What Non-Experts Can Learn From Experts About Real Online Security
An anonymous reader writes: Google researchers have asked 231 security experts and 294 web-users who aren't security experts about their security best practices, and the list of top ones for each group differs considerably. Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates. Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down. Another interesting thing to point out is that non-experts love and use antivirus software.
Reader's Digest is going to sue for the Cliff's Notes version of Reader's Digest, nutshell summary.
Security experts care about confidentiality and integrity. Normal users care about availability. Film at 11.
Taking advice from elitist experts is un-American.
I've been out of the field for 10 years, but what I've learned since then is that "experts" don't care if the clients can actually use the system. AV? Take it or leave it, but for software updates, well, the cost of breaking corporate software with an update (they just took out our scheduling program for 4 days) is very measurable and affects everyone in the company, while the cost of a security incident is not nearly as measurable and doesn't affect everyone.
If you want to win these fights, you have to present defensible numbers in units that the PHB's understand: Dollars or Euro. The cost of breaking the scheduling program is easy about 6 hours of salary for the entire fucking company due to lost productivity. The cost of cleaning up a security incident needs to be measured and presented. How much lost productivity did this cost, how much tech time did it cost, what's the cost of the stolen data, etc... IT, and security in particular, will always be a cost unless you show, in dollars, that it's worth keeping.
That's missing the point. Identifying 1 or 2 differences in approach between experts and non-experts shows 1 or 2 things you can tell the non-experts to do to greatly improve security overall.
In this case, the take away action would seem to be to make sure you keep all the software updated.
For example --- software updates:
- do the experts use "custom" installs to avoid the installation of unwanted browser toolbars and adware, and that is why they are more likely to install updates?
- do the non-experts use the "default" installs, which pull in toolbars and crap adware, leading the non-experts to avoid updates?
I think the article is a good one, but there should be some more depth to it.
Write a program and then realize you screwed up. Debug it. And do it over and over and over again.
A very slim chance you got a 0-day exploit.
Expert: How many other made the same mistake? Can I write a program to search for those mistakes?
I know it's not really what this article is about, but when you consider a system buggy when it doesn't give you access. You debug it.
Any system that depends on users doing the right thing has ALREADY failed.
1) If it's difficult or complicated, users won't do it.
2) If your security organization's working strategy is, "break stuff, walk away and tell the user it's their problem," your strategies will be subverted from within so users can get actual productive work done, for which *they* get *their* bonuses.
In short, users need productivity to get their extra money. Security people need a lower number of intrusions to get theirs. These two goals are always at odds, mostly because current security strategies burden nontechnical, uninterested users.
The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall, application sandboxing and/or streaming applications for all office applications, improving intrusion detection and dynamic virus removal in real time. NOT training users not to download suspicious executables or engage in fantastic feats of memory regarding passwords.
Now that's something the non-experts have something to learn from the experts.
Modern users have security using apps.
> That's missing the point. Identifying 1 or 2 differences in approach between experts and non-experts shows 1 or 2 things you can tell the non-experts to do to greatly improve security overall.
> In this case, the take away action would seem to be to make sure you keep all the software updated.
The other take away is to figure out why the non-experts don't use the expert approach already. Are the password managers poorly advertised or otherwise unwieldy? For instance I know a lot of sites have login windows that the Firefox password manager doesn't recognize.
As much as people want to believe, in the age of unattended Windows updates and package managers, that updating is painless and causes no problems, there are many famous examples of times people installed updates that proceeded to destroy or seriously disrupt operation of production environments.
In the paper, the authors reported that experts recommended using anti-virus software more frequently than using a password manager.
If I were to make recommendations to a novice user, the first would be to use anti-virus software followed by anti-malware and I would guide them to Major Geeks.
Here's what you can learn from this security expert. If you click on those attachments we told you not to click on it will take me 2 days with your laptop to "analyze the threat" if you get infected. If it's not the first time then we were unable to recover your files and it will take 3 days.
is thoroughly jaded about the wilful woolly word salad-y uninformativeness of updates.
It's like *cough* a certain producer of shoddy software *cough* wants very much to paint themselves entirely untrustworthy by wasting your time with lots of maybe, potential, possibly and other weasel word verbiage, when they could start with tersely explaining the technical detail and then adding a longer description for less technical people that is nonetheless still to-the-point, topical, correct, and not at all trying to waste your time by stringing along words until nothing but long strings of meaningless words are visible.
Although the password keeper point struck me as interesting, I take issue with the "experts" stance on updates.
People don't shun (non-OS) updates because they "might" install malware - They shun them because they do install unwanted tag-alongs (if not outright malware). Flash tries to install its partner-of-the-week every time you update it. Chrome just added push notifications. Java... Let's not even go there. And let's not overlook the fact that most users can't tell a legit update prompt from a drive-by installer.
Security experts have a bias here because they:
1) can usually tell the legit updates from the bogus ones (and know enough to get the bloat-free version of the update); and
2) can themselves remove or repair the occasional spyware that slips through, without needing to pay BestBuy $150 for five minutes' work on a machine only worth $300 in the first place.
> Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates.
"Experts" are much better equipped to work around an update that makes a mess, and "Experts" are better able to pick up UI changes than "Non-Experts". Security is a good reason to update/upgrade, but every non-expert I know whose phone got the Lollipop update described it with obscenities, and would have been perfectly fine with a 'security patch only' update. The problem is that there's no consistent way for non-experts to know whether this will be a "transparent security fix" kind of update, or a "this will f'k up my s't and rearrange everything for no good reason" update. Even updates that don't make a mess of the UI cause other problems. Windows XP, circa 2001, needed 256MB of RAM to run acceptably. By the end of its run, the UI hadn't changed, but somehow, it required at least 1GB of RAM when it was (supposedly) the same OS. Admittedly an obscure example (but the only one I can think of at the moment), an Intel wireless NIC driver update I did once removed the ability to specify my own MAC address. A router firmware update I did once notably decreased the throughput of the network traffic it was processing. We all remember the Slashdot outcry when Sony removed OtherOS from the PS3. "Update" has a long history of having mixed impact on end users, so any "Expert" who both unilaterally applies updates and doesn't understand why "Non-Experts" don't share this practice may well have a thorough understanding of computers, but a piss poor understanding of humans.
> Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down.
Many password managers use Teh Cloud (tm). There's a damn good reason to be reluctant to store all of your passwords on somebody else's hard disk. Local password managers solve that problem, and now we're back to the classical problem of 'backing data up' and 'single point of failure'. Even at that, who do you trust? Heartbleed was a particular mess from a PR perspective because Open Source ("More secure than Microsoft!!11") had a spectacular failure that was used by "Experts" - people who were supposed to be putting security at the forefront. If such a widely circulated OSS project could have such a problematic bug, what possible hope does a regular user have with respect to betting on the right horse? Even if they do, there's nothing that they can do for the far end doing stupid things - all the password managers in the world won't change a blessed thing if the password was for Sony or Ashley Madison. It's all risky at some level, and ultimately, password managers overcome a shortcoming of computers themselves. Non-Experts have things to do. Writing passwords down in a nondescript password book, kept in a room separate from the computer itself, with each of the passwords changed annually, is probably the simplest and cheapest way a non-expert can put themselves comfortably in the third standard deviation.
> Another interesting thing to point out is that non-experts love and use antivirus software.
As well they should. Antivirus software is a layer of security, and one that non-experts tend to use more consistently than any other form of threat mitigation. It's not a cure-all (more likely the problem that exists with non-experts using AV software; they throw caution to the wind under the assumption that the antivirus will protect them), but it will be very difficult to convince me that properly updated AV software does more overall harm than good.
Don't depend upon a user's memory. Tell them that it is GOOD to write down their passwords AS LONG AS THEY STORE THEM WITH THEIR CREDIT CARDS.
The REAL problem with security is that the VENDORS do not place a priority on it.
It isn't that we hate to hear that.
We're already DOING that. But it doesn't help much when a CxO installs some infected software on his laptop (which he can because he is so important that he NEEDS admin-level access) and then brings it into the most firewalled section of the network.
Right now I'm focusing on knowing when a site is compromised rather than trying to get EVERYONE to follow the best practices EVERY TIME on EVERY SYSTEM.
A) Anyone using the term 'best practice' has already lost half their audience. Being the 'best' is a hard claim to make.
B) Real world usability trumps ivory tower douchebaggery. Stop making people have eleventy digit passwords with special characters that they rotate weekly. You aren't helping.
C) The world is mostly people who just want to get shit done - as an IT guy, your stuff is an appliance. People don't care about nuance.
"Security Experts" are mostly fraudsters working for the anti-virus industry. You don't get security from anti-virus software. You compromise it by running additional proprietary applications which can't be inspected. This is not to say the sources being available make it secure, but it is a critical found for which any failure to do so is the equivalent of building a house on sand. It might work, until the earthquake hits. The lack of security is the result of holes (bugs) and user-related design issues. If you're looking at code and reporting bugs you're a security expert. Anything short of that and you're a fraud.
Discuss.
Considering systemd is developed by non-experts...
> The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall, application sandboxing and/or streaming applications for all office applications, improving intrusion detection and dynamic virus removal in real time.
All of those things are worthless with a user base that does not respect and actively subverts security. It is like being a doctor of a morbidly obese patient that gets angry and screams when you tell them they need to lose weight. There is only so much doctors can do with patients insistent on killing themselves.
There is only so much security people can do without the users taking responsibility too.
I've known too many self proclaimed security experts out there to buy what they're selling.
Too often the self-proclaimed expert just reads a few blog articles that sound good, claiming "Best Practices", without actually knowing what they're talking about.
Then there are the ones writing the blog articles who pull crap out of their ass, and call them "Best Practices", just because it sounds good.
Lastly there are ones like Jason McNew, who doesn't seem to actually know anything about security. Mr. "I watched people take iPhones into highly sensitive government facilities on several occasions": That's a security violation; you report it. And guess what? Not reporting it is also a security violation. And even flag officers can lose their clearance for security violations at "highly secure government facilities". Also in highly secure facilities, they can even arrest and sequester you while they investigate whether or not you've committed a security violation.
Jesus Christ. What is it? The news or a fucking film? How am I to plan my life with this kind of vacillation going on? Huh?
Did he ever actually have one?
Mooo!
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
I suspect the "Password Managers" referred to in the article are third-party utilities like KeePass or LastPass and not the insecure-by-default and feature-lacking password managers provided by the browser.
"Frequently wrong, never in doubt."
I didn't see anywhere in the article that the security experts suggested blindly installing updates without testing them first.
You pretty much nailed it. The good thing is that we have plenty of tools to help with compartmentalizing info, to the point where it is almost surprising to see them not used.
If it comes to a pissing contest of users versus IT security, the users will eventually win, either by cunning, or just telling PHBs they can't do their jobs... and if it is a guy out of sales who is making the numbers, the PHBs will listen to that guy almost certainly, since they view security as having no ROI, but the "quarterback" making the "touchdowns" is earning real money for the company. In the past, one could scare management by pointing out Sarbanes-Oxley laws, but those are pretty much not enforced (well, unless one is fishing over their bag limit and decides to hide their caught grouper), so that argument tends not to have teeth these days.
The credit card system works pretty well - so easy to use that family members usually don't have any trouble using each other's cards. Behind the scenes however, there are comprehensive fraud detection systems, as well as clear responsibilities of fraud liability (usually card issuer).
I agree with another poster who mentioned that the onus of security should be mainly on the system - much more than the end user. What this means is that if you're going to setup any kind of password or multi-factor authentication system, it must be relatively easy to use. But then ensure there's an intrusion system in place that works in a similar manner to credit card fraud detection, where anomalies are quickly flagged and escalated for investigation.
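The post above argues for an intrusion system that flags login anomalies the way card issuers flag fraud. The following is an added illustration, not code from any poster, that runs a few such rules over a constructed set of login events (a new country or device for a user, a burst of failures before a success, two successes from different countries too close together); the event format, thresholds and sample data are all assumptions for this example.

```python
from collections import defaultdict

# Constructed login events for this example (not real logs). Each entry is
# (time in epoch seconds, user, country, device id, outcome).
SAMPLE_EVENTS = [
    (0,    "alice", "US", "laptop-1", "success"),
    (100,  "bob",   "DE", "phone-7",  "success"),
    (400,  "bob",   "RU", "host-9",   "failure"),
    (410,  "bob",   "RU", "host-9",   "failure"),
    (420,  "bob",   "RU", "host-9",   "failure"),
    (430,  "bob",   "RU", "host-9",   "failure"),
    (440,  "bob",   "RU", "host-9",   "failure"),
    (450,  "bob",   "RU", "host-9",   "success"),
    (3600, "alice", "US", "laptop-1", "success"),
    (7200, "alice", "US", "laptop-2", "success"),
]

# Assumed tuning values for this example.
FAILURE_BURST_THRESHOLD = 5      # failures since the last success that make a success suspicious
IMPOSSIBLE_TRAVEL_WINDOW = 3600  # seconds; two countries inside this window is flagged


def detect_anomalies(events):
    """Return a list of alerts, one per suspicious successful login.

    Each alert is a dict with the user, the time of the login and the list of
    reasons it was flagged. A user's first successful login seeds the baseline
    (known countries and devices) and is never flagged on its own.
    """
    known_countries = defaultdict(set)
    known_devices = defaultdict(set)
    failures_since_success = defaultdict(int)
    last_success = {}  # user -> (time, country)
    alerts = []

    for time, user, country, device, outcome in sorted(events):
        if outcome != "success":
            failures_since_success[user] += 1
            continue

        reasons = []
        has_baseline = user in last_success
        if has_baseline and country not in known_countries[user]:
            reasons.append("new_country")
        if has_baseline and device not in known_devices[user]:
            reasons.append("new_device")
        if failures_since_success[user] >= FAILURE_BURST_THRESHOLD:
            reasons.append("burst_failures")
        if has_baseline:
            prev_time, prev_country = last_success[user]
            if prev_country != country and time - prev_time < IMPOSSIBLE_TRAVEL_WINDOW:
                reasons.append("impossible_travel")

        if reasons:
            alerts.append({"user": user, "time": time, "reasons": reasons})

        # Update the baseline after checking, so the current login is judged
        # against history only.
        known_countries[user].add(country)
        known_devices[user].add(device)
        failures_since_success[user] = 0
        last_success[user] = (time, country)

    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print(f"{alert['user']} at t={alert['time']}: {', '.join(alert['reasons'])}")
```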
> The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall
Firewalls are not a solution. They're a small piece of a solution, but that's all. Firewalls segment networks, which is good because it reduces the scope of the attacks that have to be considered, but any good security design should assume that attackers will be able to get onto any network that has users.
> application sandboxing and/or streaming applications for all office applications
Even better, move all applications to the web, so everything runs on central servers which are much easier to manage and secure than a fleet of personal computers. Give users Chromebooks or another thin client configuration and don't let them install software.
> improving intrusion detection
IDS is good, but primarily for reducing the duration of an intrusion and trying to estimate the scope of the damage. IDS almost never reacts quickly enough to stop an intrusion.
> dynamic virus removal in real time
Preventing the installation of viruses is far better than removing them.
> NOT training users not to download suspicious executables
If the users can't install and run what they download, then it doesn't matter what they download.
> or engage in fantastic feats of memory regarding passwords.
Totally. Most enterprise password policies are ridiculous. High-entropy passwords are neither necessary nor sufficient for securing systems. Multi-factor auth is more secure, and makes it possible to set reasonable password policies. Say, eight characters, alphanumeric, maybe require one non-alphanumeric symbol. Annual rotation is good, unless there is some reason to believe the password may have been compromised. Users can deal with that.
Three-factor authentication is great, and not actually all that difficult. One factor is the password. Another is some sort of one-time password generator or, even better, a USB dongle that requires user activation (OTPs can be phished -- a user you can social engineer into giving you their password will also give you an OTP, in fact it's even easier to phish an OTP than a normal password). The third is a client-side digital certificate installed on the machine after verification that it complies with corporate security policies. Use Puppet or similar to not only keep the machine up to date, but identify if it gets out of date and if it does, revoke the certificate.
Another crucial key to successful security is single sign-on. I can remember one moderately good password easily. Require me to know several and I'll have to write them down or reuse the same one everywhere. If I reuse the password we have none of the security benefits of multiple passwords and all of the password management headaches. So users should have one, strongly-secured, account that crosses all company systems. This is another benefit of web apps over local applications: You can secure all of your web apps behind a single set of authentication credentials by deploying them behind a reverse proxy server. That server handles authentication and provides a signed, time-limited user ID token to the systems it fronts.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
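The reverse-proxy single sign-on design in the post above rests on one detail: the signed, time-limited user ID token the proxy hands to the apps it fronts. The following is an added illustration of that piece, not code from the poster or any product; the HMAC-SHA256 signature, the five-minute lifetime, the field names and the shared secret are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed secret shared between the reverse proxy and the apps behind it
# (constructed placeholder, not a real key).
SHARED_SECRET = b"proxy-and-app-shared-secret-placeholder"
TOKEN_TTL_SECONDS = 300  # assumed five-minute lifetime


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None,
                secret: bytes = SHARED_SECRET) -> str:
    """Proxy side: after the user has authenticated, mint a signed ID token.

    The token is '<base64url payload>.<base64url HMAC-SHA256 over the payload>'.
    Only the payload is signed, so it cannot be altered without the secret.
    """
    now = time.time() if now is None else now
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = SHARED_SECRET) -> Optional[str]:
    """App side: return the user id if the token is well-formed, correctly
    signed and unexpired; otherwise None. Signature is checked before the
    payload is parsed, and compared in constant time."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_text)):
            return None
        payload = json.loads(_b64url_decode(body))
    except (ValueError, TypeError, UnicodeEncodeError):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("sub"), str):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload["sub"]


if __name__ == "__main__":
    token = issue_token("alice")
    print("issued:", token)
    print("verified as:", verify_token(token))
```

A real deployment would also bind the token to the request (for example by sending it only over the proxy-to-app link and never echoing it to the browser), which this example leaves out.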
This is the key problem. Only experts are able to assess the risk of a password manager and use it appropriately. How can a normal user know whether a password manager is trust worthy? Do any of the big web sites recommend a trust worthy password manager?
The only viable solution for a normal user is SSO. Logging in with Facebook, Google, Microsoft Live, that is the way forward. 3 accounts are easy to remember, and it would also be faster to detect suspicious activity. But does any bank offer SSO?
No, of course not. In fact my bank requires me to remember 4 PINs, 3 passwords and one user ID. How idiotic is that?
I see it every month in my job. They test the standard desktop, but they can't test every use case. However, 5000 employees test those use cases and find shit that breaks.
> Jesus Christ. What is it? The news or a fucking film? How am I to plan my life with this kind of vacillation going on? Huh?
Film. The phrase came about in the days before mobile trucks with microwave links or even video tape. "On-scene" news was shot on film, which had to processed and edited (yes, manually, as in cut-and-splice), and then readied for broadcast later in the evening.
You want to trust your financial log-ins to Facebook, Google or Microsoft? Hope you keep most of your money stuffed in your mattress, it would certainly be safer there.
That is what VDI is for. It may not be good that the laptop is infected, but if the CxO is mainly using the laptop as a remote control for a secured session, damage can be mitigated, as the session can be hijacked, but the data still is stashed in a separate place.
> All of those things are worthless with a user base that does not respect and actively subverts security.
Framing the situation that way is a mindset that guarantees catastrophic security failure.
Good security helps users to do their job securely. Bad security makes it harder for users to do their job securely.
Recognize that getting the job done is the end goal and make the secure path the easiest path for the user to take and they will stop trying to subvert security.
That is a mantra that is repeated by everyone except those that actually are trained in security practices. Without trust there is no security. Security is not a product you can buy. You can't just hire a security expert, give them an office and suddenly you are secure. No. It takes work. It takes everyone.
Sounds like the people testing software in your company suck at your job. It also sounds like the people writing that particular software suck at their jobs too if it happens monthly. I realize you can't test for every use case but testing 90% of what a user is going to do should limit support calls quite a bit and will be less of a financial risk overall than being exploited by whatever zero day the security update is patching.
Sure they do. They tell non-experts to install updates. When's the last time you heard about someone's grandmother testing a patch?
Were any of the patches linked above installed by someone's grandmother?
> All of those things are worthless with a user base that does not respect and actively subverts security.
Framing the situation that way is a mindset that guarantees catastrophic security failure.
Hear hear! The user base doesn't actively subvert security unless security is obtrusive and overbearing. Subverting security is too much effort.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Does anyone know what's up with the cows/moo thing? Is this just a new Golden Girls theme song thing or is there something more to it?
> Even better, move all applications to the web, so everything runs on central servers which are much easier to manage and secure than a fleet of personal computers. Give users Chromebooks or another thin client configuration and don't let them install software.
This is presumptuous. You're a security guy. You don't know enough about the myriad and varied work the company's employees do to make bright-line rules about how they must do it. Nor will you with any amount of training.
You misunderstand. Security isn't cow sh** it's bullsh**.
Updates are often expensive and disruptive to an organization. The security expert may not care because it's "somebody else's problem". (I suppose this works both ways.)
Software often depends on multiple layers. Updating one layer often breaks another. Typical steps involve:
1. Keep an eye out for updates
2. Read up on any changes
3. Create a test stack or station to test an update in your org's environment and/or with the other layers.
4. Fix or devise work-arounds for any problems caused by the update found by the testing
5. Schedule the update deployment
6. Prepare a contingency or roll-back plan if there are problems
7. Coordinate and announce down-time during deployment
8. Test production after deployment
9. Educate users of changes
10. Answer questions and/or study new problems or user confusion over new features/behavior.
That's not only labor intensive, but if something goes wrong, managers often ask, "If it ain't broke, why did you fix it?"
You can then reply that it reduces security risks to be up-to-date, but the managers or owners often view it as a concrete expenditure and disruption weighed against a fairly unlikely hypothetical, i.e. "being hacked". They are going to want solid evidence of breach probabilities to weigh against the costs of update labor & headaches, which are here-and-now costs and user disruption.
You can't just say, "updates are good for you, like broccoli". The suits often see it as make-work job security games. Better and presentable evidence is needed.
TFA defines most as anything between 12% and 35%. I don't agree with that definition.
TFA:
> While most experts said they install software updates (35%), use unique passwords (25%), use two-factor authentication (20%), use strong passwords (19%), and use a password manager (12%), nonexperts mentioned using antivirus software (42%), using strong passwords (31%), changing passwords frequently (21%), visiting only known websites (21%), and not sharing personal information (17%).
If you *can* do your job, then they have failed at theirs.
A) "Best practices" are a set. The entire set, which is known to be incomplete, includes all the practices that are candidates for being best in different situations. That is why it is "best practices" and not "best practice." I do admire your dedication to rejecting absurd absolutes, but you missed the mark on this one. That pluralization changes the entire character of the statement. ;) ;) I dunno. Maybe you just meant, IT guys run *nix, so their computers run just like an appliance instead of a torture device.
B) While in general this is a "pet peeve" of mine, you state it way too broadly. There are times and places for various different password policies. Since you make the complaint without narrowing it, it simply fails. Another thing to consider: Assume I run a silly website, but users have to log in. Users who repeat passwords can get their accounts hijacked more easily. It may be that those users aren't important enough for me to take that risk. I might reasonably decide that it is worth the annoyance of a password policy that will prevent password reuse, because it reduces the chance of getting swept up in a broader security breach of people with repeated passwords. See also: use of password managers
C) What does this even mean? Yes, your appliance is an appliance. I don't like pejorative, but I feel like you're talking like an appliance. If the data was important, when they were asked, "Did you back up all your data?" they would have said, "AAHHHHH SHIT, wait, wait, I'll bring it back in a few hours, sorry!" Of course they don't have backups, but did they care? The user is the one who knows if their data is worth caring about. I guarantee you, if they told me what data they had, I would care even less than when I just assumed they had backups.
I keep my money in a mattress in a Swiss bank.
> Even better, move all applications to the web, so everything runs on central servers which are much easier to manage and secure than a fleet of personal computers. Give users Chromebooks or another thin client configuration and don't let them install software.
> This is presumptuous. You're a security guy. You don't know enough about the myriad and varied work the company's employees do to make bright-line rules about how they must do it. Nor will you with any amount of training.
You're presumptuously assuming that I don't understand that there are exceptions.
The approach I recommend will, however, work for the vast majority of employees, assuming the necessary apps exist or can be built (or front-ended... ick, but it sometimes is the best option). Then, with the majority use cases out of they way, the security team can turn their attention to dealing with the special cases -- isolating them, locking them down to the degree possible and monitoring what can't be locked down. Or, in really special cases, training the users and making them responsible for their own security. That last tends to be the best option with developers.
One does not need password managers. Here is what I do:
0) I don't re-use passwords between sites (should be a given)
1) For non-critical passwords (video game logins, etc.) I just write them down in plain text, on paper, near the computer. If those get stolen, I haven't lost anything of value.
2) For important passwords, I write them down using a cypher of my own invention (sounds fancy, anyone in the know knows that this isn't hard).
3) I keep a scanned copy of my written-down passwords on a cd in my safe deposit box, so I can recover them if there is a fire or whatever.
Yes, there is still risk of physical theft. However, the primary attack vector is digital, not physical, so the risk of that is actually low. And if it does happen, I can set new passwords before the identity thief figures out my cypher (which they won't bother doing; they will just move on to an easier target anyway). I know I am completely vulnerable to the government, but they just backdoor everything anyway so that point is moot.
SSO.. eeew no.
Single point of failure. If your one password is compromised, then every single service you use with SSO is then compromised.
It's great if you are in a corporate environment with plenty of corporate protection.
Also, from the sounds of it, these "experts" may be well versed in a specific domain but not really expert in everything related to online security.
With websites being hacked daily, you pick the websites you want to deal with based on some set of trust relationships. You wouldn't go to a sketchy looking website and put in your social security number and all your banking information. Where a REAL security expert is going to determine whether a website is trustworthy and probably assign it some value as to its relative safety.
1. Do I think this website may be in itself malicious?
2. If the website isn't malicious, does the technology they use to protect their users meet a minimum standard for security to prevent any information I may put on there from possibly being stolen?
3. If the security meets the standards, is it safe for me to share personal information? What does this company do with the information that is shared? From a corporate standpoint, does their business model focus on selling or manipulating user information? Is information shared outside the company with or without my permission?
4. Should an online entity or company be asking for this (some level of) personal information from me that has nothing to do with the service they offer me or the business relationship we have?
Oh and password managers... for the lazy. Again single point of failure. If large companies like Amazon and Microsoft can be hacked, with probably some of the more advanced security infrastructures for online businesses, then some piddly little company website is not going to be a match for a determined hacker and then it again becomes a single point of failure.
Use a password locker application on your desktop. Never something you have to connect to remotely.
You should trust and work to make sure the security within your own network and on your desktop meets your standards which should be better than any website you would think twice before sharing information with.
And the cloud... marketing drivel. If you are putting your personal information, that you specifically don't want other people to have access to, putting your safety and security in the hands of a third party with unknown ability, motives or skills, then you by definition are an idiot. Services and machines are hacked every day.
And just so we are clear, 100% of online identity fraud happens because of information about you that makes its way online. Identity fraud numbers have skyrocketed in the past few years. And it mostly correlates time-wise with the rapid adoption of Facebook and other social networking services.
Notice many of the experts are using Linux and that is why they aren't using an antivirus.
Agreed.
I think the goal is really to limit the impact of a user being stupid and being compromised.
A good security policy with very tightly monitored separation of duties and least privilege is a good starting point.
>"Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down."
Yeah, because only non-experts would worry about a closed-source, unknown, third party having access to all their extremely sensitive passwords, stored on a server outside their control, stored with unknown methodology, connected to the Internet, with who-knows what access to the data.
Yeah, only non-experts should be worried.
whoosh
http://www.acetonestudio.com
Useful Solution = Don't Play
Computer Security. What an interesting game.
The only winning move is not to play.
In this case, the take away action would seem to be to make sure you keep all the software updated.
I must admit, I'm skeptical of this. Updates can introduce vulnerabilities as well as fix them. Do updates, on average, make a system more or less secure?
For your bank.
That holds your money (or at least your debt). That you will hold responsible for anything that goes wrong.
Not stupid in the slightest.
Having a different PIN/password for your card, telephone banking and internet banking, as well as a second factor of authentication for internet banking transfers, compartmentalises different attack vectors so that someone who overhears your telephone PIN can't use that to access your netbank.
These measures are in place because if a scammer empties your bank account or tries to buy a flight in Belarus with your credit card, you'll be demanding the bank return YOUR money. As it is the bank's responsibility to secure the funds and credit they hold, it is also the bank's prerogative (and duty in many cases) to force you to follow effective security protocols even if you don't like it.
You've gone and provided an excellent example of what the summary was talking about. As a non-expert you are not aware (and are likely to go into denial) of the security risks associated with banking. As an expert I'm aware of why those measures are in place.
Calling someone a "hater" only means you can not rationally rebut their argument.
You want to trust your financial log-ins to Facebook, Google or Microsoft? Hope you keep most of your money stuffed in your mattress, it would certainly be safer there.
Whilst I don't expect that Facebook, Google or Microsoft will deliberately steal money, they certainly won't make it as hard as the banks currently have to.
Beyond this, the possibilities for datamining and targeted advertising are just scary. Roseanne Barr and Margaret Thatcher erotic fan fic scary.
That being said, I'd still not keep money stuffed in a mattress, I'd buy some precious metals and keep them buried in the back yard as metals have the chance to appreciate.
What's stupid is that Google researchers publish findings, then a security blog regurgitates the findings and then Slashdot links to the regurgitation instead of linking to the original findings. Of course, some other aggregator will now link to the Slashdot discussion and some other place will link to that and so on and so on.
http://googleonlinesecurity.blogspot.com/2015/07/new-research-comparing-how-security.html