
Humans Not Evolved for IT Security

ScuttleMonkey posted more than 6 years ago | from the wait-it-guys-have-emotions? dept.

Security 302

Stony Stevenson writes to tell us that at the recent RSA Conference security expert Bruce Schneier told delegates that human beings are not evolved for security in the modern world, especially when it comes to IT. "He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved. This leads to people making bad choices. 'As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder.'"


302 comments

It's a fair cop. (0)

Anonymous Coward | more than 6 years ago | (#21103425)

We're all guilty as charged and you know it.

Where is the story? (0)

ArsenneLupin (766289) | more than 6 years ago | (#21103463)

Clicking on the link only gets me the intro. Where is the rest of the story?

Re:Where is the story? (0)

Anonymous Coward | more than 6 years ago | (#21103795)

Where is the rest of the story?
tldnr

Open letter to God (4, Funny)

EmbeddedJanitor (597831) | more than 6 years ago | (#21104353)

Better luck with Humans V2.0.

Anyway you should only trust Humans V1.0 after SP1 has been released.

Lets think about this. (1)

bigattichouse (527527) | more than 6 years ago | (#21103449)

So the modern equivalent is "What I can't see won't eat me" ... seems to be the same mistake. More likely, if 99.99% of your senses tell you that you are safe, then worrying about meteors or lightning strikes is a waste of energy. Plus you gotta think "selfish gene". If I *feel* "secur-i-ness", I can proceed with making babies... while you're so worried about lions, you fail to impress the ladies.

Re:Lets think about this. (2, Interesting)

Opportunist (166417) | more than 6 years ago | (#21103923)

So that's why my common sense tells me I don't need to hide under my bed from the bad, bad terrorists, it's just that I can't see them anywhere and not that it's overblown hype.

I'm kinda scared now.

Re:Lets think about this. (1)

lazy_playboy (236084) | more than 6 years ago | (#21104225)

No, no, it really is overblown hype ;-)

really (5, Funny)

snarkh (118018) | more than 6 years ago | (#21103455)

As a species we got really good at estimating risk in an East African village 100,000 years ago.

I wonder how many days would that guy last in an East African village 100,000 years ago.

Re:really (1, Informative)

Anonymous Coward | more than 6 years ago | (#21103497)

There were east african villages 100,000 years ago?

Probably (2, Insightful)

sharp-bang (311928) | more than 6 years ago | (#21103747)

There were in South Africa [about.com] anyway.

Re:really (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21103501)

I wonder how many days would that guy last in an East African village 100,000 years ago.

Or today for that matter.

Re:really (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21103577)

100,000 years ago, there were not massive bureaucracies dedicated to uttering total falsehoods, prevarications, and generally suppressing information. When agencies of the modern state exist only to generate fear and ignorance in the population can it really be a surprise "emotion" gets used instead of facts? Schneier, and others, who think humans are mal-adapted are either ignorant of human behavior and evolution, or simply (intentionally or not) shilling for the state.

Re:really (0)

Anonymous Coward | more than 6 years ago | (#21103665)

About as long as a white rich guy in Harlem after nightfall.

Re:really (4, Funny)

apparently (756613) | more than 6 years ago | (#21104065)

Last time I walked through Harlem, the hoodz said I had to fucking PROVE my wealth and whiteness before they would even consider robbing me. I showed them paystubs, my Discover card, even an ATM receipt, and still they doubted how rich I was! And don't get me started on the "white" thing, apparently they don't go by complexion any more, you gotta keep a DNA sample on you with a notarized letter from a scientist stating that he confirms your race.

Us white, rich folk never had it so tough.

Also, you really ought to be awarded with some sort of "waste of a condom" trophy.

Re:really (3, Funny)

Gabest (852807) | more than 6 years ago | (#21104053)

depends... raw, smoked or cooked?

do you want to check my shoes? (4, Insightful)

User 956 (568564) | more than 6 years ago | (#21103459)

He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved.

Which is why, a lot of times, you end up with security theatre [elliott.org], instead of real security.

Re:do you want to check my shoes? (5, Informative)

Kjella (173770) | more than 6 years ago | (#21104093)

And don't forget CYA security - security rules that aren't being followed and aren't being enforced either - but that exist solely so that when shit hits the fan, the bosses can say it was against policy. These are usually extremely draconian, impossible to implement or practically impossible to follow while getting work done. But hey, it looks good on paper...

Ms Abacha? (5, Funny)

Mr_Icon (124425) | more than 6 years ago | (#21103469)

Looking at the number of people falling for Nigerian scammers, I'd say that our ability to "estimate risk in an East African village" is not so hot either. :)

Re:Ms Abacha? (0)

Ravenscall (12240) | more than 6 years ago | (#21103491)

You, Sir, Win the internets.

Re:Ms Abacha? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21103575)

Nigeria is in west Africa you clueless faggot.

Re:Ms Abacha? (3, Funny)

nelsonal (549144) | more than 6 years ago | (#21103963)

But that's a west African village, totally different risk profile. Well played.

Duh (0)

Anonymous Coward | more than 6 years ago | (#21103473)

Technology evolved ten thousand fold in the last few hundred years. No species ever evolves that quickly.

