Usable Security

Useless security?
(this is what came into my mind when I read your blogs title, sorry…)

In my opinion, you must not sacrifice security for usability. Any attemt to do so will usually undermine your whole security concept.
Think of Windows - it should have never allowed you to login as Administrator in first place, that is one of the main reasons for windows virus problems.

But you are right, people need to talk to each other. The usability people need to understand where to integrate security into the processes, and the security people need to talk to the usability people on how to make secure but usable authentication schemes.

The schemes in Linux are often very nice, IMHO. Take a Ubuntu Linux box. You login as your user, and when you select the user manager it will prompt you for the password to confirm that action. Assuming that people read what they are being prompted for, this is quite secure. Your random email trojan will not be able to use this to add a new user in the background. The random attacker at your box you left unattended neither.

So what would you suggest are the main things worth reading for usable security? Roger Dingledine & company did a nice job with the anonymity bibliography at
http://www.freehaven.net/anonbib/

at assembling a bunch of resources that had been widely distributed. Doing something that comprehensive is a lot of work, but off the top of your head, what are some things that people should be familiar with? “Why Johnny Can’t Encrypt” is certainly on that list. What else?

Good luck on your new blog!

“In my opinion, you must not sacrifice security for usability. Any attemt to do so will usually undermine your whole security concept.”

Why do we have systems, if not for the people who use them? And what security concept do you operate under? What are the real risks and costs associated with security?

I’ve worked on operational security teams (as opposed to research on security, or developers who code security tools) for the past 3 years, and I assure you that successful professional security staff always need to balance security against usability (and cost).

The main problem with security is that as a “feature”, it is hard to justify the expense of implementing things correctly in the first place. Good security is not something that people notice and appreciate, until they suffer from the security failure (and then, there is a short lived period when it is a frantically high priority).

As a consequence, outside of relatively small communities, good intrinsic security doesn’t drive adoption or increased sales - except as an after fact product.

I’m subscribed, and I look forward to your thoughts and advice that I can use to improve my applications so as to be usable but secure.

“In my opinion, you must not sacrifice security for usability. Any attemt to do so will usually undermine your whole security concept.”

The most important thing to realize is that it does not have to be a tradeoff of one for the other. And that even when it is, sometimes you get more security in practice by giving up something that is more secure in principle.

For example…imagine an OS that prompted you for a password every time any program in the system wanted to read from disk. For one thing, it would be so annoying to use that nobody would use it; but aside from that you have now run into the problem that even if you forced people to use it there would be the problems that 1) people would have to constantly being entering their password and would therefore likely choose very simple/short passwords (like, say, “a”), and 2) whether or not they chose a decent password their would be a significant danger of somebody “shoulder-surfing” to get the password. Besides which, such a scheme does nothing to address the problem that people seem to have some psychological issues that keep them from respecting/understanding the security notion behind keeping passwords secret.

Now…that example is rather extreme…but the idea is there. Let’s consider a more realistic example: Simson Garfinkel proposed an e-mail gateway that would automatically encrypt any outgoing messages so that they were protected in transit. This clearly lacks the security of something like PGP…but in practice it adds a layer of security that just isn’t there in general. (And, happily, helps avoid the annoying federal wiretap issue where they tried claiming that police did not need a warrant to read e-mails that were waiting in a mailbox because they were in storage, not in transit.)

The idea can be taken to a point where it is troubling…something like arguing that users should be allowed to use passwords that are as simple as they want and never be required to change them because they you wouldn’t have so many problems with people writting down their passwords. Obviously this is not a secure idea. The trick here is that there is some sort of balance to be struck…but people have to realize that often security and usability can be made to coincide if people focus on practical security rather than theoretical models.

Hi! Do not prompt as me to send e-mail? = (

Hi
I can not find coordinates for a feedback.