our threat models are a bit more complex.
http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP2K.html#Steph
junpei wikipedia
FYI this is why they check our shoes for explosives. Notice the sheet metal: The explosion literally rips a hole through it!
Life is not for the lazy.
Like many first-generation tools, the internet exposes us to risk. Think electricity, tall buildings, surgery.. we just haven't figured out how to build a safe internet yet.
In the case of automobiles, probability is high but the impact is low. It's the other way around in aircraft failures.
Doesn't the impact happen at ground level either way?
And for that reason you gave, I think we have to conclude that computer UIs suck for security.
For example: Someone gives you a crypto key on a flash drive. You plug it in and look at the contents... a teensy nothing of a file that just opens in a text editor. The OS doesn't try to push any of our evolutionary buttons with regard to this very important object.
Or how about task lists? They'll show you what/who is using the CPU, but won't do the same for a network interface. The user must take it upon themselves to become educated and install tools like nettop and such.
Also, most GUIs won't give you a clue about the data/executable status of a given file (unless you keep opening the properties/info window). So we get lots of trojans posing as jpeg files and proliferating like mad. OSes are only now starting to (inelegantly) deal with this problem.
These are examples of bad design from a security standpoint.
Maybe that's why they're "running scared" from the Storm Worm!
http://it.slashdot.org/article.pl?sid=07/10/24/1532240
Remember that Will Smith movie Independence Day? If that movie is a true to life indication (which I believe it is), then super advanced aliens aren't evolved for IT security either.
Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
Young people learn at amazing rates. Some people keep learning stuff much longer but are a very tiny minority.
We are Turing O-Machines. The Oracle is out there.
This has *NOTHING* to do with brain evolution. Period. It has everything to do with modern attitudes, perceptions, and beliefs, as influenced by modern events, cultures, and happenings.
This is a prime example of someone trying to sound smart about something they obviously aren't.
IT security has nothing to do, even remotely, with brain development OR evolution (other than the fact we had to develop the skills necessary to use/develop computers/machines/technology).
Humans *ARE* evolved for these types of thing, just hardly anybody wants to spend the amount of time necessary to counter every security threat that gets thrown at them.
Idiot.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Outside IT Security (a very narrow field), Schneier is an idiot.
In a car, there are many things you can do to enhance control over your own destiny. Which has a major impact on Darwinian fitness. I.E. those with more control have more descendants on average.
A personalized threat is more likely to target one specifically. Osama is also scary because he's unpredictable. And could come close to controlling Pakistan's nukes if he gets a few breaks. Modern technology gives terrorists awesome power to kill lots and lots of people: Tim McVeigh using fertilizer and diesel fuel, Aum Shinrikyo home-brewed Sarin in the Tokyo Subways, and the DC snipers conducting their own personal jihad for fun and profit.
Moreover the curve is of increasing lethality. The Haymarket bombers in the 1880's killed a few hundred. Osama killed 3,000 and could with nukes kill millions. It only takes one nuke in downtown NYC to kill perhaps several million people. That technology is over 60 years old, well understood, and probably widely available. NOW North Korea and Pakistan are nuclear powers with working nukes (and ballistic missiles). Soon to be joined by Iran. Israel hit Syria's nuke facilities outsourced there by North Korea (and Iran). Morocco, Algeria, Tunisia, Egypt, Sudan, Turkey, Jordan, Saudi Arabia, Yemen, Oman, UAE, have all announced nuclear programs. So clearly the problem is going to get worse.
If anything ordinary people understand every-day non-IT risk very well and far better than Schneier. New Orleans population declines post WWII, for example, and particularly after Camille (and the relative incompetence/corruption displayed) showed that collectively, middle class people voted with their feet elsewhere. Remarkable given New Orleans' geographic advantages (river-Ocean-Rail nexus).
Cars are safer than planes because you have more control. Airlines worry about PC more than anti-Terrorism. Schedules more than storms. Cutting costs more than safety measures. By contrast control means not driving in bad weather, with safe cars, properly maintained (not leaving that to others), and at times when it's safer (i.e. not late at night when the drunks are out).
Schneier is typical of the elitists who sneer at the average person, merely because they possess some specialized knowledge the average person does not. I'd bet Schneier would be helpless in changing his own oil, or building cabinets, manual tasks that "lower class" blue collar types do every day.
Weren't Human 2.0 The Cybermen?
Humans have not been intelligently designed for IT security!
Read the Bible!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
Guess what, in a Lemon market, all the Lemons get sold and only a few of the good products, the IT market most often is a "Lemon market", and that explains why the best products don't always come out on top.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
"Maybe because everyone involved in an air plane crash usually dies. Automobile deaths are much less."
Thank you for proving Bruce's theory exactly. You don't think that automobile deaths are that common, when in fact 119 people die on the roads every DAY. 43,443 people died on the roadways in 2005 alone, and this is only in the United States! Pretty sure airplane deaths are FAR less...
http://en.wikipedia.org/wiki/List_of_motor_vehicle_deaths_in_U.S._by_year
What do you expect? The human brain is still running on OS "Homo Sapiens 2.0". It hasn't had an upgrade (or even a patch) since the last ice age. Networking is slow and undependable, memory is prone to faults (or even false data), graphics quality varies wildly, it sometimes ignores input and returns the same results constantly, and if you hit it too hard it shuts down and has to be rebooted. The only thing going for it really is very good parallel processing. Sadly, some people are still running on "Homo Erectus 1.0".
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
Yes, it's harder. We're competing with ourselves much more fiercely and more often. We're up against our own brains, and that is the fatal limitation.
The eternal struggle of good vs. evil begins within one's self.