Re:Duh (0)

Anonymous Coward | more than 6 years ago | (#21103531)

Fruit flies. Bacteria. Etc. Care to try again?

Humans Not Evolved for IT Security (5, Funny)

Daimanta (1140543) | more than 6 years ago | (#21103489)

Thank God I was intelligently designed for this kind of thing ;)

Re:Humans Not Evolved for IT Security (5, Funny)

gammygator (820041) | more than 6 years ago | (#21103639)

That's because in Soviet Kansas, nothing evolves...

Re:Humans Not Evolved for IT Security (1, Funny)

sm62704 (957197) | more than 6 years ago | (#21103819)

Thank God I was intelligently designed for this kind of thing ;)

Too bad Windows isn't.

Bad Analogies Abound (5, Interesting)

eldavojohn (898314) | more than 6 years ago | (#21103515)

"The brain is still in beta mode, it's got all sorts of patches and workarounds. It's not perfectly created, it's clearly evolved up."
Wow, just ... wow. I'm not even a biologist but I know that's a terrible analogy. You can't compare the brain to software. We can control software and decide when it 'goes live,' there are no prototypes in nature or evolution. Every attempt is an iteration of the process and the process is never ending. Furthermore, the existence of an absolute of 'perfectly created' is debatable on any level in regards to any process or system.

Exaggerate uncommon risks -- for example, air travel is safer than cars but because car accidents are common they are seen as less risky
Maybe because everyone involved in an airplane crash usually dies. Automobile deaths are much less. There's this idea of risk = probability * impact. In the case of automobiles, probability is high but the impact is low. It's the other way around in aircraft failures.

Personified risk -- Osama Bin Laden is scarier than a faceless threat
How in the hell does this relate to IT security? I think IT administrators are more afraid of the people they don't know hacking their systems than the people they actually employ doing the same. In the end, I'm sure more attacks come internally or from an ex-worker than someone unknown. Maybe the face you know should be more scary than the face you don't at the office?

Risks that could be controlled -- The DC sniper caused a few deaths but the response was way out of proportion.
Please elaborate, I know of the John Lee Malvo incident but I have no idea how this relates to IT security. Are you telling me that shutting down a system to protect a database from a possible threat or virus is overkill? I would respond with that varying on a case by case basis but at my job, offline databases are worth maintaining the integrity of the data inside them.

I know I'm really coming off as a jerk when I say this but I don't think this article helped me in any way. All I saw was someone oversimplifying a complex problem--thereby making them seem smarter to the people they were explaining it to.

Don't read this article, it has nothing to offer you. If you don't know this subject, I believe this article will only add to your confusion and lack of understanding.

Re:Bad Analogies Abound (5, Interesting)

SatanicPuppy (611928) | more than 6 years ago | (#21103715)

This is actually a hot psychological topic right now; humanity's tendency to poorly conceptualize risk. We're far more worried about diseases we're unlikely to catch, than ones we are. Plane crashes are scary because planes aren't familiar to most people; poor understanding of the risks magnifies fear. People always worry about the stereotypical malicious strangers, when most assaults come from people you already know.

I think mostly he's just pointing all this out as background to the tendency to poorly appreciate risk. He's basically saying, "People apply more worry to splashy things that aren't likely to happen, and therefore we have these huge data breaches because who cares about SSNs when the terrorists could be blowing up a nuke plant?"

The only place where I think he's totally off base is calling the brain "a patchwork". It's not, in fact. It's extremely finely tuned to do what we need it to do...It makes us ferociously competitive animals, and that is proven rather than disproven, by all the security problems that we've been having. If we weren't competitive, we wouldn't have problems. The fact that not everyone works at the same level is irrelevant.

Ah. (0, Flamebait)

Estanislao Martnez (203477) | more than 6 years ago | (#21103927)

The only place where I think he's totally off base is calling the brain "a patchwork". It's not, in fact. It's extremely finely tuned to do what we need it to do...It makes us ferociously competitive animals, and that is proven rather than disproven, by all the security problems that we've been having. If we weren't competitive, we wouldn't have problems. The fact that not everyone works at the same level is irrelevant.

Ah. So, unlike Schneier, you are both an evolutionary biologist and a neuroscientist. Thanks for setting the record straight.

Re:Ah. (1)

SatanicPuppy (611928) | more than 6 years ago | (#21104151)

I'm not sure what the hell you're talking about. Are you saying that B.S is an evolutionary biologist? I think he'd be a bit surprised to be so described, since as far as I know, his background is almost entirely compsci and crypto (and physics).

Mine on the other hand is primarily cognitive science, which, as it happens, does include a bit of neuroscience, more than enough to dispel the whole "patchwork" assertion. And while my formal training in evolutionary biology is somewhat lacking, I think the uncontestable claim that humanity is a competitive animal will be seconded by anyone with even the weakest background in biology.

Re:Bad Analogies Abound (1)

eison (56778) | more than 6 years ago | (#21104021)

Plane crashes are scary because we feel out of control. We overestimate our own competence, so if it feels like we have some control over a situation, we assume we can handle it.

Re:Bad Analogies Abound (3, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#21104249)

That's part of it, but you're still more likely to die in a bus or taxi accident, and they're not viewed with the same unreasoning fear though they also lack control.

