What Non-Experts Can Learn From Experts About Real Online Security
An anonymous reader writes: Google researchers have asked 231 security experts and 294 web-users who aren't security experts about their security best practices, and the list of top ones for each group differs considerably. Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates. Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down. Another interesting thing to point out is that non-experts love and use antivirus software.
Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates.
"Experts" are much better equipped to work around an update that makes a mess, and "Experts" are better able to pick up UI changes than "Non-Experts". Security is a good reason to update/upgrade, but every non-expert I know whose phone got the Lollipop update described it with obscenities, and would have been perfectly fine with a 'security patch only' update. The problem is that there's no consistent way for non-experts to know whether this will be a "transparent security fix" kind of update, or a "this will f'k up my s't and rearrange everything for no good reason" update. Even updates that don't make a mess of the UI cause other problems. Windows XP, circa 2001, needed 256MB of RAM to run acceptably. By the end of its run, the UI hadn't changed, but somehow it required at least 1GB of RAM when it was (supposedly) the same OS. Admittedly an obscure example (but the only one I can think of at the moment): an Intel wireless NIC driver update I did once removed the ability to specify my own MAC address. A router firmware update I did once notably decreased the throughput of the network traffic it was processing. We all remember the Slashdot outcry when Sony removed OtherOS from the PS3. "Update" has a long history of having mixed impact on end users, so any "Expert" who both unilaterally applies updates and doesn't understand why "Non-Experts" don't share this practice may well have a thorough understanding of computers, but a piss-poor understanding of humans.
Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down.
Many password managers use Teh Cloud (tm). There's a damn good reason to be reluctant to store all of your passwords on somebody else's hard disk. Local password managers solve that problem, and now we're back to the classical problem of 'backing data up' and 'single point of failure'. Even at that, who do you trust? Heartbleed was a particular mess from a PR perspective because Open Source ("More secure than Microsoft!!11") had a spectacular failure that was used by "Experts" - people who were supposed to be putting security at the forefront. If such a widely circulated OSS project could have such a problematic bug, what possible hope does a regular user have with respect to betting on the right horse? Even if they do, there's nothing that they can do for the far end doing stupid things - all the password managers in the world won't change a blessed thing if the password was for Sony or Ashley Madison. It's all risky at some level, and ultimately, password managers overcome a shortcoming of computers themselves. Non-Experts have things to do. Writing passwords down in a nondescript password book, kept in a room separate from the computer itself, with each of the passwords changed annually, is probably the simplest and cheapest way a non-expert can put themselves comfortably in the third standard deviation.
Another interesting thing to point out is that non-experts love and use antivirus software.
As well they should. Antivirus software is a layer of security, and one that non-experts tend to use more consistently than any other form of threat mitigation. It's not a cure-all (more likely the problem that exists with non-experts using AV software; they throw caution to the wind under the assumption that the antivirus will protect them), but it will be very difficult to convince me that properly updated AV software does more overall harm than good.
Don't depend upon a user's memory. Tell them that it is GOOD to write down their passwords AS LONG AS THEY STORE THEM WITH THEIR CREDIT CARDS.
The REAL problem with security is that the VENDORS do not place a priority on it.
It isn't that we hate to hear that.
We're already DOING that. But it doesn't help much when a CxO installs some infected software on his laptop (which he can because he is so important that he NEEDS admin-level access) and then brings it into the most firewalled section of the network.
Right now I'm focusing on knowing when a site is compromised rather than trying to get EVERYONE to follow the best practices EVERY TIME on EVERY SYSTEM.
There are different kinds of experts (this applies to all areas...). There's the 'professor', who understands it all, is glad to tell you how much you don't understand it, but has never implemented a useful solution. There's the 'painter', who knows how to find it and cover it up and make it look and sound good; there's the 'mechanic', who'll go in and work on it for you, but you may not know what he really did or if he really helped you; and there's the 'mentor', who will take time to make sure you understand and can do the right things.
"Security Experts" are mostly fraudsters working for the anti-virus industry. You don't get security from anti-virus software. You compromise it by running additional proprietary applications which can't be inspected. This is not to say that the sources being available makes it secure, but it is a critical foundation, for which any failure to do so is the equivalent of building a house on sand. It might work, until the earthquake hits. The lack of security is the result of holes (bugs) and user-related design issues. If you're looking at code and reporting bugs, you're a security expert. Anything short of that and you're a fraud.
This is the key problem. Only experts are able to assess the risk of a password manager and use it appropriately. How can a normal user know whether a password manager is trustworthy? Do any of the big web sites recommend a trustworthy password manager?
The only viable solution for a normal user is SSO. Logging in with Facebook, Google, or Microsoft Live, that is the way forward. 3 accounts are easy to remember, and it would also be faster to detect suspicious activity. But does any bank offer SSO?
No, of course not. In fact my bank requires me to remember 4 PINs, 3 passwords and one user ID. How idiotic is that?