Slashdot Log In
Bruce Schneier Talks Brain Heuristics and Security
Posted by
CowboyNeal
on Thu Feb 01, 2007 08:03 PM
from the just-because-you're-paranoid dept.
from the just-because-you're-paranoid dept.
ancientribe writes "Bruce Schneier is at it again: the security icon shares his latest research and insight on the interplay between psychology and security in this article in Dark Reading. The focus of Schneier's latest research is on brain heuristics and perceptions of security, which may be the basis for the best-selling author's next book. His goal for the topic, which he'll be presenting at the RSA Conference next week, is to focus on how people think, and feel, about security, and how neuroscience can help explain how our perception of risk doesn't always match reality."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Its all in your.. (Score:3, Funny)
Re: (Score:3, Insightful)
A slightly different analogy. (Score:2)
Re:A slightly different analogy. (Score:4, Funny)
Parent
Re: (Score:2)
That's assuming they have it. Smart people take Valtrex so they can start sleeping around without using protection while eliminating the risk of a partner giving them herpes in the first place. But of course, the pharmaceutical industry lacks the balls to produce the obvious commercial, an
Re: (Score:2, Interesting)
The best path is to prevent ill will from forming. That is done by convincing the disenfranchised people that they are cared for.
Encryption and ease of use. (Score:5, Insightful)
At one point in the article, Schneier comments on email encryption:
This is a good example, because encryption is in common use on the web. To the end user, using a website over an SSL or TLS connection is no different from using one in the clear. It's almost too easy, which is why browsers have lock icons, color changes, and "You are leaving a secure site!" messages.
Of course, the problem is slightly different, since HTTPS is all about protecting a client-server connection from eavesdropping, not protecting the data itself. Once the data reaches the server, the server is entirely capable of doing something boneheaded with it like saving it in plain text in index.html. Similarly, data sent to the client can easily be printed out and left face up on the car seat.
Client-server connections are easy to deal with, because the only people that need to manage them are the software developers and the admins managing the server. Similarly, it's trivial for an end-user to send/retrieve mail using a TLS-encrypted SMTP, POP3, or IMAP connection.
Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity.
Re:Encryption and ease of use. (Score:4, Interesting)
I have to enter my passphrase before I send something I might regret. This has been a boon to me on innumerable occasions. It means I send fewer emails than I otherwise would, but I don't tend to send anything I'll regret years down the road.
Parent
Re:Encryption and ease of use. (Score:5, Insightful)
That, and email encryption is mostly done either through soft-certificates or - more commonly - through PGP. There are hardly any mail systems that integrate PGP, although they are available as add on. Even so, I believe the user interface is still much harder than e.g. websites with SSL. Also, as you rightly said, end users not only have to manage a digital identify, most of the time they have to handle the other person's digital identities as well. E.g. here at home I cannot verify any signatures that I can verify on the computer at my work, because I do not have an up to date certificate store.
Of course there is also SSL with client side authentication. Although this is very usefull for B2B transactions (web services), you will hardly see any uses for end users. Even though both Mozilla and IE have build in support (although the Mozilla version tended to be broken for a pretty long time, and the IE version also has its fair share of problems).
Parent
Re: (Score:2)
I have to disagree with this statement since end users could use a notary to manage this identity. Specifically, I'm thinking of a website that allows users to send and read encrypted messages. One would create an account on the site which would then generate the necessary crptographic keys; the user could then send enc
MUA makes a big difference. (Score:2)
The environments where I've seen the heaviest use of encryption are Lotus Notes shops, because Notes was basically designed around encryption. Granted, it uses some str
That word. . . (Score:5, Funny)
Re: (Score:2, Informative)
Really, it's good that you paid attention in high school. You learned a lot of great rules of thumb that will help you avoid making grammatical errors. But they're just rules of thumb. They don
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Re: (Score:2)
* That is 'immovable', not 'repaired'.
It's just the usual social engineering (Score:2)
Bruce Schneier is my homeboy (Score:5, Funny)
Perception (Score:5, Interesting)
Part of the problem is with our perception of probability. We see it mathematically, but we still expect cause and effect rather than randomosity. Most users will say things like "why would someone monitor me," not realizing that there's usually no direct causal relation between who they are and interest others might have in their information, and the question is better put, "how probable is it that someone like me might be monitored."
In other words, we feel relatively safe in a crowd. We are completely visible, but because we cannot see why someone would single us out as unique, we feel obfuscated. All the while not realizing that it's more opportunity than it is causality.
This is why we feel safe sharing information on websites like myspace, or using our credit cards over insecure wireless connections, because we believe that because everyone else is engaging in this fundamentally insecure behavior, we have safety in numbers. No one will read our blog for information about our identity, no one will try to use our amazon account to buy electronics.
But they will, with a probabilistically determined frequency.
Re: (Score:3, Insightful)
Take the risk of getting wiped out by an asteroid vs. the risk of getting framed and sent to prison. The former is far less likely (less than 1 in a million), but it also gets people a lot more scared. Your odds of being framed and sent to prison are greater than 1 in a 100 over a lifetime (at least in the USA, the odds are far lower in countries with lower incarceration rates), b
Re: (Score:3, Informative)
And the perception still gets it wrong if two risks are very similar: Think about the craze because of the H5N1 bird flu. Worldwide we have now ~200 people w
Re: (Score:2)
5 tough user-space factors (Score:5, Insightful)
1. Incentives: Most people, especially employees, don't face personal consequences when their PC is infected or the company database gets pwned.
2. Rarity: Most people see security problems as something that happens to someone else. That so few breaches are publicized only enhances the belief in the low likelihood of problems.
3. Hubris: Most people believe they know what they are doing.
4. Boredom: Ask a person to be careful too many times in the face of a relatively low-probability event and they become trained to click "Yes, Install."
5. Sociality: Most people are nice and assume that other people are nice too. They hold the door open for the social engineering intruder, they click on the "cool link", they open email that looks like it might be from someone important. Malware creators prey on our desire to "do the right thing."
Some of these five are easier to address but some reflect deeper realities about being human.
fear and power (Score:3, Interesting)
It was interesting how Schneider said "you can feel secure even if you're not" - maybe this is also known as herd-mentality..
Re: (Score:2)
The poor photographer nodded meekly.
True story.