We are all soothed by familiar routine. This is the purpose of disaster drills, so if your building does catch fire, your mind will move into that pre-built track, and move effectively, without being paralyzed by the need to act conflicting with the fact that you have no idea of what to do. Planes are not only outside our control, they're outside most people's experience, so an event which is no more significant than a bus running through a pothole, elicits a greater level of fear due to it being an unknown, rather than a familiar, occurrence.

Re:Bad Analogies Abound (3, Insightful)

Lurker2288 (995635) | more than 6 years ago | (#21104189)

In the sense that brains in general started off in a much simpler state with no need to handle many of the things it's currently capable of (binocular vision, manual dexterity, doing calculus) and it got to where it is one incremental improvement at a time, then yes, it most certainly is a patchwork. You can see it in the gross structure: you've got the reptilian hindbrain that keeps your body functioning in a narrow homeostatic envelope all the way at the bottom, atop which sits a cerebellum that allows for things like emotion (great for pair bonding and knowing to run away from big things with pointy teeth), and atop all of that you've got the cerebrum that enables most of your higher intellectual activity.

The fact that this magnificent hodgepodge seems to be so perfectly attuned to our needs is almost definitional, as well as being a kind of survivor bias. That is, our brains are great at what we need them to do precisely because they evolved to do those things; brains that were evolved to do other things, or that did the same things, but not as well as ours, died off. Schneier's point is that the modern world has changed a lot faster than our brains are able to, and as a result, we're maladapted for some of the tasks facing us today, like assessing remote risks.

Bad reporting? (1)

Estanislao Martnez (203477) | more than 6 years ago | (#21103843)

How in the hell does this relate to IT security?

If you read Schneier's regular blog [schneier.com], you'll see that he regularly talks about security topics in general, not just IT security. The tagging of this talk as being narrowly related to that may be a case of inaccurate reporting; given what Schneier regularly talks about, I'd have been surprised if his talk hadn't covered non-IT security topics.

Re:Bad Analogies Abound (1)

antifoidulus (807088) | more than 6 years ago | (#21104043)

Exaggerate uncommon risks -- for example, air travel is safer than cars but because car accidents are common they are seen as less risky

Maybe because everyone involved in an airplane crash usually dies. Automobile deaths are much less. There's this idea of risk = probability * impact. In the case of automobiles, probability is high but the impact is low. It's the other way around in aircraft failures.


Not to mention the whole "I'm such a good driver I can get out of any jam" mentality. Whether true or not, many people think that when they are in a car they are skilled enough to avoid accidents, however in an airplane once that door closes you have about 0 control of your destiny till the plane touches down. That bothers a significant number of people.

Fossils = biological_prototypes + time; (1)

Scrameustache (459504) | more than 6 years ago | (#21104331)

"The brain is still in beta mode, it's got all sorts of patches and workarounds. It's not perfectly created, it's clearly evolved up."
Wow, just ... wow. I'm not even a biologist but I know that's a terrible analogy. You can't compare the brain to software. We can control software and decide when it 'goes live,' there are no prototypes in nature or evolution. Every attempt is an iteration of the process and the process is never ending.
Not even a biologist? Are you not even a programmer either? Every attempt of a stable build is an iteration of the process and the process is never ending!

Sexual reproduction decides when the organism goes live, and marketing decides when the product goes live.

Re:Bad Analogies Abound (1)

Relic of the Future (118669) | more than 6 years ago | (#21104413)

Why can't we compare software to cognitive processes? It's a common analogy, and I'm surprised you haven't run into it before. Also, "every attempt is an iteration of the process and the process is never ending," which you claim as an example of how evolution is not like software, is a perfect match to how security software (actually, a lot of software) is written these days.

Also, while there are many non-fatal car crashes, more people do DIE in car crashes than in plane crashes, but "fear of dying in a plane crash" is still more prevalent than "fear of dying in a car crash." And that is nonsensical.

It's the money (3, Interesting)

ZonkerWilliam (953437) | more than 6 years ago | (#21103521)

As an INFOSEC person, I see this kind of mentality on a daily basis. Still, there is a realization of the costs of outages due to attacks and that I see. Slowly but surely it's changing. Compared to evolutionary changes tho, it's a blink of an eye.

Stupid. (4, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#21103539)

We're not evolved for space flight either. You can't apply "evolution" as a blanket to tool use at the level we've taken it; we have evolved a capacity for abstract thought which allows us to create highly complex tools...Saying that we're not evolved to assess risk on a level as abstract as this is disingenuous...When was the last time a virus jumped out of your computer and ate you? There is no evolutionary pressure involved with such intellectual pursuits.

It's perhaps more accurate to say that only a few people are capable of truly understanding this stuff at all, and for the rest it's just black magic. Of course they don't appreciate the risk. I guess B.S was trying to find a rational reason why people just categorically don't understand security when applied to technology, but I think it's more just that they're doing well to be able to use the tech at all. We're going to have to have a lot higher skill level among users before we can expect them to truly appreciate security.

