Security Without Idiocy, Part 1

Sunday, 2007-June-10 at 09:55 4 comments

This is, I believe, going to be a series.

Let us begin this way.  When I was in high school back when cave men still walked the earth, there was some creep that killed some girl scouts at a camp.  Their reaction was appropriate for the situation—they shipped the survivors home and canceled all scheduled camping in that state for the rest of the Summer.  I believe they evaluated the environment and made a few changes.  Ultimately, I think they recognized that there are not thousands of these guys out there waiting to attack teenage girls in their sleep, and so it would have been extreme (and costly) to hire armed guards to patrol the outskirts of the camp in order to prevent such an occurrence.

Fast-forward to this century.  We are so extreme about preventing the slightest risk that we have people who want to force children who wear those wheeled shoes to wear pads and helmets.  Of course, pads and helmets are not foolproof, so when someone gets hurt wearing a helmet, we will then force helmet-making companies to make their products bigger, thicker, and heavier.  Eventually, our children will be armored like the Star Wars StormTroopers.  At some point, we have to decide what levels of risk are acceptable, because even in full armor, people will still get hurt or killed.

In the meantime, we are afraid to allow our middle schoolers to walk a mile home from school or to play outside, so we are creating a generation of overweight, fearful, risk-averse people.  Without putting risks and dangers into perspective, any harmful event results in new restrictions on what is allowed, without any real improvement in security.  There are some dangers that you can lessen or prevent, but there are many more that you cannot affect at all.  A few years back, a local teen died (and two others were injured) when the spoon he was using to eat ramen noodles was hit by lightning.  Should we then require that all youth eat from plasticware to protect against this kind of event?

Now let's consider this in the context of Web browser security.  I was on a Linux laptop (not my usual laptop) a few years ago, using Konqueror to visit a Webmail site that was not one of the big three.  I moved the mouse pointer across a banner ad on the way to the "Log Out" button when it popped up a JavaScript box: "Install IE Toolbar?"  Of course, I immediately hit the Enter key, since I was so used to getting these pop-up security messages that I instinctively hit Enter before I considered what they said.  Fortunately, it responded, "Unable to find Internet Explorer" and quit.  The point is, rather than giving us modal dialogs for trivial events, we need visible but non-intrusive indicators to tell us (for example) that we are entering or leaving a secured site.  Save modal dialogs for real dangers, such as phishing or malware sites.

Computer security can never be perfect, because at some level, we have to depend upon humans that are imperfect.  We can overreact, making everyone that goes through airports remove their shoes and dump out their shampoo (except for a tiny quantity in a plastic bag), but this reactive strategy puts us at a disadvantage and only serves to make us more and more paranoid.

An example of this idiocy would be requiring passwords like A5!n%G94d.  In theory, this makes a better password, because it does not spell any words.  In reality, this password will force users to write their passwords down (with the likelihood of losing or leaving said password in a place where another person might find it).  I was logging into my mobile phone carrier's site to check my balance, when they prompted me to enter additional "security" information, such as my first pet's name and grandmother's maiden name.  Since I do not know all of this information, I opened another browser tab to search for it.  You guessed it—most of this security information was publicly available on the Web.  I fired off an e-mail message to the company's technology support staff, but I have not received any response.

Have you ever discussed your hobbies, your children, your pets, or your genealogy on any online forum or message board?  Have you been registered with and participated in one of those school / college / military / employment reunion sites?  If the answer is 'yes', anyone can find all of the information necessary to answer those supposedly secret questions.

In general, I think we have to accept the fact that some risk is built into life.  You can cage your daughter up in her room until she is 18, but then she will walk out the door with no ability to decide for herself which situations present unacceptable risks.  Either she will lock herself in her apartment without human contact, or she will travel to Hollywood to sell her body on the streets.  If you think either or both of those are unacceptable, you’d better start giving her a realistic perspective (and exposure to real life) now.

Entry filed under: Society, Software.
