Archive for the 'Opinions' Category

Panel: Usability of Security Software - Is Open Source a Positive, Negative, or Neutral Factor?

Friday, July 17th, 2009

Moderator: Luke Kowalski, Corporate UI Architect, Oracle
Stuart Schechter, Microsoft Research
David Recordon, Open Platforms Tech Lead, SixApart
David Sward, Director of User Centered Design, Symantec
Nancy Frishberg, User Experience Strategist and BayChi chair
Rashmi Sinha, CEO, SlideShare
The opening premise is that Open Source is a neutral factor in the usability of security software.
One of the first myths of open source [...]

Rivest’s ThreeBallot Voting System

Friday, September 29th, 2006

Ron Rivest suggests a paper-based voting system called ThreeBallot, which is unusual in that it lets voters verify the integrity of the election from end to end, but doesn’t require computers to do fancy cryptographic operations.  Designers of voting schemes have long desired to enable each voter to ascertain with confidence that their ballot [...]

Security in Windows Vista: to 2002 and Beyond!

Thursday, May 18th, 2006

While in Montréal, i came across this article on Bruce Schneier’s blog, which points to Paul Thurrott’s scathing review of Vista’s new security restrictions.  In a test build of Vista, even simple operations now trigger popup prompts asking the user for confirmation.  In the reviewer’s example, installing Firefox left a shortcut to Firefox [...]

But what if it doesn’t work?

Wednesday, April 26th, 2006

Giving security talks can be tough.
At a typical gathering of security folks, just about any proposal for a new design that intends to improve security will be met with lots of questions of the form “But what about [some attack]?  Or [some other attack]?  Or what if [something] goes wrong?” And i’m [...]

Challenges: Simon Says

Saturday, July 23rd, 2005

Time for another challenge.  Today, I’d like to describe what I call the “Simon Says” problem.
A Simon Says problem occurs when the safe course of action requires the user to respond to the absence of a stimulus.

Challenges: Obedience to Authority

Tuesday, July 19th, 2005

From time to time, I’ll highlight some of the special challenges faced by designers of usable security.  Let’s start with a fairly obvious problem that’s often exploited in security attacks on people:
The “Obedience to Authority” problem occurs when the safe course of action requires the user to reject or contravene an apparently authoritative command.
“Obedience [...]

Netscape 8: More Security Choices

Sunday, May 29th, 2005

The front page at browser.netscape.com proudly announces:
The All New Netscape Browser 8.0
Speed, Flexibility and More Security Choices Than Any Other Browser
Speed: Good.
Flexibility: Good.
More Security Choices Than Any Other Browser: What ninny decided this was a positive feature?

Microsoft’s Folly

Thursday, May 26th, 2005

Adam Shostack mentioned the previous post (Hi, Adam!) and noted that Microsoft is “aggressively promoting” the myth that software is unconstrainable.  The first of their so-called Ten Immutable Laws of Security says
Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
Totally false.

Zaptastic Author Misses the Point

Thursday, May 19th, 2005

It’s nice how The Internets have a way of offering me real-life examples, like a cat leaving a dead bird on the doormat, only moments after i’ve been talking about something.  Thank you, Internets.
Recently, to demonstrate a security problem in the new Dashboard feature in Mac OS 10.4, Stephan Meyers created a “slightly evil” [...]

The Armed Butler

Thursday, May 12th, 2005

Read a typical news article about computer security and you will see words like “attack” and “defend.” People speak of software being “strengthened” or “hardened” as though it were some kind of physical substance.  That might cause one to envision cannonballs smashing into the high walls of a fortress, where the only hope [...]

Dangerous Analogies

Wednesday, May 11th, 2005

Argument by analogy is common in discussions of computer security.  It’s often a useful way to reason about things, but sometimes an analogy can mislead you.  I think a large class of misunderstandings about computer security are due to recurring problems in drawing analogies between what goes on in a computer and what [...]

The Path of Least Resistance

Thursday, March 17th, 2005

This year I attended South by Southwest for the first time and enjoyed meeting lots of interesting folks.  During a session about decentralized social networks, the panelists mentioned the problem that bloggers (especially beginning bloggers) sometimes post personal information about themselves in public without realizing the risks.  Often they may be unaware of [...]