Re:Stupid. (1)

aztektum (170569) | more than 6 years ago | (#21104007)

I haven't read the article yet, but I have a feeling your comments would echo my own. I'd add too that, it's not that your average user can't grasp the concepts, but they haven't been "conditioned" to. We fall back on what we know and Windows, as the OS with the most penetration, has worked for over a decade without requiring gramps and auntie em to jump through hoops.

Trying to change the mindset of millions of users is not something that will happen overnight.

Re:Stupid. (2)

tkinnun0 (756022) | more than 6 years ago | (#21104401)

We're not evolved for space flight either.
Yet millions of people go to space everyday? Or perhaps a space flight to the ISS requires months of preparation precisely because we truly aren't evolved for space flight.

Microsoft causes evolutionary regression (1)

slashdotlurker (1113853) | more than 6 years ago | (#21103551)

Finally, it's official. 'nuff said.

We don't need to evolve (1)

Lucas123 (935744) | more than 6 years ago | (#21103565)

In many ways, we need to go back to square one. We need to teach ethics to the younger generation. Hackers and phishers will always remain one step ahead of the security community in developing new methods to bypass security measures. The problem is, we should have to erect so many virtual walls. The real question we should be asking ourselves is: why is this behavior acceptable -- even lauded at times?

Re:We don't need to evolve (1)

SatanicPuppy (611928) | more than 6 years ago | (#21103941)

I would argue that there is no "evolution" that we can make as a species that will cause this problem to go away...It's a problem of software, not hardware.

Teaching people ethics isn't going to help though...If we could just teach everyone to be nice, we'd have done it a long time ago. Millennia of evolution have taught us about competition for scarce resources, and that expresses itself in all kinds of anti-social behaviours, and it always has. Sure, the instinct to protect the herd is in there as well, but I'd argue that we've been a lot more successful at suborning that instinct. In many people it only seems to express itself in times of extreme stress.

Re:We don't need to evolve (1)

pla (258480) | more than 6 years ago | (#21104391)

We need to teach ethics to the younger generation.

Which will accomplish what exactly?

You can't make everyone into a paragon of virtue, no matter how hard you try. And it only takes a few to prey on the rest (reducing the number of scammers would just increase the profitability per scammer).



why is this behavior acceptable -- even lauded at times?

Because the same behavior in other contexts has largely beneficial effects (even though it offends the establishment - Though that in a way makes it more, not less, desirable).

The same cryptographic skills that let Random Bad Guy get into your bank account also let DVD-Jon defeat various mechanisms for denying people unfettered access to content they have legally purchased. The same firewall piercing technology that allows botnets to work from a home LAN also allow VOIP and most online games to work behind a firewall.

so what? (4, Insightful)

AxemRed (755470) | more than 6 years ago | (#21103581)

We aren't specifically evolved to do algebra either, and we (well, many of us) do a decent job at that. Humans are evolved to learn and adapt.

Re:so what? (1)

apt142 (574425) | more than 6 years ago | (#21103767)

Well some of us can adapt. Some of us are just dumb.

Go down to your local street corner and see how many people can solve the simplest of equations. I'm guessing you wouldn't get a high percentage of people who could. And we've been teaching algebra in schools for a long time. It's a requirement in my state to pass Algebra to graduate high school.

Re:so what? (2, Funny)

apparently (756613) | more than 6 years ago | (#21104193)

Go down to your local street corner and see how many people can solve the simplest of equations


Well, for any equations where the solution is "go fuck yourself!", "I got somethin' you can solve, sugah!", or "no seriously, go fuck yourself" the subjects in my test study pass with flying colors.

Re:so what? (4, Insightful)

kebes (861706) | more than 6 years ago | (#21103901)

We aren't specifically evolved to do algebra either, and we (well, many of us) do a decent job at that. Humans are evolved to learn and adapt.
Absolutely. But Schneier's point is not that it is impossible for humans to think rationally about IT security, but that it does not 'come naturally' to the average person. The same is true of algebra and other branches of mathematics: humans in general have very advanced knowledge in these areas, but it is still quite easy to construct a mathematical problem that will trip up a layperson, because most people are not formally trained in mathematics, and will incorrectly invoke "common sense" when solving a problem.

The fact is that humans have an in-built "threat and probability analysis" system that was optimized to deal with "real world" situations like searching for food, avoiding predators, finding mates, etc. It is for this reason that gambling "works." People are easily tricked into believing that they can "beat the system" or "find a pattern." They believe that having rolled many sixes recently, they are "due for a 1 or a 2" even though the probability of rolling a particular number on a die is independent of previous rolls. This is because most of our in-built probability estimators assume chains of events are causally linked (which is a reasonable assumption in the "real world"--i.e. if it's been a long time since it has rained, it is indeed "due to rain soon").

In the realm of security, Schneier identifies certain assumptions that our minds make, which are actually fallacies when it comes to modern security (e.g. that a commonly occurring risk is less important than a rare risk).

We are not "built" to deal with modern security. As with advanced math, rather than rely on common sense (and its associated useless rhetoric) to set security policy, we need to have detailed arguments citing well-documented studies. We can indeed rise above our "programming," but far too many people don't bother trying--and continue to rely on common sense even when it is a demonstrably poor predictor.

