IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com)
Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.
[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.
who writes about the everyday reality that he finds weird, twisted and absurd for which most people accept as being perfectly normal.
for which!
This is not new news. Users have forever been a problem.
http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
Working as IT in a small business retail store. Customer walks in and asks "Hey, can I have your Wifi password?" - and a non-tech person just handed it over. Said non-tech person also used same password for full admin access on their Windows Server machine.
Needless to say, once I was made aware of this, passwords were changed, and now the wifi password is unique from everything else just in case some bumbling idiot decides to hand it out again.
If I had a dime for every person that asked me "can you just make it work without a password' or "why can't I just use the same password for everything". Usually this comes from manager-types.
I do not belong to the church of the lowercase 'i'
I work at a company with exceptional security and I'm still fairly confident some turd with their password written on a post-it will get us all hacked because they don't know any better and don't care. My computer's too slow, let me turn off disk encryption! Passwords have to be TWELVE characters ugh, I have to write that down!
Seems fairly obvious who the weak links are most of the time anyway.
n/t
We all know it's true; when it comes to technology, most employees are idiots. Management too.
I want to blame the technology companies a bit here; UX design is the root cause of a lot of these problems. It's bad enough on its own, but companies like MS continually make radical UX changes between versions making it even worse.
Back to employees, however; a lot of them don't see the need to increase their skillset. They grudgingly use the technology, but refuse to become proficient with it. They adamantly refuse to accept that were they more knowledgeable with the tech they were using they'd do their jobs better.
So these results don't surprise me at all.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
...normal people think IT guys are just the worst, and they're both right from their point of view.
What a scoop...
...passwords and two factor authentication simply because they'd chose such simple passwords to remember.
People hate having to learn something complex to remember, even if it just takes the effort of putting a small note in your wallet for 4 days to help you remember, you'd be SHOCKED if you just knew what passwords even professionals choose, it's hopeless.
So what we did at our big corporate, was to implement a Password A.I guide engine that helps people avoid bad passwords, so it picks stuff from a HUGE database of simpleton passwords (you know, guitar1234567) etc. it will simply explain to people why their passwords are not very good (we're polite, so we don't tell them that they're simple and ...essentially not very IT savvy, they're good at something else, right?)
People just want an easy life, most people working with computers as just a tool to get the job done, don't want a huge advanced routine to do their job, and when the password becomes a chore and hard to remember, it will stop them from doing their job, and since we're nagging people to change their password 4 times a year, with reminders that pop up every day for 14 days before it expires, people simply get seriously annoyed. And they will go through hellfire to find an easy to memorize password before they even try to train for a complex one (Here's a complex one for you, for those who simply don't get what that would be:
J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use, even with a secondary two factor authentication device, and it's not hard to learn to remember it, sure - it's not as easy as guitar1234567, and it takes effort to learn it - but most people (if they just kept that note for a few days in the wallet, had to enter it 10 times a day) they WILL remember it, even the average Joe - and their personal security on the net would sky rocket in comparison.
But...people are ...simple.
What this world is coming to - is for you and me to decide.
Social engineering is the best way to hack. Hell, some people are so dumb they leak shit in their selfies.
Loose lips sink ships
At my previous job, I got a call from a lady saying "microsoft ordered me to call them... they said I have a virus and I need to remove it, but they're asking me to take steps I'm not sure how to perform, can you come help?"
I rushed down to her desk to find that she'd gotten bored between tasks, tried to google something, and clicked the very first link that popped up that had the little green "AD" listed next to it. The person on the other end of the phone was from an off-shore phone farm trying to glean info on our company. I hung up, explained to her to make sure she's not clicking ads, and that this can easily be avoided... no big deal. Close call, but no big deal.
Not even 10 minutes after I return to my desk... she calls again saying "I'm getting these weird pop ups now, do you think you can come help again?" I show back up to her desk, and she has again googled facebook, to try and get to her login page. As she's walking me through what she did to make the weird pop ups appear, she stops and goes "oh... I clicked the top link that had "AD" listed next to it... I'm sorry".
I know she didn't mean to... it's just, people get so caught up in their routines when it comes to their PC's and how they operate them, that they don't stop to think, and they definitely don't remember what the security groups tell them.
Now that all the tards in my extended family have a Chromebook, I'm never bothered by their "fixit" requests anymore. Chromebook is pretty bulletproof, safe from every retard.
At one company I worked at, we had so many employees opening e-mails that were obvious phishing attempts and they would fall for it. Many, many times. Regular instruction and policies/videos weren't working, so we ended up constructing our own fake phishing attempts periodically to see who would fall for it. We always managed to snag one or more people.
Everyone at the top level always makes exceptions for themselves, which open vulnerabilities that can easily be leveraged, and they're also the most vulnerable to social engineering attacks.
-- Tigger warning: This post may contain tiggers! --
A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.
Well, yes and no.
Yes, you shouldn't trust that Nigerian prince, you idiot. Or give your password to someone who emails, etc.
No, because systems (in general, IT or otherwise) need to be resilient against a certain amount of human mistakes.
Any system that can be completely brought down with general calamity for the company just because Betty the cat cursor loving secretary makes a mistake isn't a very robust system.
We've forced our workforce to use advanced passwords and two factor authentication
What you've actually done: Doubled the workplace's sticky note budget.
If you are doing two factor why torture everyone with bullshit complexity requirements? For the LOLs?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Being an "IT Professional" is now one of the most dangerous professions in the entire world and is a complete waste of time.
You're liable and responsible for everything from attacks coming from your own Nation / Other Nations / Administration / HR / Users not to even mention the actual hackers.
Companies even deploy SIEMs to catch and prosecute their own internal mistakes / accidents to the full extent of the law.
I call for the great IT Strike of 2020! What are they going to do when you won't run their infrastructure? How much more will they pay you?
Fuck being an IT professional... Programmers get to work with computers, not so much people...
I was a Systems and Network Engineer and switched to independent development, with my 16 programming languages and various open source stacks.
Fuck working for a horribly run corporation with their bullshit security and policies.
I would rather work for and with myself than with a Team of Incompetence!
A few points:
- Users are "unwashed" compared to IT personnel? Have you *worked* in IT?
- The first thing IT professionals forget (speaking as one) is that computer management isn't the user's job. It may be *your* expertise, but it isn't *theirs*. They have a different job to do which you would probably suck at. Expecting them to be IT professionals on top of their regular job is an unreasonable expectation. So stop fussing about it.
- That said, often security issues really are kinda the user's fault. We told 'em and TOLD 'em, don't do that, you'll infect your.. ok, too late.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
We have loads of security guidelines for everything from using heavy machinery to closing the door and turning on the alarm when you leave the building. Everyone thinks this is perfectly normal and that you are to blame when you do not follow them, regardless whether you understand the reason, or how it inconveniences you.
There is no reason for this to be different when it comes to IT security.
On one hand, users are complete idiots. Like, fundamentally, there is no securing that. We have workarounds and trick psychology, but, fundamentally, users are a very weak link.
On the other hand, too many (bad) security people blame every problem on the user. "Can't remember your password because we make you change it every 90 days? Git good, luser." That's a common attitude, which only exacerbates the problem.
As a security professional (for embedded systems, so I usually don't need to trust my user very much fortunately), I'll one up the thinking that normal people are just the worst, because I'm lumping the average IT and security professional in there too.
Here's the thing - every computer out there is insecure. We basically don't have the knowledge on how to build a secure computer that most of the population can use while remaining connected to the Internet.
There are really only two choices now: 1) disconnect from the Internet and don't face these risks 2) expect risks and pay to avoid incidents and/or clean up after them.
IT people are the worker bees of 2). Blaming the users for using faulty equipment is a waste of time.
Nobody seems to want to do 1) because overall there are profits to be made by being Internet connected. If your place of business wants to do 1) but not 2), then just run for the exits before it's too late.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
It is fundamentally incorrect to call in-house desktop support people "IT Professionals." These are desktop support technicians, not IT Professionals.
IT Professionals do not work "in house." We all work in consultancy, because we can. Nobody who is worth their salt as a Pro Neckbeard needs to work as an in-house lackey.
They are not "technophobes", afraid of technology. They are merely annoyed with it. You see, normal people do not think the way we do. To them, "increasing the skillset" means having to memorize more boring and pointless stuff. In school, the teachers only teach the test, and that habit continues throughout every normal person's life. To learn to use some program, a normal person, like my mother, will write out the exact sequence of steps needed to complete each particular task. Move the mouse there, click twice, select third option in menu, click OK, click I'M SURE DAMMIT, type "abracadabra" and press Return. Another task, another list. All these lists are followed precisely and without any conscious thought. If the UI changes, the procedure breaks and a new list must be created and memorized. This is how normal people do EVERYTHING. Understanding how the program works is not even conceived as an option.
Too many 'normals' today haven't got a penny to their name, think texting while driving is safe, believe in subjective moral reasoning and have withdrawals if they can't check their FB messages every 5 minutes.
Normal? These people have serious mental problems.
A developer for one of my past organizations, a true rocket scientist, posited it the best: "The network would be great, if it wasn't for all of those users!" Cheers, Ron.
Clickbait, and bullshit.
This one's both rolled into one. Just like msmash likes it.
Professor Oak, director of the Ponemon Institute, had this to say about security bugs: "Gotta catch 'em all!"
#DeleteChrome
" They see people almost being denied a supreme court seat because they once had a beer while in school." - No, he perjured himself under oath. It's not the beer, you lying faggot. IT'S THE LYING, YOU LYING FAGGOT.
YOU TELL A LIE UNDER OATH AND YOU ARE A CRIMINAL. That he basically ATTEMPTED TO RAPE A CLASSMATE also didn't really rise to the occasion of a lifetime appointment to the SCOTUS without investigation.
But with TRAITOR SUPPORTING DISHONEST FAGGOTS LIKE YOURSELF in charge? He sailed right through anyway, to lie another day.
Dry your eyes, traitor. Your little perjurer didn't get caught - yet!
https://tech.slashdot.org/comments.pl?sid=13577626&cid=58274188
no one company is willing to train their employees properly. they just assume you are proficient in everything 'basic'. part of the wealth generated is by by-passing training to save a few dollars.
...the robots replace all the dumbest end users.
The guy who will ask to tie everything down so that you can't have a drive, connection to outside, or anything executable, limiting you to text files and nothing else. Seriously all proposals I have seen from the guy tending our PCs are nonsense, tying them down until their usefulness is down to secretarial work. I work in *development*, I will let that sink in. They were setting up our PCs so idiotically that the java directories or utilities (e.g. mysqlworkbench, oracle etc...) and all associated jar setup is scanned by McAfee nervously *on access* until the PC breaks down under the fucking 20% CPU or HDD usage from that shitty thing, and those idiots did not want to add an exception for the directory. So instead all of us asked and got an exception to get admin rights and we disabled McAfee to be able to WORK. And guess what? Due to their idiotic antics of not hearing our NEED rather than theirs, well the firm is LESS secure. So fuck that noise. They are here to protect business but keep business working. It isn't business which has to adapt to them but them to business.
If you are alarmed by this result then you should immediately be wondering: is this merely a perception by IT/Security Professions or are the normal people in fact as awful as perceived?
Anons need not reply. Questions end with a question mark.
You're kidding, right? Otherwise, it sounds like a narcissistic case of "I'm capable of remembering long random gobbledygook, so you should be also."
And, I don't understand why the password file cannot be implemented in a dedicated-hardware "lock-box" such that it cannot be file-copied, preventing say 500,000,000,000,000 attempts at it. Using regular-file-based password repositories is just a speed-race to the bottom.
Typically you'd have 2 of these lock-boxes, 1 as a mirror spare*. The only way to get file access would be to break it open, or find the physical key. Otherwise, all access is through a throttled API. The per account throttling would be tighter than the per lock-box throttling. I'm not saying such is completely unhackable, but far less so than a regular server file because it's designed to do one and only one job. (Crap, I sound like Al Gore.)
* If one breaks, the other is physically unlocked and a new spare hooked up directly up for re-mirroring, cable to cable.
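The throttled-API idea in the comment above (per-account throttling tighter than per-box throttling, and no file access to the credential store), as an added example that is not the commenter's design or any product's code. It is a pure-software sketch of the throttling logic only; the physical isolation of a hardware lock-box cannot be shown here. The class names, the token-bucket rates, the PBKDF2 iteration count and the sample accounts are all constructed for this illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # constructed value; tune to your hardware


class TokenBucket:
    """Classic token bucket: `capacity` tokens, refilled at `rate` tokens per second."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.updated = None  # timestamp of the last take()

    def take(self, now):
        """Spend one token if available; refill first based on elapsed time."""
        if self.updated is not None:
            elapsed = max(0.0, now - self.updated)  # guard against clock going backwards
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ThrottledVault:
    """Credential store reachable only through verify(); no method exposes the records.

    Two independent limits apply: a tight per-account bucket (defeats online guessing
    against one user) and a looser box-wide bucket (bounds password spraying across
    many accounts). Defaults are illustrative: 3 tries then 1 per minute per account,
    100 burst then 10 per second for the whole box.
    """

    def __init__(self, per_account=(3, 1 / 60), box_wide=(100, 10)):
        self._records = {}          # account -> (salt, pbkdf2 hash); never returned
        self._account_limit = per_account
        self._account_buckets = {}  # in production, bound this map (e.g. LRU eviction)
        self._box_bucket = TokenBucket(*box_wide)
        self._dummy_salt = os.urandom(16)  # used for unknown accounts so timing matches

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def enroll(self, account, password):
        salt = os.urandom(16)
        self._records[account] = (salt, self._derive(password, salt))

    def verify(self, account, password, now=None):
        """Return 'ok', 'bad' or 'throttled'. `now` is injectable for deterministic tests."""
        now = time.monotonic() if now is None else now
        bucket = self._account_buckets.setdefault(account, TokenBucket(*self._account_limit))
        if not bucket.take(now):          # per-account limit is checked first, so one
            return "throttled"            # hammered account does not drain the box budget
        if not self._box_bucket.take(now):
            return "throttled"
        salt, stored = self._records.get(account, (self._dummy_salt, None))
        computed = self._derive(password, salt)  # always do the work: no account enumeration
        if stored is not None and hmac.compare_digest(computed, stored):
            return "ok"
        return "bad"


if __name__ == "__main__":
    vault = ThrottledVault()
    vault.enroll("betty", "correct horse battery staple")  # constructed sample account
    for attempt in ["guess1", "guess2", "guess3", "correct horse battery staple"]:
        print(attempt, "->", vault.verify("betty", attempt, now=0.0))
    print("after 60s ->", vault.verify("betty", "correct horse battery staple", now=60.0))
```

The fourth attempt in the demo is refused even though the password is right: the per-account bucket is empty, and the caller has to wait for a refill. A real deployment would also log the throttled events, since a burst of them across many accounts is the signal for a spraying attempt.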
Table-ized A.I.
Have gnu, will travel.
Users will constantly say things like "I just don't understand technology." or "I don't care what's wrong, I just want it to work". This used to put me in a bad frame of mind. I find it hard these days not to laugh at them. I wonder how long it took them to learn that fire will burn or not to walk down the middle of the freeway. They live in the same world as us but refuse to put a minimum amount of effort into learning how it works.
No matter what profession each of us is in, I am certain that we all have stories about "stupid users". They surely do exist. But there is a flip side to this story.
Many "stupid users" are not stupid at their jobs or life in general. They just do not cooperate well with the paradigms of computing and technology that are handed to them by "the industry". The makers of the technology are quite savvy about such things. But, they might forget that not everyone is so, or be dismissive of ordinary smart (or dumb) people who are not as learned about those things as the manufacturers and technical folk are. Those people decrying the IT "stupid user" are likely to be the butt of jokes about how dumbass they are when it comes to accounting their taxes or fixing their car or managing their own diabetes.
If there are too many stupid users, perhaps it is not the users. Perhaps the technologists who make techno products ought to produce better devices and software and computing paradigms that place greater emphasis on user interface, usability, human factors engineering, ergonomics, and just plain wtf common sense. It seems to me that too many IT people are so wrapped up in the technology and their own familiarity with it that they are suffocating from a lack of reality and some sympathy to how their mom or grandma might use the technologies they are making or managing. Turn your propeller head beanies upside down and air out some of the supercilious cobwebs in your IT skulls.
I studied for the CISSP and the first thing you notice is how many controls revolve around user education. Users will click on anything they can, unless you educate them not to. It is IT's job to educate the users to think before they click. Also teach them how to spot fake URLs and not to click attachments from external sources unless they specifically requested said attachment.
We Real People believe IT and security people are weirdos and that they should not be allowed to exist within society. Guess what, there are way more of us Real People than there are weirdos, and we happen to hold real power. We can make you go away, you know.
But another way to look at it: the challenge for Corp Sec is to make it easier to do things securely than it is to do them insecurely. It's a big challenge, but it's possible. Things like WebAuthn will help.
My network would run 100% smoothly and without errors if it wasn't for all the stupid end-users.
SQUIRTLE!
I'm burning mod points to post this but I just can't let this go by. A huge part of the problem with security is IT itself. We have learned that long passwords are good and use of weird characters (numbers, capital letters, punct, etc) are bad. Plus most users shouldn't be required to know more than 2 passwords (normal and maybe an elevated one). But many IT personnel keep with the same broken password policies from the past that we now know are bad. If you still use these outdated and problematic password policies, you can't blame the users, IT is still at fault...
"Those that start by burning books, will end by burning men."
I have been in IT since the 90s. The worst customers by far are other people in IT. They think they know everything, and surely know more than you - the person they have contacted for help. Without a doubt the worst customers I have to deal with are IT people :
- they don't want to follow your directions
- they don't believe the info you give them
- they are rude
- they talk down to you
- they are happy to carry on like this for a long time
These are the worst people IT has to offer. I wish them all a very early death so the rest of the world can breath easier.
Is that person your social media department, or does your company not have an internet use policy?
For anyone not specifically approved for social media access from corporate machines, they can use their phone (on cell data, not wifi) if they want to goof off. Then it is their manager's problem if they goof off.
If you try to access a social media that the Board has not approved, per our policy, you get a spoofed logon page that takes your credentials, then redirects to a shady looking "please confirm your password" prompt with the work email already filled in (based off static dhcp reservation lookup). They then get two choices. Hit cancel, and get logged and redirected to the acceptable internet use policy page, or type in a password and hit next, to get logged, a pop under of the internet use policy and a redirect to the (more politely worded) " don't type your corporate password into your browser, you dumb fsck" and a mandatory e-course refresher on security that their manager has to administer a paper quiz for.
Bonus: We get to see who has the dumbest hires and both the manager and the manager's manager gets that data. After all, if your subordinate is hiring idiots who consistently go to prohibited sites during work hours, giving away their work password, on a work machine, from the work internet connection, you need to be aware of that.
And it is worse if they have a PhD because they think they are smart about everything when they are basically clueless. Sort of like a pilot who is also an M.D. Network and computer security are not intuitively obvious to untrained people.
Everyone does dumb things at their computers, but refusing to listen about real-world threats, with strategies to mitigate them, is a very common failure.
Worked at one company where we didn't have any "IT", we all just handled our own computers and I did all the development servers. They hired a new President ... with a marketing background and we had to hire a full-time Windows Admin just for him. He kept losing files because of failed drag-n-drop efforts.
Passwords on post it notes are a sign that the password requirements are too strict or onerous.
No, they're a sign that the person who wrote it down needs to be fired.
Good luck retaining employees longer than ninety days.
That comment does NOT deserve "insightful" moderation.
It's just cheap-shot victim blaming. The people who are supposed to make things better blaming the victims they failed to help and protect.
Actually I blame Microsoft. One of the main keys to Microsoft's "success" and perhaps the main source of their YUGE profits was their leadership in escaping responsibility for mistakes. Read your EULA. Whatever happens to you, whatever damage you, your company, or your customers suffer, no matter how egregious the phuckup, you will find that Microsoft's "legal" liability is quite precisely limited, and in most cases limited to nothing at all. It didn't have to be that way, and if Microsoft (and other corporate cancers) had been held liable for their mistakes, you can be certain they would have been more careful. There's a reason they call it moral hazard.
(Microsoft's other key tactic was minimizing direct sales to the suckers... Er victims... Er, I mean end users. The very honorable end users, and it doesn't matter how much they wind up cursing Microsoft after the fact. Just recently I provided some technical advice on some new machines, but I could not persuade them to even consider skimping on one of the Microsoft taxes. They insisted on paying the OS tax and the MS Office tax to boot.)
Not the saddest part. That's the lack of a solution approach. The solution is obvious, but it will never happen.
Imagine cutting Microsoft into competing companies. NOT vertically, but horizontally. Each baby Microsoft would start with a copy of the source code and an equal share of all the corporate resources. Windows and Office would be standards, and the people would actually have the freedom to buy from the baby company that gets most serious about improving the security of the software.
(My delusional implementation strategy would involve a progressive profits tax linked to market share. It is not a penalty for success. Rather the higher tax rate is a penalty for reducing freedom and the lower tax rate (after dividing the company as needed) is a reward for reproducing the good ideas into separate companies.)
As usual, time's up, but I bid you ADSAuPR, atAJG.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
What cases is a password manager not available
- Corporate IT forbids installing an unapproved application and declines to approve your password manager.
- The password is to a service accessed through a video game console, set-top streaming box, or other device to which your password manager is not ported.
- You have installed a password manager, but in order to synchronize its database to this device, you'd have to first disassociate one or more of your three or more devices from your Dropbox account in order to associate the device.
How is your day going, APK? You seem very angry even though you said you were in a great mood yesterday. What's wrong?
We live in a world where management "won't let security get in the way of doing business." And my response to that is, "your security budget should have started where your incident response budget will come to an end." If they have to pay $60/year for 3 years for 2,500 credit fraud protection instances who am I to give a crap at this point? They probably deserve it. As for the unwashed mundane masses, "It's true. All of it."
Good passwords are actually phrases of easily spelled words that form a mental image for the user
Exactly! The reason: password strength is exponential in length but only polynomial in the size of the character set. Given a set of N characters and a password of length M one has N^M choices so increasing M has a much larger effect than increasing N. Requiring caps and special characters is minor compared to increasing length.
A pass phrase such as "my stupid sister in law has two real brat kids" has 27^42 ~ 1.8e60 possibilities. (This is roughly the estimated number of electrons in the universe! )
If the rules say use caps, numbers, and special characters, make it "My stupid sister in law has 2 real brat kids!" with no meaningful increase in security, only keeps the PHB happy.
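The N^M argument above, and the earlier comment that long passwords beat weird-character requirements, worked through as an added example (not code from either commenter). It takes the two passwords quoted in the thread, measures their length with len() rather than by hand, and reports three figures: the 27-character brute-force space the comment uses, the 95-character space a random-character password draws from, and a word-level model in which the attacker guesses whole words from a list. The character-set sizes, the 7776-entry word list size (the EFF long list) and the 8-vs-12-character comparison are assumptions chosen for the illustration; the word-level figure is an upper bound for a human-chosen sentence, since common words in grammatical order are far from uniformly random.

```python
import math

# Constructed inputs: the two passwords quoted in the thread, plus set sizes
# that are assumptions for this illustration, not measured values.
PASSPHRASE = "my stupid sister in law has two real brat kids"
RANDOM_PASSWORD = "J4Al4&/rO1.P9DeErxL"
LOWER_PLUS_SPACE = 27      # a-z and space, the set the comment assumes
PRINTABLE_ASCII = 95       # printable ASCII, the set a random password draws from
EFF_LONG_WORDLIST = 7776   # 6^5 diceware words in the EFF long list


def brute_force_bits(charset_size, length):
    """log2(N^M): work for an attacker who must try every string of that length."""
    return length * math.log2(charset_size)


def wordlist_bits(word_count, wordlist_size):
    """log2(W^k): work for an attacker who guesses k whole words from a list of W."""
    return word_count * math.log2(wordlist_size)


def length_vs_charset(base_charset, base_length, bigger_charset, extra_length):
    """Bits gained by widening the character set vs. by adding characters.

    Returns (gain_from_widening, gain_from_lengthening) from the same starting point.
    """
    base = brute_force_bits(base_charset, base_length)
    widened = brute_force_bits(bigger_charset, base_length) - base
    lengthened = brute_force_bits(base_charset, base_length + extra_length) - base
    return widened, lengthened


def strength_report(passphrase, random_password):
    """Compare a passphrase and a random-character password under three models."""
    words = passphrase.split()
    return {
        "passphrase_chars": len(passphrase),
        "passphrase_words": len(words),
        # The figure the comment computes: every string over 27 symbols.
        "passphrase_brute_force_bits": brute_force_bits(LOWER_PLUS_SPACE, len(passphrase)),
        # The honest figure: an attacker who knows it is a word phrase guesses words.
        # Upper bound for a human-chosen sentence (words are not uniformly random).
        "passphrase_wordlist_bits": wordlist_bits(len(words), EFF_LONG_WORDLIST),
        "random_password_bits": brute_force_bits(PRINTABLE_ASCII, len(random_password)),
    }


if __name__ == "__main__":
    for key, value in strength_report(PASSPHRASE, RANDOM_PASSWORD).items():
        print(f"{key:30} {value:.1f}" if isinstance(value, float) else f"{key:30} {value}")
    widen, lengthen = length_vs_charset(26, 8, 95, 4)
    print(f"8 lowercase -> same length over 95 symbols: +{widen:.1f} bits")
    print(f"8 lowercase -> 12 lowercase:               +{lengthen:.1f} bits")
```

Even under the word-level model, the 10-word phrase comes out ahead of the 19-character random string, and adding four lowercase characters to an 8-character password buys more than switching those 8 characters to the full printable set. The brute-force figure for the phrase is only meaningful against an attacker who does not know it is made of words, which is why the report shows both.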
...if it weren't for the customers.
These rules have been in my sig (and are better explained there) going on for a decade now. For how old these rules are, they still apply. Every virus in that last 10 years exploits 1 or more of these rules. The more you are aware of them as an IT professional, the better your system design will be to mitigate risk.
Laws of computer stupidity
1) 99% of computer users do not know what they are doing.
2) Computer users do not read.
3) If a computer user can click on it, they will. Conversely, if a computer user needs to click on it, they won't.
4) You can patch software, but you can't (legally) patch stupid.
5) The premise of monkey rule: If you can't train a monkey to use it, you can't train a human to use it.
In Soviet Russia, Trojan exploits YOU!
Oh very much, yes.
"Users" are the problem causing security breaches, just like "wheels" are the problem in car accident fatalities. Sure, they're an easily-identifiable point in the causality chain, but there's a lot of underlying factors that need to be considered.
People, including users, generally try to do what's right. In almost every case, the source of the problem falls into one of three categories:
There are levels of distinction within each category, but that just changes the difficulty of the attack... how precisely a phishing page needs to be crafted, or how big the bribe needs to be. To raise that difficulty, a company (or individual) must see investing in their environment as an integral part of their security doctrine. Providing users with extra software tools is a security feature. Having an easy change-request process is a security feature. Having a team outing is a security feature, just as much as telling users to pick a complicated password.
You do not have a moral or legal right to do absolutely anything you want.
You're not wrong... but you aren't right enough to my way of thinking either.
I was reflecting on this just today. What don't regular users get about computer security?
1). The computer doesn't "just know them", but that's what they actually want. "Here I am, it's me, you know me!" So we try to deploy biometrics and that's a whole other story;
2). There is no percentage in computer people relaxing security requirements. We can be right 999 times but if we are wrong even 1 time, your ass will take a scorching from someone, and likely everyone. "Oh those incompetents in IT, don't they know that security passphrases have to be at least 48 characters long, those 36 character passphrases are known to be insecure due to a technology that might not even exist in the wild!"
In security, false positives are a disaster. False negatives result in a call to the Help Desk and while inconvenient, causes no one to lose their job or get a negative performance review.
Make something idiot-proof, and they will build a better idiot.
-- Murphy's Law
The problem is people. The human race has a good chance of going extinct. Then it won't matter. Then again, maybe the last human that perishes on the last day will say, "wait, did I change that password?" And then die.
"Users" are the problem causing security breaches, just like "wheels" are the problem in car accident fatalities.
No, "Users" are the problem causing security breaches, just like "drivers" are the problem in car accident fatalities.
And for the same reasons. Humans who ignore commonly accepted rules and laws when operating a mechanical contrivance on the [Internet super]highway cause crashes.
If you drive a car, you need to know how to keep it secure.
You should be a trained locksmith. Don't forget to rekey it at least monthly.
If there's a vulnerability to a slim-jim, you should be able to patch the vulnerability (weld a tab inside the door to block the slim-jim).
If someone breaks the glass, maybe you should have gotten bulletproof glass.
Did you rig up a sensor to detect if a GPS tracker was covertly installed?
Did you install a screen to keep people from siphoning gas? (Did you know it's not hard to make a punch to break it and siphon anyway? Might stop the amateurs.)
Have you reviewed the code in the engine computer? The entertainment system?
I am sure there's more, but I am not a car security expert.
.. and associated 'national security' stuff?
that's my #1 concern - some idiots think you can have backdoors for good guys and the bad guys won't find them...
The problem isn't users, it's the engineers who think they know better. Every feature or device a user has problems with was designed by an 'expert' and implemented by 'an expert'. That annoying interface in Windows? That was designed by a team of experts and implemented by a team of experts. That iOS feature that everyone hates? Designed and implemented by experts.
If the experts can't make something that users like or can use, whose fault is it?
The twisting... it is... extreme!
Why are things being characterized like this? If you examine all security breaches, the numbers roughly align with what IT security "believe!". All that is happening here is that a survey was done and they found that Security Researchers and IT Personnel happen to "believe" what the numbers actually are.
And yet... all of this is being spun as "IT Security thinks people are the worst."
Why is this being spun like that? What kind of division are they trying to sow? Why is an "article" (for various definitions of article) like this on this site?
Seriously, I think 5% of the world is insane and is working VERY hard to keep the rest of us insane. This article is insane. It makes no fucking sense. Security folks do not think like this. I know, IT Security is what I do.
This "article" is a glowing example of something deeply disturbing about our current "social order". Where observing and acknowledging reality is being spun as something judgemental and therefore to be avoided. What. The. Fuck. is going on here folks? Are the social programmers getting lazy here or what? This is soooooooooo poorly done that it is super easy to see the agenda. I can see behind the curtain very clearly on this one.
If you don't stop this absurd shit, I will become very angry and you won't like me when I am angry (Hulk reference ;))
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
I am glad at least one other person is seeing right through this "evil" article.
I do kind of wish you had explored WHY it is flamebait, but I am happy enough just seeing someone else call it out. This kind of crap literally (yes, literally literally) drives me towards insanity.
So imagine, if you will, a Venn diagram with some IT professionals normal and some not normal. So some IT professionals see some other IT professionals as the worst?
I'd prefer to avoid the "drivers" analogy, because people cling to the idea that drivers are at the top of the causality chain. Nevermind the effects of dashboard design, maintenance recommendations,
If you want to go with a human analogue, I'd refer to airplane pilots. They're more likely to have a fatal accident in the car driving to the airport than when they're actually flying the plane. That's primarily because every aspect of the piloting experience has been refined (often at the cost of human lives) to minimize errors. Whenever something is more error-prone, the FAA gets involved, headlines are made, and it's generally a Big Deal until the process or tool changes to reduce those errors again.
That's the only way to actually achieve security. Don't just claim that rules are "commonly accepted" and shift the blame to the users, who often don't have any idea what those rules are. Instead, recognize that humans are reactionary components of the system, and start managing the environment they're reacting to.
Quite frankly, the main reason employees are a security problem is the way we security professionals are handling our responsibilities: By offloading them onto the employees. What's the usual consequence of needing a secure way to access a computer? Requiring some ridiculously convoluted passphrase that no sane person could possibly remember, with requirements like capital and lowercase (but not more than 2 next to each other), numbers and special characters, at least 16 characters long and no more than 4 consecutive characters may form a coherent word in at least 20 languages. What will they do? Write it down. Duh. Preferably on a post-it note tacked onto their screen.
It seems that some security professionals have that pressing urge to build a security monument that demonstrates their awesomeness. Only to produce ridiculously convoluted and unworkable monsters that people will HAVE TO start to work around to do their job. My favorite example was a security door that had an auto-shut mechanism and required workers to slip a keycard into a reader and punch in a 4 digit code every time they went through. Unfortunately, they had to go through this door CONSTANTLY, usually carrying heavy boxes.
How long do you think it took until a wedge held that door open? Not even 2 hours.
And people will not even have any kind of feeling of wrongdoing because they do it so they can do their work more efficiently. It's not like they circumvent the company firewall to go on Facebook or that they drill a tunnel to their home computer so they can listen to their iTunes library at work. They can perfectly justify their actions with being able to work better.
It's time we start to rethink this, people. It's time that we, as security professionals, do our job right. Perfect security is not a monumental work-denial monstrosity. Perfect security is invisible, because what the worker doesn't even notice, he also cannot fuck up.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Some people feel the need to open every email message that ends up in their inbox and click on the links
Some people will issue payments when requested to do so by email from someone who claims to be the CEO using an external email address that the email system has flagged.
There is only so much that technology can do. We live in a world where we have to empower users, and that means we need to be able to trust them at least a little bit.
You hit the nail on the head when you said users expect devices to just work like their entertainment system at home. Lol.
We had a flood prompting users at a location to move servers, switches, a copier, printers, and 20 PCs to a Holiday Inn conference room without notifying IT, AND EXPECTED everything to just work!
They were shocked and got irked when we laughed at them. What do you mean you can't just move a server, copier, and conference phones and have it NOT JUST WORK?! Apparently they think it's like home, where magic and DHCP work with any network with servers. They were shocked it was complex and had to call Holiday Inn's IT line and fly in a network engineer to get a VPN up to get everything to function.
Enterprise IT is very complex and not like home at all; regardless of IQ, users assume it's all simple like their basement.
I still remember the guy who called me at 3 AM because his code wouldn't compile. He'd visually checked his code and was sure it was correct, and he wanted me to drive in and fix the compiler. (I did no such thing, had a meeting with his boss the following day to discuss service levels. Turns out, the problem was in his code.)
The problem may have also been in the compiler if it didn't give clear enough error messages to help the programmer find where the problem in the code lay.