Bruce Schneier Talks Brain Heuristics and Security

CowboyNeal posted more than 7 years ago | from the just-because-you're-paranoid dept.

Security 83

ancientribe writes "Bruce Schneier is at it again: the security icon shares his latest research and insight on the interplay between psychology and security in this article in Dark Reading. The focus of Schneier's latest research is on brain heuristics and perceptions of security, which may be the basis for the best-selling author's next book. His goal for the topic, which he'll be presenting at the RSA Conference next week, is to focus on how people think, and feel, about security, and how neuroscience can help explain how our perception of risk doesn't always match reality."

83 comments

Its all in your.. (3, Funny)

scoot80 (1017822) | more than 7 years ago | (#17852604)

head.. as a matter of fact.. this reply is all in your head too.. it doesn't exist..

Re:Its all in your.. (3, Insightful)

Dark Kenshin (764678) | more than 7 years ago | (#17852784)

I think that's the general synopsis of the book. If you really, really, really believe you are secure, then you are... till you get hit by a bus or something.

A slightly different analogy. (1)

khasim (1285) | more than 7 years ago | (#17853428)

You really really believe your wife is monogamous ..... then she's busted in a prostitution sting. With your best friend. And now she wants a divorce. And she'll take 1/2 of everything you own.

Re:A slightly different analogy. (3, Funny)

MillionthMonkey (240664) | more than 7 years ago | (#17853642)

He's got herpes. She doesn't. They take VALTREX to keep it that way. So her neocortex is all hot for him. But her amygdala isn't convinced. Because he has herpes.

Re:A slightly different analogy. (0)

Anonymous Coward | more than 7 years ago | (#17855482)

*LOL*

I tend to believe that people take Valtrex so they can continue sleeping around without using protection while eliminating the risk of a partner noticing their open sores. I mean, how'd they get herpes in the first place?

Re:A slightly different analogy. (1)

MillionthMonkey (240664) | more than 7 years ago | (#17855704)

I tend to believe that people take Valtrex so they can continue sleeping around without using protection while eliminating the risk of a partner noticing their open sores. I mean, how'd they get herpes in the first place?

That's assuming they have it. Smart people take Valtrex so they can start sleeping around without using protection while eliminating the risk of a partner giving them herpes in the first place. But of course, the pharmaceutical industry lacks the balls to produce the obvious commercial, and prefers to delude itself with talk of wholesome couples instead.

Re:A slightly different analogy. (1)

Sique (173459) | more than 7 years ago | (#17856218)

I got mine at age five. So what? :)

Re:Its all in your.. (1, Interesting)

aeoo (568706) | more than 7 years ago | (#17853882)

Ultimate security cannot be guaranteed through protection from ill will. Once ill will has formed, there is insecurity already.

The best path is to prevent ill will from forming. That is done by convincing the disenfranchised people that they are cared for.

Re:Its all in your.. (1)

kfg (145172) | more than 7 years ago | (#17853108)

I just saw Cypher. Don't mess with me.

KFG

Encryption and ease of use. (4, Insightful)

Kelson (129150) | more than 7 years ago | (#17852656)

At one point in the article, Schneier comments on email encryption:

"Over the years, no one used encryption" in email, he says. "It had nothing to do with the technology," but instead the ease of use, he says.

This is a good example, because encryption is in common use on the web. To the end user, using a website over an SSL or TLS connection is no different from using one in the clear. It's almost too easy, which is why browsers have lock icons, color changes, and "You are leaving a secure site!" messages.

Of course, the problem is slightly different, since HTTPS is all about protecting a client-server connection from eavesdropping, not protecting the data itself. Once the data reaches the server, the server is entirely capable of doing something boneheaded with it like saving it in plain text in index.html. Similarly, data sent to the client can easily be printed out and left face up on the car seat.

Client-server connections are easy to deal with, because the only people that need to manage them are the software developers and the admins managing the server. Similarly, it's trivial for an end-user to send/retrieve mail using a TLS-encrypted SMTP, POP3, or IMAP connection.

Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity.

Re:Encryption and ease of use. (3, Interesting)

Em Adespoton (792954) | more than 7 years ago | (#17852950)

The interesting thing about this is that I tend to at least use digital signatures now, and started for one big reason:

I have to enter my passphrase before I send something I might regret. This has been a boon to me on innumerable occasions. It means I send fewer emails than I otherwise would, but I don't tend to send anything I'll regret years down the road.

Re:Encryption and ease of use. (1)

maxume (22995) | more than 7 years ago | (#17853578)

It will be interesting to see if it is too late already. Most people aren't interested in the fuss and bother of managing an identity (and it might be a chore to make the difference between an address and a signature clear), and at this point, there are many, many, many emails that people are going to regret down the road, so perhaps the end result will be that social mores will evolve a bit, where people aren't taken to task for stuff they did 15 years ago.

Re:Encryption and ease of use. (0)

Anonymous Coward | more than 7 years ago | (#17856774)

Funny thing is I tend to be overly cautious in communicating and yet I'll still send boneheaded things from time to time. Wish there were better lameness filters for me. Luckily on slashdot I can just post anonymously and then if it turns out I was being a moron no one will know/care (especially since I tend to post late in the discussion so no one sees it anyway :)

Re:Encryption and ease of use. (4, Insightful)

owlstead (636356) | more than 7 years ago | (#17853170)

"Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity."

That, and email encryption is mostly done either through soft-certificates or - more commonly - through PGP. There are hardly any mail systems that integrate PGP, although they are available as an add-on. Even so, I believe the user interface is still much harder than e.g. websites with SSL. Also, as you rightly said, end users not only have to manage a digital identity, most of the time they have to handle the other person's digital identities as well. E.g. here at home I cannot verify any signatures that I can verify on the computer at my work, because I do not have an up-to-date certificate store.

Of course there is also SSL with client side authentication. Although this is very useful for B2B transactions (web services), you will hardly see any uses for end users. Even though both Mozilla and IE have built-in support (although the Mozilla version tended to be broken for a pretty long time, and the IE version also has its fair share of problems).

Re:Encryption and ease of use. (1)

h4ck7h3p14n37 (926070) | more than 7 years ago | (#17855304)

"Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity."

I have to disagree with this statement since end users could use a notary to manage this identity. Specifically, I'm thinking of a website that allows users to send and read encrypted messages. One would create an account on the site which would then generate the necessary cryptographic keys; the user could then send encrypted email by using the website. The website would also manage other peoples' keys for the user.

I haven't entirely thought this idea through, but I'm not aware of anyone having attempted such a thing.

Re:Encryption and ease of use. (1)

caveymon (939902) | more than 7 years ago | (#17859188)

I haven't entirely thought this idea through, but I'm not aware of anyone having attempted such a thing.

Hmm, well, I've been in touch with a company in the Netherlands, http://www.nedsecure.nl/ [nedsecure.nl] who offer pretty much what you're suggesting.

Transparent email encryption through a webserver/webmail portal. So you can send encrypted messages to your clients, they get a notification mail, and can check the mail you sent online. Bit cumbersome perhaps, but well, technology probably improved from back in nov-2005 that I saw these guys at some InfoSecurity convention.

Unfortunately, the site seems to be Dutch only, but Dutch ain't too different from English, with some imagination ;)

Re:Encryption and ease of use. (1)

gr8dude (832945) | more than 7 years ago | (#17858252)

E.g. here at home I cannot verify any signatures that I can verify on the computer at my work, because I do not have an up to date certificate store.

You can use a cryptographic provider [dekart.com] that can store the certificates and the keys on some sort of media (ex: token, smart card or USB drive). When there is a need to use the certificate, the application will ask you to connect your smart card (or whatever it is that you chose to use).

Note: This works with Windows only.

Re:Encryption and ease of use. (1)

owlstead (636356) | more than 7 years ago | (#17867822)

Oh, the same thing exists for Linux as well. PGP has support for smart cards, as does GPG. The problem is that the certificates of the other users won't be on the smart card, and that the computer you are working on needs to have hardware and middleware installed to use it. Smart cards make things more secure, but not easier to use.

Re:Encryption and ease of use. (1)

gr8dude (832945) | more than 7 years ago | (#17872052)

The tool I mentioned can store the data on a USB flash disk, all you need is a USB port; at least half of the problem is fixed.

All the email clients on my computers are configured to leave the messages on the server for a few days. Once I receive a digitally signed email from a friend, that email will be received by all the computers, therefore the credentials of the other party are available.

And if that doesn't help - the CA should make everyone's data available in a public directory.

MUA makes a big difference. (1)

Kadin2048 (468275) | more than 7 years ago | (#17854228)

I think everything you say is true, but a big part of the problem is that most people's mail-user-agents are set up with encryption as an afterthought, rather than as a core feature. When users have their email set up to use encryption from the very beginning, from the moment that they're issued their computers by their employer, they use it.

The environments where I've seen the heaviest use of encryption are Lotus Notes shops, because Notes was basically designed around encryption. Granted, it uses some strange proprietary public-key scheme (although Steven Levy in "Crypto" alluded that it was developed with some support by the NSA, as one of the earliest commercial ones), but it's totally transparent to the user. Public keys are all managed by the Domino server, and all the user has to do to send an encrypted or signed message is check a box.

Now, there's some sample bias there; most of the places I've seen that use Notes, are also the kind of places that are interested in encryption, and tend to have more technically-oriented employees that are more comfortable with encryption (anecdotally, I've heard that the CIA is a big Notes shop, as are some other USG agencies), but I think how the MUA is designed has a big impact.

It won't be until MUAs are designed around encryption that people will want to use it, but it's not until people want to use encryption, that most MUAs will really pay attention and make encryption a seamless, core feature -- and more importantly, that corporate sysadmins will roll out encryption and key management right along with their mail servers.

Re:Encryption and ease of use. (1)

RAMMS+EIN (578166) | more than 7 years ago | (#17857046)

``Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity.''

That _could_ be really easy, though. Just one idea for how to do it: when you configure your mail client, it generates a PGP key pair for you (or allows you to specify one), which it publishes on subkeys.pgp.net. Add a widget somewhere that allows you to select signing, encryption, both, or neither. Now everyone can use PGP.

The real question is why so few mail clients, even web-based ones, support PGP. I was shocked to find that even Thunderbird doesn't support it out of the box.
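The two posts above describe the same problem from both ends: owlstead cannot verify at home the signatures that verify at work, because the home machine has no current store of other people's keys, and RAMMS+EIN imagines a client that generates the user's own key pair on first configuration. The following is an added example, not code from this thread or from PGP, GPG, Thunderbird or any product mentioned here. It uses Go's standard-library Ed25519 as a stand-in for PGP keys; the `Keyring` and `Identity` types, the `Publish` step and the addresses are assumptions made for the example. The point it shows is that verification fails closed on a machine that has not been given the sender's public key, which is the part of "managing a digital identity" that SSL on the web hides from end users.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keyring stands in for a per-machine store of other people's public keys,
// indexed by e-mail address. The type is an assumption made for this example.
type Keyring map[string]ed25519.PublicKey

// Identity is the key pair a mail client would generate for its own user on
// first configuration. Ed25519 is used here as a stand-in for a PGP key.
type Identity struct {
	Address string
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewIdentity generates a fresh key pair; the private half stays inside the struct.
func NewIdentity(address string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Address: address, Public: pub, private: priv}, nil
}

// Sign returns a detached signature over the message body.
func (id *Identity) Sign(body []byte) []byte {
	return ed25519.Sign(id.private, body)
}

// Publish models the one-time step of handing the public key to a correspondent
// (keyserver upload, key attached to a mail); here it just fills the keyring.
func (id *Identity) Publish(kr Keyring) {
	kr[id.Address] = id.Public
}

var (
	ErrUnknownSender = errors.New("no public key for sender in local keyring")
	ErrBadSignature  = errors.New("signature does not verify")
)

// Verify checks a signed message against the keys this machine knows about.
// With no key for the sender there is nothing to verify against, so the
// message is treated as unverified rather than silently accepted.
func (kr Keyring) Verify(from string, body, sig []byte) error {
	pub, ok := kr[from]
	if !ok {
		return ErrUnknownSender
	}
	if !ed25519.Verify(pub, body, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	alice, err := NewIdentity("alice@example.com")
	if err != nil {
		panic(err)
	}
	body := []byte("Meeting moved to 15:00.")
	sig := alice.Sign(body)

	work := Keyring{}
	alice.Publish(work) // the work machine has been given Alice's key
	home := Keyring{}   // the home machine has not

	fmt.Println("work:", work.Verify(alice.Address, body, sig))
	fmt.Println("home:", home.Verify(alice.Address, body, sig))
	body[0] ^= 1 // one flipped bit in transit
	fmt.Println("tampered:", work.Verify(alice.Address, body, sig))
}
```

The same message verifies on the machine that holds the key, is reported as unverifiable on the one that does not, and is rejected outright once the body is altered. Syncing the keyring between machines, or publishing keys in a directory as a later post suggests, is what turns the middle case into the first.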

Obligatory (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17852766)

Rob Schneider is... neurosurgeon!

I Loved Him In Deuce Bigalow (-1, Offtopic)

Real World Stuff (561780) | more than 7 years ago | (#17852828)

Not in *that* way...

Tag !schneider (1)

Nesetril (969734) | more than 7 years ago | (#17852842)

I am tagging this story !schneider.

That word. . . (4, Funny)

Skadet (528657) | more than 7 years ago | (#17852942)

Bruce Schneier once again is turning security on its head -- literally.

That word. . . I don't think it means what you think it means.

Re:That word. . . (2, Informative)

poopdeville (841677) | more than 7 years ago | (#17853176)

Please look in a dictionary. Only one of the five to six meanings for the word 'literal' is opposite in meaning to 'figurative.' The rest are orthogonal. Indeed, the primary and secondary definitions are "conforming to the exact meaning of words",[1] and adverbial forms of 'real', 'factual', and 'unembellished'.

Really, it's good that you paid attention in high school. You learned a lot of great rules of thumb that will help you avoid making grammatical errors. But they're just rules of thumb. They don't make you qualified to correct other people's errors in domains in which the rules you learned don't apply.

[1] Before you throw a hissy fit about the use of the words 'exact' and 'meaning,' read this. [wikipedia.org]

Re:That word. . . (3, Funny)

rkanodia (211354) | more than 7 years ago | (#17853328)

So your validity-seeking tweed jackets propose that the word 'literally' has no semantic content. I can't wait to hear other ways in which emergent online paradigms can synergistically leverage new value-adding phenomena!

Re:That word. . . (1, Informative)

poopdeville (841677) | more than 7 years ago | (#17853650)

Did I say that?

There are plenty of perfectly good uses for the word 'literally'. I counted 6 when I looked in my dictionary.

The "tweed jackets" (nice flamebait there, by the way. I happen to wear tweed every day) have shown that one of the commonly used meanings for the word is vacuous. To paraphrase Wittgenstein, the meaning of a phrase is in its uses. And this possibly figurative meaning can be perfectly exact. Ergo, a phrase can be meant literally and figuratively at the same time.

Re:That word. . . (1)

kv9 (697238) | more than 7 years ago | (#17857098)

Ergo, a phrase can be meant literally and figuratively at the same time.

Schroedinger's cat[chphrase]?

*whoosh*

Re:That word. . . (1)

RAMMS+EIN (578166) | more than 7 years ago | (#17856682)

IANAMD (I Am Not A Marketing Droid), but I think the answer has something to do with AJAX and Web 2.0.

Re:That word. . . (1)

Mprx (82435) | more than 7 years ago | (#17853398)

So if "literal" doesn't mean "literal" anymore, what word should we use instead. I oppose the degradation of language.

Re:That word. . . (1)

poopdeville (841677) | more than 7 years ago | (#17853952)

Keep using 'literal' if you want. Like I said, the rules of thumb we all learned aren't wrong. They're just incomplete.

Re:That word. . . (0)

Anonymous Coward | more than 7 years ago | (#17855284)

Can you explain what significance "literally" actually means in this sentence, then? I'll buy that it's not wrong but it does seem spectacularly useless if that's the case.

The sensible meaning would be the modern slang use of "literally" as meaning "strongly", but you imply that there's an actual dictionary meaning which makes sense here.

Re:That word. . . (1)

poopdeville (841677) | more than 7 years ago | (#17856382)

Presumably, "exactly in accordance with the meaning of the phrase" or the adverbial form of 'unembellished'. Context makes me think the latter was intended, but you make a case for either (especially since the two are already closely related). Note that the latter is also similar to an intensifier, like 'strongly.' However, there is a crucial difference. Consider:

"The cat was very sleepy" and
"The cat was literally dying to sleep".

Obviously, in the first case, 'very' acts as an intensifier, intensifying 'sleepy'. The second sentence contains no intensifiers -- the work of making the sentence sound like an exaggeration is done by the phrase "dying to sleep." This is figurative language, but we should know that "dying to sleep" means something along the lines of "very sleepy". The 'literally' in the second sentence tells us that "The cat was very sleepy, and that is no exaggeration".

Schematically, given a phrase P, let M(P) denote a phrase with the same meaning in the context in which P occurs. Then the sentence "Bob is literally P" means the same thing as "Bob is M(P), and I mean that exactly in accordance with the meaning of the phrase M(P)." Tricky -- I don't like trying to divide meaning up into equivalence classes of phrases like this. But I hope you catch my drift.

I would tend to agree that 'literally' is more-or-less useless. It definitely doesn't do the work our high school teachers intended, except in very narrow contexts (like English class). It's about as useful as 'very' and 'really'. If you look up 'very' in the dictionary, you'll see that its secondary meaning is 'truly.' 'Really's primary meaning is 'truly', though I hope you can now see why it can seem to act (be used) as an intensifier.

Re:That word. . . (1)

Skadet (528657) | more than 7 years ago | (#17860518)

Okay, so I took your advice and looked in a dictionary. Likely nobody but you will see this, but for posterity's sake. . .

Wordnet says (and if Princeton isn't good enough for you, then I don't know what else to say):
Noun

* S: (n) misprint, erratum, typographical error, typo, literal error, literal (a mistake in printed matter resulting from mechanical failures of some kind)

Adjective

* S: (adj) actual, genuine, literal, real (being or reflecting the essential or genuine character of something) "her actual motive"; "a literal solitude like a desert"- G.K.Chesterton; "a genuine dilemma"
* S: (adj) literal (without interpretation or embellishment) "a literal depiction of the scene before him"
* S: (adj) literal (limited to the explicit meaning of a word or text) "a literal translation"
* S: (adj) literal (avoiding embellishment or exaggeration (used for emphasis)) "it's the literal truth"

Could you point out to me which of those definitions fits the article's usage?

Re:That word. . . (1)

poopdeville (841677) | more than 7 years ago | (#17869098)

Any of the first, second, or fourth are appropriate interpretations. Of course, the three are very closely related. See this analysis [slashdot.org] , based on the American Heritage dictionary, as used by Answers.com [answers.com] for an explanation.

Re:That word. . . (2, Funny)

vertinox (846076) | more than 7 years ago | (#17853478)

Actually, security is a man named Steve at the front desk. Bruce has been getting him in a head lock and pile driving him in a wrestling move during the company get together.

Re:That word. . . (1)

Michael Woodhams (112247) | more than 7 years ago | (#17853628)

He's changing the direction of (turning) security, taking as fixed* what goes on in people's brains. It is pretty close to literal - the main problem being that it isn't (as implied by the phrase) security's head but rather the heads of people needing security. I think you'll find the journalist has a paid-up poetic license for this sort of minor stretch of truth (even though it doesn't rhyme.)

* That is 'immovable', not 'repaired'.

Re:That word. . . (1)

Darxon (955152) | more than 7 years ago | (#17853690)

Dane Cook meets Mandy Patinkin!

It's just the usual social engineering (1)

elucido (870205) | more than 7 years ago | (#17855778)

I think everyone already knows that humans are always the weakest link in security.

Bruce Schneier is my homeboy (5, Funny)

bigredradio (631970) | more than 7 years ago | (#17852954)

More facts about Bruce. http://geekz.co.uk/schneierfacts/ [geekz.co.uk]

Re:Bruce Schneier is my homeboy (1)

TheDreadSlashdotterD (966361) | more than 7 years ago | (#17853752)

I love that site. He's the cryptographic Chuck Norris.

Re:Bruce Schneier is my homeboy (0)

Anonymous Coward | more than 7 years ago | (#17855448)

classic one: When he was three, Bruce Schneier built an Enigma machine out of Legos.

Random Bruce Schneier fact! (0, Redundant)

Anonymous Coward | more than 7 years ago | (#17852972)

Perception (5, Interesting)

bwthomas (796211) | more than 7 years ago | (#17853016)

Part of the problem is with our perception of probability. We see it mathematically, but we still expect cause and effect rather than randomosity. Most users will say things like "why would someone monitor me," not realizing that there's usually no direct causal relation between who they are and interest others might have in their information, and the question is better put, "how probable is it that someone like me might be monitored."

In other words, we feel relatively safe in a crowd. We are completely visible, but because we cannot see why someone would single us out as unique, we feel obfuscated. All the while not realizing that it's more opportunity than it is causality.

This is why we feel safe sharing information on websites like myspace, or using our credit cards over insecure wireless connections, because we believe that because everyone else is engaging in this fundamentally insecure behavior, we have safety in numbers. No one will read our blog for information about our identity, no one will try to use our amazon account to buy electronics.

But they will, with a probabilistically determined frequency.

Re:Perception (2, Insightful)

Yartrebo (690383) | more than 7 years ago | (#17853142)

We also have a major bias towards catastrophic risks that we have no control over, as opposed to mundane risks that we think we have control of.

Take the risk of getting wiped out by an asteroid vs. the risk of getting framed and sent to prison. The former is far less likely (less than 1 in a million), but it also gets people a lot more scared. Your odds of being framed and sent to prison are greater than 1 in a 100 over a lifetime (at least in the USA, the odds are far lower in countries with lower incarceration rates), but it doesn't evoke the same kind of fear.

Re:Perception (1)

maxume (22995) | more than 7 years ago | (#17853614)

Your odds of being framed and sent to prison are greater than 1 in a 100 over a lifetime

That's a rather extraordinary claim. Do you have extraordinary evidence to back it up with? [overcomingbias.com]

Re:Perception (1)

jonadab (583620) | more than 7 years ago | (#17857780)

The other poster is merely confused, not deliberately making that kind of extraordinary claim. The figure he presumably *intended* to quote is that 1 in 100 prisoners was convicted improperly -- a figure I have seen numerous times before (usually in conjunction with poorly constructed arguments against capital punishment, of the kind often seen in high school "persuasive" English papers and on usenet). While the figure is probably exaggerated, it is conceivable, at least vaguely plausible, and not nearly so extraordinary as the way he stated it. It's also totally irrelevant to what Schneier is talking about, but this is slashdot, so you expect a certain amount of that.

Re:Perception (1)

Yartrebo (690383) | more than 7 years ago | (#17942970)

No, I believe that you do indeed have a better than 1 in 100 chance of spending some jail time for a crime you didn't do. About 0.7% of the population is in jail at any one time and over 10% of the population has been sent to prison at least once in their lives. If only 10% of people convicted were innocent, then you get your 1 in a 100.

Your odds vary greatly based on where you are, how rich you are, your gender, your race, your political connections, and other factors, with poor black males in inner cities far above 1 in 100 and white rich females having a much lower than 1 in 100 chance of a false conviction in a lifetime.

Re:Perception (1)

jonadab (583620) | more than 7 years ago | (#17946406)

> over 10% of the population has been sent to prison at least once in their lives

Where on earth do you live? Los Angeles?

In any case, that is certainly not true around here. In small-town Ohio, I doubt if 1% of the population, never mind 10%, has ever done time in prison. I believe 10% is higher than the proportion who have been inside a prison even to visit. I do know a guy who *works* at a prison, and I know several men who have been into prisons at one time or another as part of a ministry... but we're talking way less than 10% of the population here, and these are people who go into the prison voluntarily and come back out the same day.

I can't prove these numbers, but I'm confident they're much closer than yours, at least around here.

Re:Perception (1)

Yartrebo (690383) | more than 7 years ago | (#18001314)

I live in NYC, and yes, the inner city people and people of certain colors (black and hispanic mainly) are far more likely to spend time behind bars than people in small white towns. Even in NYC, middle class whites are unlikely to land in the slammer, but it only takes a few neighborhoods with 50%+ rates to skew the figures.

Re:Perception (1)

jonadab (583620) | more than 6 years ago | (#18038864)

> I live in NYC

Oh. I'm sorry. I didn't mean to be insensitive.

Good points, poor example though. (1)

Kadin2048 (468275) | more than 7 years ago | (#17855892)

You make good points, but I think you should be more careful about your examples. Saying that you have a 1 in 100 chance of being 'framed and sent to prison,' is hardly supportable; saying that you have a 1 in 100 chance of going to prison might be (if on average 1 in 100 people end up there).

But that's still a poor example, because that's a controllable risk. People don't get as upset about it as they do plane crashes or terrorism, because they feel like they have some level of control over the outcome. "Well, hey, I'm not going to prison, because I'm not going to [commit any crimes|get caught]." Therefore, they minimize that (very real) risk, and concentrate on slimmer ones which appear to be outside their control.

Re:Perception (2, Informative)

Sique (173459) | more than 7 years ago | (#17856298)

The same can be said about the terrorism panic. It's still more likely to choke on a fishbone and die than to be hit by a terroristic attack. For Germany [pop. 80 mio] there are about 700 reported dead each year because of choking on a fishbone. I wonder if the number of all Germans ever dying during a terroristic attack since 1947 has ever reached 700.
And the perception still gets it wrong if two risks are very similar: Think about the craze because of the H5N1 bird flu. Worldwide we have now ~200 people who died because of H5N1. Each year the number of people dying of whatever flu is currently going around is in the millions. For Germany the estimations are between 10,000 and 20,000.

Re:Perception (1)

mutterc (828335) | more than 7 years ago | (#17863124)

about 700 reported dead each year because of choking on a fishbone

Shhh! If word gets out, the government might spend trillions of dollars in a War On Fish...

Not just knowing the imbalance is there... (1)

oKAMi-InfoSec (1043042) | more than 7 years ago | (#17853212)

The last part of the article poses a critical question that deals with the fact that our perception of security may not be in sync with the logic of security:

How can security customers make sure they don't make bad security decisions that are based on incorrect perceptions?

Schneier says he doesn't know if you can change brain chemistry for this. "My belief is that making you aware of it goes a long way," he says. "If you can understand you are just reacting from fear, you have a better shot at...understanding these human biases. Hopefully you can short-circuit them and improve on them and make it so we are not slaves to this," he says. "Fear is brain chemistry, but so is reason. We have to figure out how reason can trump fear."

Besides just knowing that this imbalance is present, reliance on:

  • thorough planning
  • critical thinking
  • testing and verification
  • cold hard facts...

all go a long way towards improving the likelihood that we will follow logic and not emotion.

Re:Not just knowing the imbalance is there... (1)

jonadab (583620) | more than 7 years ago | (#17857816)

Either that, or you could let your android science officer make the decision.

Re:Perception (0)

Anonymous Coward | more than 7 years ago | (#17853416)

Part of the problem is with our perception of probability.

This is also why I never go swimming in the ocean alone. Sure, I can be attacked by a shark, but under the assumption that one person will be attacked and then alert everyone else to its presence (in which case they can all escape), I feel more secure with more people around.

Re:Perception (1)

h4ck7h3p14n37 (926070) | more than 7 years ago | (#17855380)

A very common comment that I hear from people regarding computer security is, "we're not a target". This of course assumes that crackers select their targets based on some criteria other than they can hit your system over the 'net. Sadly, it's been my experience that when such a person's system is compromised they just want it brought back up and the particular exploit that was used remedied.
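What "we're not a target" looks like from the defender's side of the log is the counter-evidence to the comment above: many unrelated sources each making a handful of login attempts, most against accounts that do not exist on the host, which is the signature of untargeted scanning rather than of someone who chose this system. The following is an added example, not code from this thread. The sshd-style log lines are constructed for the example (addresses are from the RFC 5737 documentation ranges), and the thresholds in `LooksOpportunistic` are an assumption, not a standard.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sshd-style log excerpt; not taken from any real host.
const sampleLog = `Feb  1 03:12:07 mail sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb  1 03:12:09 mail sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Feb  1 03:14:41 mail sshd[2215]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Feb  1 03:14:43 mail sshd[2215]: Failed password for invalid user test from 198.51.100.23 port 40114 ssh2
Feb  1 03:20:02 mail sshd[2240]: Failed password for invalid user oracle from 192.0.2.99 port 33000 ssh2
Feb  1 03:20:05 mail sshd[2240]: Failed password for root from 192.0.2.99 port 33002 ssh2
Feb  1 03:25:17 mail sshd[2261]: Accepted publickey for deploy from 198.51.100.5 port 50220 ssh2
Feb  1 03:31:50 mail sshd[2280]: Failed password for invalid user admin from 203.0.113.44 port 61002 ssh2
`

// failedRe matches password failures. The optional "invalid user " marker means
// the account does not exist on this host: the sender is guessing, not aiming.
var failedRe = regexp.MustCompile(`Failed password for (invalid user )?(\S+) from (\S+) port`)

// FailedLogin is one parsed failure.
type FailedLogin struct {
	User    string
	Source  string
	Invalid bool // the account does not exist locally
}

// ParseFailedLogins extracts password failures; successful logins and other
// lines are ignored.
func ParseFailedLogins(log string) []FailedLogin {
	var out []FailedLogin
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := failedRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		out = append(out, FailedLogin{User: m[2], Source: m[3], Invalid: m[1] != ""})
	}
	return out
}

// Summary aggregates failures per source and counts guesses at non-existent accounts.
type Summary struct {
	Total            int
	InvalidUser      int
	AttemptsBySource map[string]int
}

func Summarize(events []FailedLogin) Summary {
	s := Summary{AttemptsBySource: map[string]int{}}
	for _, e := range events {
		s.Total++
		if e.Invalid {
			s.InvalidUser++
		}
		s.AttemptsBySource[e.Source]++
	}
	return s
}

func (s Summary) DistinctSources() int { return len(s.AttemptsBySource) }

// MaxPerSource is the busiest single source; a targeted attacker concentrates,
// a scanner spreads a few attempts over many hosts.
func (s Summary) MaxPerSource() int {
	peak := 0
	for _, n := range s.AttemptsBySource {
		if n > peak {
			peak = n
		}
	}
	return peak
}

// LooksOpportunistic is a deliberately simple heuristic (thresholds are an
// assumption for this example): several unrelated sources, none persistent,
// at least half of the guesses aimed at accounts this host does not have.
func (s Summary) LooksOpportunistic() bool {
	return s.DistinctSources() >= 3 && s.MaxPerSource() <= 5 && s.InvalidUser*2 >= s.Total
}

func main() {
	s := Summarize(ParseFailedLogins(sampleLog))
	sources := make([]string, 0, len(s.AttemptsBySource))
	for src := range s.AttemptsBySource {
		sources = append(sources, src)
	}
	sort.Strings(sources)
	for _, src := range sources {
		fmt.Printf("%-16s %d failed attempts\n", src, s.AttemptsBySource[src])
	}
	fmt.Printf("%d failures from %d sources, %d against non-existent accounts; opportunistic: %v\n",
		s.Total, s.DistinctSources(), s.InvalidUser, s.LooksOpportunistic())
}
```

Run against a real auth log the picture is usually the same: the host was hit because it answered on port 22, not because anyone picked it. The same summary flipped the other way (one source, dozens of attempts, all against real accounts) is the case where "they chose us" actually holds and deserves a different response than patching the one exploit that got in.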

Re:Perception (1)

RAMMS+EIN (578166) | more than 7 years ago | (#17856694)

You, sir, seem to have hit the nail on the head.

Do you perchance also have an insightful explanation of why we should be _worried_ about Them monitoring us?

Re:Perception (0)

Anonymous Coward | more than 7 years ago | (#17859134)

"randomosity"?

I don't think that word means what you think it means. I think you should choose your words more strategerically and find something more cromulent.

In the future, I'd recommend: randomness

5 tough user-space factors (5, Insightful)

G4from128k (686170) | more than 7 years ago | (#17853076)

I see five factors that make the user-space side of security so hard.

1. Incentives: Most people, especially employees, don't face personal consequences when their PC is infected or the company database gets pwned.
2. Rarity: Most people see security problems as something that happens to someone else. That so few breaches are publicized only enhances the belief in the low likelihood of problems.
3. Hubris: Most people believe they know what they are doing.
4. Boredom: Ask a person to be careful too many times in the face of a relatively low-probability event and they become trained to click "Yes, Install."
5. Sociality: Most people are nice and assume that other people are nice too. They hold the door open for the social engineering intruder, they click on the "cool link", they open email that looks like it might be from someone important. Malware creators prey on our desire to "do the right thing."

Some of these five are easier to address but some reflect deeper realities about being human.

You mean, Bullshit in Bullshit out. (0, Troll)

twitter (104583) | more than 7 years ago | (#17853962)

Some of these five are easier to address but some reflect deeper realities about being human.

And all but one of them have the same solution, Education.

  1. Incentives. This is the odd man out because punishing the victim does nothing for anyone. Disconnecting an identifiable problem on a public network should not be thought of as punishment but can serve as an incentive to fix the problem.
  2. Rarity. Bullshit. One in four computers is part of the botnet.
  3. Hubris. Bullshit. This attitude was created by commercial software vendors who have also made it impossible to secure computers by closing their code off.
  4. Boredom. Bullshit. The user should have a trusted repository of community verified software, like the Debian community provides. Being bored should not kill your computer.
  5. Sociality. Bullshit. People are nice and should be. Mouse links should not kill your computer. Proper training in the workplace makes employees not only more helpful but less likely to help out your mythical intrusion expert. See Bullshit #2 for why intrusion is stupid - why break in when you can remotely own the company's desktop.

With proper education people will get rid of their insecure operating systems and the net will be a safer place for all of us. As the millions of happy Mac, Linux, BSD and other OS users can attest, it's not the user's fault. They have to be given the correct tools, correctly configured in an easy to use way instead of the booby traps that M$, Dell, HP and others sell.

"If you can understand you are just reacting from fear, you have a better shot at understanding these human biases. Hopefully you can short-circuit them and improve on them and make it so we are not slaves to this," he says. "Fear is brain chemistry, but so is reason. We have to figure out how reason can trump fear."

People react to what you tell them. As long as commercial vendors continue to bullshit people, bullshit will come out.

Re:You mean, Bullshit in Bullshit out. (1)

Xenographic (557057) | more than 7 years ago | (#17854894)

> Boredom. Bullshit. The user should have a trusted repository of community verified software,

Half of the security problems we face today are because users don't know who to trust.

Me? I'm only safe because I hate the popular but stupid crap and am far too lazy to even try new software until I've heard something about it from several people I respect and I have some reason to believe it doesn't contain any nasty surprises (i.e. spyware or adware). I'm also so anti-advertising that the one time I saw a pop-up a few months back (I let down noscript for just a second and the blasted site launched Java which launched IE which visited some exploit site) that I ran an immediate spyware scan and caught the bastard thing before it even finished installing.

Sadly, I don't think I can convince anyone else to be paranoid enough to stay even marginally safe.

Re:5 tough user-space factors (1)

holywarrior21c (933929) | more than 7 years ago | (#17855030)

True, let me tell you I almost tried to log in on a fake PayPal phishing site. I receive email with links to such sites so often I just delete everything from PayPal. I am glad I was using Firefox, which warned me that this site might be a phishing site.

"how many credit card numbers and social security numbers out there?" I am from Korea and when I was in the United States, my American friends were using a Korean social security number generator to sign up for the Lineage2 beta and Tantra, Guild Wars, etc. Very surprised. I told them to pick the ones over age 70.

Re:5 tough user-space factors (1)

firewrought (36952) | more than 7 years ago | (#17863022)

I see five factors that make the user-space side of security so hard.

6. Difficulty: Security is hard and unintuitive. How many scams--both online and offline--rely on duping people's epistemology? ("Yeah, I'm a cop. Call this number on the back of my badge to verify.") We're really quite bad at it, and even worse: computers make it especially difficult to tell where a piece of data is really coming from. Did that urgent security pop-up come from Windows, or is it just a GIF on the current website? You and I know (perhaps because we understand that multiple "people" [e.g., processes] are saying different things on our screen), but this stuff is impossible for some people (perhaps because they just see one "person"--the computer).

Re:5 tough user-space factors (1)

travwend (1046596) | more than 7 years ago | (#17869872)

That's why most IT people have such a mean exterior. Maybe if I intimidate the users I'm responsible for, they'll think twice the next time they're being complacent. Okay, not the first time, but that's where the intimidation factor comes in; that's why I said the "next" time.

"Old news" (1, Funny)

Anonymous Coward | more than 7 years ago | (#17853084)

When one of the reporters asked for a copy of Mr. Schneier's notes during the presentation, he handed her two pages of ciphertext.

Re:"Old news" (1)

oostevo (736441) | more than 7 years ago | (#17854454)

All kidding aside, this guy came to speak at my college. I got a seat in the second-to-front row well before the presentation started. The school photographer came up to him to ask him to sign a silly little photography release so he could take photos. He signed it, stared at the poor guy, and said, "I want three copies of this, okay?"

The poor photographer nodded meekly.

True story.

OT (your sig) (1)

jonadab (583620) | more than 7 years ago | (#17859108)

> In soviet russia, You ask not what country do for you, but what you do for country!

Wouldn't that be, "In Soviet Russia, your country ask not what it can do for you!"?

fear and power (2, Interesting)

wall0159 (881759) | more than 7 years ago | (#17853186)

Seems to me it would be good if more people understood the ways that their gut reaction to fear is often incorrect. It would at least make it harder for politicians to manipulate the populace.

It was interesting how Schneier said "you can feel secure even if you're not" - maybe this is also known as herd mentality.

Re:fear and power (1)

maxume (22995) | more than 7 years ago | (#17853790)

I get the impression that he is talking more about locked doors with glass windows and security theater than he is talking about herd mentality.

Hopefully you haven't been reading Niven.

Re:fear and power (1)

jonadab (583620) | more than 7 years ago | (#17858090)

Locks on glass doors are not entirely without value.

In a home setting, breaking the glass will make a significant racket. That's not good protection (except insofar as it makes your case with the insurance company more straightforward) against theft that occurs while you're away on vacation for three weeks, or even at work during the day, but it *is* useful against petty break-ins when you sleep at night. Indeed, if the thief is thinking (which, granted, is not always the case) he would probably pick a lock rather than break the glass in that scenario.

In a corporate setting, I wouldn't try to protect anything really sensitive with locked glass doors, but if you have non-glass internal doors that lock at night, you can reasonably protect something non-critical, such as a lobby area, with locked glass doors. Indeed, the high visibility from the street created by the glass might in some cases be more valuable than the locks, but you still want the locks, for several reasons: to protect against thieves too stupid to think of the idea of breaking the glass (yes, there are some), to protect against those too smart to break the glass for small gain (just make sure getting into the lobby *is* small gain), to increase prosecutability of anyone who gets caught while trying to break into the rest of the building, and to make your case with the insurance company more straightforward. Locks are fairly cheap, so even small benefits can justify them.

But yes, when you have glass doors, you have to be aware of the fact that they're made out of glass, and plan your security precautions appropriately.

Re:fear and power (1)

maxume (22995) | more than 7 years ago | (#17858300)

People lock their doors and feel safe. They should merely feel safer. That's what I was talking about.

Re:fear and power (1)

jonadab (583620) | more than 7 years ago | (#17869744)

People lock their doors and feel safe. They should merely feel safer. That's what I was talking about.

Oh.

To be perfectly honest, we practically never lock the doors at my house, and I do feel safe. Not that I am not aware of various possible crimes which potentially could be committed -- on the contrary, I am fully aware that those things could happen, or for that matter that the house could burn down, or any number of other dire potentialities. Nonetheless, I feel safe. Nothing has ever happened to me worse than junior high phys ed class, and while there are all manner of things that potentially *could* happen, any given one of them probably won't, and I'm not really worried about it.

Of course, we'd probably lock the doors if we lived in a bigger city, or if we didn't have Puff [blogspot.com] .

Re:fear and power (1)

maxume (22995) | more than 7 years ago | (#17869882)

That's fine. I'm talking about feelings directly related to locking the door; that you have peace of mind otherwise is great and probably sane, but in my experience, there are people who actually feel unsafe when the door is unlocked, and then feel safe when it is locked. The emotional investment in and gross overestimation of the effects of the lock demonstrate that many people do a poor job of analyzing security. Sure, the lock has good effects, but most doors aren't sledgehammer proof, which is worth actually realizing, even if that threat is vanishingly small.

It isn't a huge problem, and I find the scare mongering present in stuff like "It Takes A Thief" ridiculous, but it stinks that it is a pain to fly and so forth, mostly because people are in fact so overreactive to their feelings. It was useful to shit your pants and run when it was a tiger (maybe...), today, not so much.

"Security Theater" -- necessary after all? (0)

Anonymous Coward | more than 7 years ago | (#17854556)

Unfortunately TFA was pretty meatless, even though this is a meaty subject.

Schneier has often written against "Security Theater", the stuff that's all for show with not much actual security benefit, like half the BS we go through at the airport.

But now that he's talking about how our sense of security is part rational and part *feeling*, maybe Schneier would admit that we have a psychological need for some of the theater.

Maybe we needed those National Guard troops manning the airports after 9/11 after all. Not for any rational benefit (there was none), but because it made (some) people *feel* safer. It was our politicians' way of saying "we're on it".

Security and Linux (0)

Anonymous Coward | more than 7 years ago | (#17854638)

Well, it's a bit off topic, but as security people might be reading this, I have a question to ask. It's actually prompted by the comment on email.
I would like to lock down my (and my partner's) use of the web and our data.

My partner uses Windows (due to a requirement to use MS Office at the moment - and no, OpenOffice won't do).
So I'm planning to use
1) TrueCrypt
2) Roboform
3) SyncBackSE
and a 4 GB USB storage key.

We plan to generate different passwords for each site.
My partner needs to use Outlook email for the moment.
So do people have other setups they recommend? For Windows? I would like to use Linux actually, but would prefer to use close to the same techniques on both platforms if I can, to make my life easier (TrueCrypt of course runs on both).
Can anyone point to any great sites on setting up encryption in Outlook? What about Linux email?
I actually use Google mail mostly now and use the web interface... is there a way of encrypting mail that way?

Any info appreciated.... (I'm thinking of posting this as an Ask Slashdot question, but I have yet to get one posted, so I thought I would try here!)

Thanks

People TRUST programs with a LOCK as their icon (1)

wwnexc (1029180) | more than 7 years ago | (#17856006)

Why do people trust complex programs with colorful symbols and logos more than a simple Linux command, where you know what is going on?

Re:People TRUST programs with a LOCK as their icon (2, Insightful)

jonadab (583620) | more than 7 years ago | (#17858226)

> Why do people trust complex programs with colorful symbols and logos more
> than a simple linux command, where you know what is going on?

Because end users *don't* know what's going on.

It's not a question of trusting something complex and inscrutable (proprietary security software) versus something simple and straightforward (open-source command-line software), but more a case of trusting something complex and inscrutable that looks well put-together and comes from a well-known maker, versus something complex and inscrutable that looks arcane and comes from nobody in particular.

Spend some time around end users, trying to understand their problems. It won't enable you to solve the problems, but it will help you understand what we're up against.

The New Science of Change (2, Informative)

screeder (851027) | more than 7 years ago | (#17859840)

For what it's worth, I wrote an in-depth look at the neuroscience of the brain and its impact on people's ability to change for CIO magazine here: http://www.cio.com/archive/091506/change.html [cio.com] .

Primate psychology (1)

Master of Transhuman (597628) | more than 7 years ago | (#17865092)

is all you need to know to understand "security".

Chimps are afraid of each other. So any time any chimp does anything, it's automatically fear time for everyone else.

As I've said many times before, humans work like this: "If you're right, I'm wrong. And if I'm wrong, I'm dead - and that can't be allowed. So I'm right and you're wrong. And if necessary, you're dead."

It's that simple.