Smith (5, Funny)

pete-classic (75983) | more than 6 years ago | (#21103615)

"Only human."
--Agent Smith on IT security

Not evolved for security? (0)

Anonymous Coward | more than 6 years ago | (#21103627)

My brothers Smith and Wesson would beg to differ.

Phhhh ... (2, Informative)

foobsr (693224) | more than 6 years ago | (#21103629)

... if it really must be Schneier, read: "Why the Human Brain Is a Poor Judge of Risk" (Wired [wired.com]), but better immediately turn to Kahneman.

CC.

oversimplified (1)

sharp-bang (311928) | more than 6 years ago | (#21103647)

I disagree with the use of the term 'evolution' to discuss the inadequacy of emotional responses to threats. People can be successfully trained to overcome these issues. As a security professional, I know my spidey-sense has altered considerably over the years due to training and experience, and I would think that others in fields where risk assessment is all in a day's work have largely had the same experience, and, to a certain extent, this is extensible to the population at large. (For example, I find that younger employees are typically a lot more savvy about safe online usage than older employees, which is not a matter of evolution, but acculturation to technology.) The evolutionary advantage of rationality outweighs the primacy of fight-or-flight responses in trained individuals.

This looks to me like another misquoted/misunderstood Bruce Schneier sound bite. Not much to see here.

daphuture (1)

cthulu_mt (1124113) | more than 6 years ago | (#21103655)

I'm estimating my risk in an East African village 100,000 in the future. Forget about London.

Well... (1)

Estanislao Martnez (203477) | more than 6 years ago | (#21103659)

Schneier is neither an evolutionary biologist nor a neuroscientist. Why is his bad opinion on these matters news?

because people want the easy way (4, Insightful)

hobo sapiens (893427) | more than 6 years ago | (#21103677)

People want the easy way. Security and "the easy way" are often at odds.

Case in point...I was in a hospital ER the other day, waiting in the room (for a very long time), and I looked at the computer in the room. I noticed that someone affixed a sticker to the keyboard tray with (presumably) the Windows domain login info. Had I wanted to, I could have logged in and probably gotten to all kinds of medical records. Someone from the hospital's CIS department would probably poop a brick if he saw that.

People are lazy, and security folks constantly have to toe the line between making things hard enough to be secure but not so hard that it's just easier to find the loopholes.

Re:because people want the easy way (1)

Jasin Natael (14968) | more than 6 years ago | (#21104025)

I can one-up you on that. I recently saw a security system control panel with the four-digit PIN code written in permanent marker on the plastic housing near the LCD display, and clearly labeled as such: "Security Code: 1-1-1-1". To make it even worse, the panel directly faces the unreinforced glass doors used for the business's main entrance, and is clearly legible from outside the building.

Thanks Bruce, but call us when you're qualified (1, Informative)

SIIHP (1128921) | more than 6 years ago | (#21103699)

"Originally from New York City, Schneier currently lives in Minneapolis, Minnesota. Schneier has a Master's degree in computer science from American University and a Bachelor of Science degree in physics from the University of Rochester. Before Counterpane, he worked at the United States Department of Defense and then AT&T Bell Labs."

I don't see anything about "behavioral psychology" or "evolutionary biology" in there.

So, sorry Bruce, but you're not qualified to make that statement with any authority, and frankly, your position as an expert on security should make you more wary of voicing lay opinions about subjects in which you have no expertise.

Re:Thanks Bruce, but call us when you're qualified (3, Insightful)

NeutronCowboy (896098) | more than 6 years ago | (#21103879)

So, sorry Bruce, but you're not qualified to make that statement with any authority

You're making the mistake of judging the validity of a claim based on the person's authority. Even Wikipedia, your favorite source, has info on that. Just make sure to read the article in its entirety. Your comment would in fact be far more helpful if it would actually dissect his theory. Because, quite frankly, if we're going by authority as the prime criterion for when anyone should say anything, you'd only be allowed to talk about the lint in your navel.

No I'm not (0, Troll)

SIIHP (1128921) | more than 6 years ago | (#21103947)

I'm judging his statements based on his expertise. He has none. That's not "authority" by any measure.

His "authority" never entered the equation.

So you're wrong, and you're trolling me because I proved you wrong previously.

Re:No I'm not (3, Funny)

NeutronCowboy (896098) | more than 6 years ago | (#21104285)

Wow. You truly are entertaining. Here, have some more rope. I'm sure you can find an entertaining way of hanging yourself again.

It must get tiring you being constantly wrong (-1, Troll)

SIIHP (1128921) | more than 6 years ago | (#21104333)

Since when is repeatedly proving you wrong "hanging" myself?

And is that what your final gambit is these days, lose a debate then pretend that you're letting someone "hang" themselves.

Look up "authority" then look up "expertise" then realize you're wrong and slink away defeated.

Again.

SIIHP (0)

Anonymous Coward | more than 6 years ago | (#21104407)

Hm, my troll detector just went off. dharbee [slashdot.org] ? Is that you?

Re:No I'm not (1)

Chandon Seldon (43083) | more than 6 years ago | (#21104349)

I'm judging his statements based on his expertise. He has none. That's not "authority" by any measure. His "authority" never entered the equation.

That's exactly how a (fallacious) argument from authority is usually constructed.

You can't reliably judge an argument on the basis of the perceived expertise of the speaker, since it's entirely possible that they may know more than you think.

Re:Thanks Bruce, but call us when you're qualified (0)

Anonymous Coward | more than 6 years ago | (#21103951)

I'm pretty sure your bio won't include any qualifications to pass judgment on him, either.

Re:Thanks Bruce, but call us when you're qualified (0, Troll)

SIIHP (1128921) | more than 6 years ago | (#21104009)

"I'm pretty sure your bio won't include any qualifications to pass judgment on him, either."

I AM A FULLY QUALIFIED BEHAVIOR ANALYST.

So you'd be wrong troll, how much does it hurt?

Re:Thanks Bruce, but call us when you're qualified (1)

spottedkangaroo (451692) | more than 6 years ago | (#21104165)

I AM A FULLY QUALIFIED BEHAVIOR ANALYST.

Welcome to my sig.

(I'm posting this part because the lame "lameness" filter won't let me post a direct quote.)

Re:Thanks Bruce, but call us when you're qualified (1)

SIIHP (1128921) | more than 6 years ago | (#21104237)

Are you? In some places it's illegal to claim you are if you aren't. Be advised.

Just read his blog (0)

Anonymous Coward | more than 6 years ago | (#21104155)

He's officially hung up his cryptographer's hat, and is now somehow qualified to critique the TSA and all sorts of related "real-world" security issues.

Err... (0)

Anonymous Coward | more than 6 years ago | (#21104231)

You do realize that, outside of biology, evolution is usually used metaphorically, right?

Anyhow, whether or not evolution has anything to do with it, his fundamental point is one about security. Something he DOES have a lot of expertise in.

The fact is that we're VERY bad at estimating risks we don't understand. The behaviors we fall back on, wherever they come from, don't serve us very well at all. We're terrible at worrying about the things that are very likely to hurt us and good at working up a fuss over ridiculous and stupid things.

How much money and how much trouble have we expended to go after terrorists? But how few people have they killed? It won't please anyone, but if we spent that money fighting something ordinary, say heart disease (#1 killer, last I knew), we might actually save more lives.

Not very emotionally satisfying, though, because people feel strongly that we need to do something, anything, to protect ourselves from terror. Even if it doesn't make any sense. This is why we now take off our shoes in airports, etc.

Hey AC! (1)

SIIHP (1128921) | more than 6 years ago | (#21104307)

"You do realize that, outside of biology, evolution is usually used metaphorically, right?"

YOU do realize that in this case, WE ARE ACTUALLY TALKING ABOUT BIOLOGY, RIGHT?

I see why you posted AC.

No, we are simply taught the reverse. (2, Insightful)

Zombie Ryushu (803103) | more than 6 years ago | (#21103707)

I don't think that's the case. I think it's just that culturally we fear what we don't understand and are being taught to be stupid and proud of it. Biology and evolution have nothing to do with it. We can learn these concepts we just willingly refuse to for religious and ideological reasons.

Re:No, we are simply taught the reverse. (1)

Chandon Seldon (43083) | more than 6 years ago | (#21104375)

I don't think that's the case. I think it's just that culturally we fear what we don't understand and are being taught to be stupid and proud of it. Biology and evolution have nothing to do with it. We can learn these concepts we just willingly refuse to for religious and ideological reasons.

Human culture has evolved right alongside human physiology. I'm not sure that there's any benefit to trying to distinguish between them at this level of discussion.

His arguments are logical, but... (1)

sm62704 (957197) | more than 6 years ago | (#21103719)

He's a security guy, not a biologist. His list (I must not be well today, I'm actually RTFAs) is correct; e.g., 3000 deaths this century in the US from terrorism and 40,000 every single year on the highways, but OMG ITS TEH TERRAISTS!

However, although he's well versed on security his grasp of evolution is even slimmer than mine, and I'm no biologist, either. The only way evolution would come into play would be if computer security had the effect of killing us before we had children. Clearly, the security of your home PC is NOT going to keep you from procreating. In fact, considering the stereotype of us nerds it's arguable that knowing how to secure a PC is counter to evolution! After all, evolution is all about getting laid.

I'll demonstrate with two real people: me, and a woman I know.

It is possible that I have a lot of kids in Asia I don't know about, but for the sake of argument let's say I only have the two girls that came from my ex-wife's uterus.

Both of my children are living, and grown. Neither has children of their own.

Linda, OTOH, had 14 kids, 13 of which are still alive. She trumps me in the evolution game 13 to 2. I lose, she kicks my ass in the Darwin game. But she can't even boot a computer, and while Bruce Schneier could likely root my box with impunity, I built the damned thing from spare parts.

There is no possible way to "evolve" computer security. Schneier should stick to computers and shy away from fields in which he isn't an expert.

-mcgrew

Re:His arguments are logical, but... (1)

ObsessiveMathsFreak (773371) | more than 6 years ago | (#21103949)

Linda, OTOH, had 14 kids, 13 of which are still alive. She trumps me in the evolution game 13 to 2.

I'm almost certain that this can be shown to be a fallacy. Natural selection is an ongoing process. If you're a one trick pony, in this case, lots of children, then you have many offspring, but they all are more likely to be "specialists" not "generalists", and will be less adaptable.

Anyway I note that
a) Linda's large family is less likely to be down to genetic factors than it is to social or cultural factors. and
b)

It is possible that I have a lot of kids in Asia I don't know about

Linda's "mass production" strategy may not in fact be as intensive as your own,

Re:His arguments are logical, but... (2, Funny)

Jasin Natael (14968) | more than 6 years ago | (#21104107)

There is no possible way to "evolve" computer security.

Then, it sounds like we need a lethal, compulsory video game with a computer security theme.

Re:His arguments are logical, but... (1)

sm62704 (957197) | more than 6 years ago | (#21104229)

If I had mod points today I'd mod that funny, but alas today all my comments are being modded "flamebait" and "troll". The Microsoft, DEA, MAFIAA, and Sony employees must have mod points today. My karma was excellent this morning, it's probably in the shitter now.

Or maybe today's mods are familiar with my old stuff [kuro5hin.org] .

-mcgrew

Just an excuse (4, Insightful)

Kohath (38547) | more than 6 years ago | (#21103761)

Security solutions have to be designed around usability. If usability isn't the #1 or #2 consideration, it will increase the failure rate of the humans involved and you'll end up with an insecure system in practice regardless of the technical merits of the security methods.

Security is the least of it. How about Democracy? (1)

victorvodka (597971) | more than 6 years ago | (#21103783)

The crude animal impulses present in the vast bulk of humanity are masked by the accumulation of accomplishments by extremely rare geniuses. Skim off the top 1% of creative freethinkers, and humanity wouldn't be all that different from any other species on this planet. Our feelings about what is or is not secure are easy to game with scary stories and special effects. Our desire to live peacefully in a democracy can quickly be overwhelmed by a relatively small threat, such as by a group of underfunded Islamic crazies living in a cave with a shoebox full of box cutters and 19 airplane tickets. It wouldn't take much of a jujitsu move for an effective terrorist to scare the bulk of the American people to quickly decide that fascist rule was in their interest. Humanity's easily-meddled-with irrationality is our Achilles Heel. For example, since 9Eleven America has turned away many brainy and creative people who used to contribute to our greatness. Now those people go elsewhere, making other places great.

What a pile of carp (4, Interesting)

Roadkills-R-Us (122219) | more than 6 years ago | (#21103799)

The real problems are, in no particular order:

1) A lot of people are either stupid or uneducated.
2) A lot of people don't bother to think.
3) A lot of people are sheep and believe what they're told by marketing.
4) A lot of people are lazy.

I guarantee you this covers the vast majority of the problems with IT security. It's not biological evolution, though you could make a good argument for societal devolution being the problem.

Re:What a pile of carp (1)

cthulu_mt (1124113) | more than 6 years ago | (#21103891)

A short, unoriginal list...I guess you fall under #4.

Re:What a pile of carp (3, Funny)

Frozen Void (831218) | more than 6 years ago | (#21104041)

You forgot:
5. Building an insecure system from the ground up and expecting the users to fix it.

Glad I outsourced security to microsoft! (0)

Anonymous Coward | more than 6 years ago | (#21103803)

What with their careful patch scrutiny that ensures things like, oh I don't know, windows desktop search, doesn't get auto downloaded by all my 500 computers, bypassing the policies on the wsus. It's the little things that make me glad I work in a microsoft (tm) security (tm) world (tm) where nothing can possiblie go wrong!

Is there anything...? (2, Insightful)

Otter (3800) | more than 6 years ago | (#21103809)

Is there anything on which Bruce Schneier is not an expert? Now he's an expert on evolution? I'm not sure why he thinks his knowledge of cryptography qualifies him to hold forth on every freaking subject on the planet.

in other news (0)

Anonymous Coward | more than 6 years ago | (#21103823)

research shows that humans are not evolved for
unassisted flight
long periods without oxygen
sustainably conducting large amounts of electricity
only drinking pure arsenic
only inhaling pure chlorine
living in magma

maybe stories like this stand better as support for the idea that we could not have been intelligently designed. if we were, why would we waste time writing or reading articles like this?

Worse: humans evolved against security (1)

MeditationSensation (1121241) | more than 6 years ago | (#21103837)

Witness the post-it notes under the keyboard to remember a password. :-)

Stupid Crap (1)

TrappedByMyself (861094) | more than 6 years ago | (#21103867)

I guess people are running around in some sort of Darwinian intellectual enlightenment these days. I've been seeing bad evolution and artificial intelligence references all over the place recently. It's only a matter of time until some jack-off writes about a darwin 2.0 semantic web.

Anyway...the issue with security isn't that people aren't "evolved" enough to use it, it's just that the solutions presented to the masses are garbage. You don't implement something in a way which makes it difficult to use, then say that people are just too dumb to use it. The solutions need to evolve, not the people.

Re:Stupid Crap (1)

tomstdenis (446163) | more than 6 years ago | (#21103957)

I think it's the opposite. I think most people are capable of advanced lines of thought, they just choose not to because to them it's work.

Like, if they have to use a password that is hard to guess [er, remember] then they look at the service as "unfriendly." If they have to wrap their minds around trivial concepts like public and private keys, then the solution is too hard (honestly, if you can't figure out public/private keys you're probably operating on the mentality level of a severely retarded 8 yr old).

I'm sorry, but at the age of 14 I was capable of figuring out on a high level how RSA worked. I didn't understand all of the math, but I at least got the idea that the private key decrypts what the public key encrypts, how to distribute them, etc. And that was almost 12 years ago when PGP was less commonplace.

We have technology that can trivially encrypt/sign your emails, like pgp and enigmail. Just people refuse to spend the 15 mins it takes to learn the software because *throws up hands* it's too hard. Face it, people are lazy, deceitful creatures that seem to blame everyone but themselves for their shortcommings. (and yes, I misspelled that word because my browser failed to correct for me!).

Tom

Re:Stupid Crap (4, Interesting)

Quiet_Desperation (858215) | more than 6 years ago | (#21103969)

which makes it difficult to use, then say that people are just too dumb to use it.

That always amazes me to this day.

IT GUY: Your PC is insecure.
AVERAGE JOE: I don't really know how to properly secure it.
IT GUY: Dumbfuck.

Yeah, great approach. Gosh, why don't we teach kids that way?

TEACHER: What's 147 divided by 7?
FIRST GRADER: You haven't taught us division yet.
TEACHER: Dumbfuck.

Re:Stupid Crap (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21104373)

More like this:

IT GUY: Please use a secure password. Try using a phrase you're familiar with, and stick in a couple of numbers and special characters. It's good to use at least 16 characters.

USER: Look, can I just leave it empty, so I can hit the button and log in?

IT GUY: No. Look, just pick a line from a poem or something. Stick a number or two in. That's good enough.

USER: Why do I have to log in all the time! You guys are a pain in the ass.

IT GUY: I'll make it easy for you. Pick a secure password or I'll lock your account and file a complaint with your supervisor.

USER: IT NAZI!

That's how it goes in most organizations...

So evolution is the deciding factor? (1)

Opportunist (166417) | more than 6 years ago | (#21103975)

Time to get rid of planes (not snakes, just the planes), frozen yoghurt and tv. I can't see how any of that is in our genetic makeup. If we should fly, I'm sure we'd have evolved some wings by now.

Old News (1)

scruffy (29773) | more than 6 years ago | (#21103999)

This sounds like what's in his 2003 book, Beyond Fear.

I suppose we need the repetition though.

News flash (0)

Anonymous Coward | more than 6 years ago | (#21104113)

In other news, Slashdot readers have not evolved for relationships with the opposite sex, leading to a re-evaluation of evolution as an origin to the species. Creationism is being evaluated as a viable alternative.

It's not about where or when you are... (0)

Anonymous Coward | more than 6 years ago | (#21104163)

... it's about the nature of the risk.

We're good at noticing things that are imminently threatening to kill us. It's - unusual, at least - to see people voluntarily putting themselves in the way of obvious, physical harm.

Threats like identity theft or fraud, however, are much less tangible, and they don't have the same impact on our brains.

We're hardwired by evolution, for example, to avoid a heavy moving object, whether it's a rhino or a car. There is no comparable aversion mechanism that instinctively steers us away from Nigerian e-mails - that's something that has to be learned specially.

Just give it a couple 10,000 years (1)

rrohbeck (944847) | more than 6 years ago | (#21104255)

On the other hand, why *should* we evolve for IT security? It's not like there's a Darwin Award waiting for the dumbest user or admin. There's no evolutionary advantage for comp sec aware folks... unless we start creating some, like opening up safety related systems to the wild. Mmmm, how about wireless interfaces to the internal networks of cars, or to household appliances like gas stoves? Or the charge circuitry of Li-Ion batteries? That'll teach the noobs.

This explains many of the "solutions" out there (1)

damn_registrars (1103043) | more than 6 years ago | (#21104265)

Consider how many of the IT solutions for the mass market work right now:
  • Your expensive OS has security flaws that you can drive a mack truck through? Patch it or buy the new version of the same.
  • Your mailbox is flooded with special offers on discount viagra? Install a spam filter to block the messages.
  • Oops, the filter isn't catching the newer offers for discount software? Update the filter or buy the newest version of the same.
  • Oops, the filter isn't catching the new stock offers that are flooding your inbox now? Another update, of course.
When of course, these all have much better solutions, if only people actually worked on the source of each respective problem. Hint, it's not filter / firewall rules.

Bad Science (1)

Ezekiel38 (1057860) | more than 6 years ago | (#21104267)

"The brain is still in beta mode, it's got all sorts of patches and workarounds. It's not perfectly created, it's clearly evolved up." If your brain is so imperfect and patchy, and you know so little about it, why should anyone listen to your opinion? You're using your own beta-mode noggin' to whip up a bunch a baloney, and you recklessly throw it out with such certain authority. Shameful.

Brain Vista (1)

mindwanderer (1169521) | more than 6 years ago | (#21104283)

"The brain is still in beta mode, it's got all sorts of patches and workarounds. It's not perfectly created, it's clearly evolved up." See, even God uses Windows.