Slashdot

Bruce Schneier Talks Brain Heuristics and Security

Posted by CowboyNeal on Thu Feb 01, 2007 07:03 PM
from the just-because-you're-paranoid dept.
ancientribe writes "Bruce Schneier is at it again: the security icon shares his latest research and insight on the interplay between psychology and security in this article in Dark Reading. The focus of Schneier's latest research is on brain heuristics and perceptions of security, which may be the basis for the best-selling author's next book. His goal for the topic, which he'll be presenting at the RSA Conference next week, is to focus on how people think, and feel, about security, and how neuroscience can help explain how our perception of risk doesn't always match reality."
  • It's all in your.. (Score:3, Funny)

    by scoot80 (1017822) on Thursday February 01 2007, @07:08PM (#17852604)
    head.. as a matter of fact.. this reply is all in your head too.. it doesn't exist..
  • Encryption and ease of use. (Score:5, Insightful)

    by Kelson (129150) on Thursday February 01 2007, @07:12PM (#17852656)

    At one point in the article, Schneier comments on email encryption:

    "Over the years, no one used encryption" in email, he says. "It had nothing to do with the technology," but instead the ease of use, he says.

    This is a good example, because encryption is in common use on the web. To the end user, using a website over an SSL or TLS connection is no different from using one in the clear. It's almost too easy, which is why browsers have lock icons, color changes, and "You are leaving a secure site!" messages.

    Of course, the problem is slightly different, since HTTPS is all about protecting a client-server connection from eavesdropping, not protecting the data itself. Once the data reaches the server, the server is entirely capable of doing something boneheaded with it like saving it in plain text in index.html. Similarly, data sent to the client can easily be printed out and left face up on the car seat.

    Client-server connections are easy to deal with, because the only people that need to manage them are the software developers and the admins managing the server. Similarly, it's trivial for an end-user to send/retrieve mail using a TLS-encrypted SMTP, POP3, or IMAP connection.

    Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity.

    • The interesting thing about this is that I tend to at least use digital signatures now, and started for one big reason:

      I have to enter my passphrase before I send something I might regret. This has been a boon to me on innumerable occasions. It means I send fewer emails than I otherwise would, but I don't tend to send anything I'll regret years down the road.

    • Re:Encryption and ease of use. (Score:5, Insightful)

      by owlstead (636356) on Thursday February 01 2007, @08:02PM (#17853170)
      "Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity."

      That, and email encryption is mostly done either through soft-certificates or - more commonly - through PGP. There are hardly any mail systems that integrate PGP, although they are available as add-ons. Even so, I believe the user interface is still much harder than e.g. websites with SSL. Also, as you rightly said, end users not only have to manage a digital identity, most of the time they have to handle the other person's digital identities as well. E.g. here at home I cannot verify any signatures that I can verify on the computer at my work, because I do not have an up to date certificate store.

      Of course there is also SSL with client side authentication. Although this is very useful for B2B transactions (web services), you will hardly see any uses for end users. Even though both Mozilla and IE have built-in support (although the Mozilla version tended to be broken for a pretty long time, and the IE version also has its fair share of problems).
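      The two points made above, Kelson's (TLS protects the session, not what the server ends up storing) and owlstead's (verifying a signature depends on the certificate store on the machine you happen to be using), as an added example using the openssl command-line tool; this is not code from the thread or from Schneier. It uses S/MIME with self-signed "soft certificates". The identities, file names and message text are constructed for the demo, and it assumes an openssl binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): S/MIME with the openssl CLI.
# Shows (1) end-to-end encryption: the mail server only ever holds ciphertext,
#       (2) signature verification depends on the verifier's certificate store.
# Identities, file names and message text are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed "soft certificates" for Alice (sender) and Bob (recipient).
make_identity() {  # $1 = name, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$1/emailAddress=$2" >/dev/null 2>&1
}

make_identity alice alice@example.org
make_identity bob   bob@example.org

printf 'Subject: lunch\n\nThe password is hunter2.\n' > msg.txt

# Alice signs with her own key, then encrypts to Bob's certificate. This
# envelope is what a TLS-protected SMTP/IMAP session would carry; with TLS
# alone, msg.txt itself would sit readable on the server.
openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key -out signed.p7m
openssl smime -encrypt -aes256 -in signed.p7m -out envelope.p7m bob.crt

# What the mail server has at rest: prints 1 if the plaintext leaks, else 0.
server_sees_plaintext() {
  if grep -q 'hunter2' envelope.p7m; then echo 1; else echo 0; fi
}

# Bob decrypts with his private key and recovers the signed message.
openssl smime -decrypt -in envelope.p7m -recip bob.crt -inkey bob.key -out recovered.p7m

# Verify Alice's signature against a given trust store (a CA file).
# Prints "ok" when the signer chains to the store, "untrusted" otherwise.
verify_with_store() {  # $1 = CA file acting as the certificate store
  if openssl smime -verify -in recovered.p7m -CAfile "$1" \
       -out verified.txt >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# Bob's "home" machine: the store holds only his own certificate.
echo "home  : $(verify_with_store bob.crt)"
# Bob's "work" machine: the store also holds Alice's certificate.
echo "work  : $(verify_with_store alice.crt)"
echo "server: plaintext visible = $(server_sees_plaintext)"
```

      The same signed message verifies on one machine and fails on the other purely because of what is in the local store, which is the situation owlstead describes; and the envelope the server holds never contains the plaintext, which is the gap between transport encryption and end-to-end encryption that Kelson points at.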
    • MUA makes a big difference. by Kadin2048 (Score:2) Thursday February 01 2007, @09:55PM
    • Re:Encryption and ease of use. by RAMMS+EIN (Score:2) Friday February 02 2007, @06:46AM
  • That word. . . (Score:5, Funny)

    by Skadet (528657) on Thursday February 01 2007, @07:39PM (#17852942)

    Bruce Schneier once again is turning security on its head -- literally.
    That word. . . I don't think it means what you think it means.
  • Bruce Schneier is my homeboy (Score:5, Funny)

    by bigredradio (631970) on Thursday February 01 2007, @07:41PM (#17852954)
    More facts about Bruce. http://geekz.co.uk/schneierfacts/ [geekz.co.uk]
  • Perception (Score:5, Interesting)

    by bwthomas (796211) on Thursday February 01 2007, @07:48PM (#17853016)

    Part of the problem is with our perception of probability. We see it mathematically, but we still expect cause and effect rather than randomosity. Most users will say things like "why would someone monitor me," not realizing that there's usually no direct causal relation between who they are and interest others might have in their information, and the question is better put, "how probable is it that someone like me might be monitored."

    In other words, we feel relatively safe in a crowd. We are completely visible, but because we cannot see why someone would single us out as unique, we feel obfuscated. All the while not realizing that it's more opportunity than it is causality.

    This is why we feel safe sharing information on websites like MySpace, or using our credit cards over insecure wireless connections, because we believe that because everyone else is engaging in this fundamentally insecure behavior, we have safety in numbers. No one will read our blog for information about our identity, no one will try to use our Amazon account to buy electronics.

    But they will, with a probabilistically determined frequency.

  • 5 tough user-space factors (Score:5, Insightful)

    by G4from128k (686170) on Thursday February 01 2007, @07:56PM (#17853076)
    I see five factors that make the user-space side of security so hard.

    1. Incentives: Most people, especially employees, don't face personal consequences when their PC is infected or the company database gets pwned.
    2. Rarity: Most people see security problems as something that happens to someone else. That so few breaches are publicized only enhances the belief in the low likelihood of problems.
    3. Hubris: Most people believe they know what they are doing.
    4. Boredom: Ask a person to be careful too many times in the face of a relatively low-probability event and they become trained to click "Yes, Install."
    5. Sociality: Most people are nice and assume that other people are nice too. They hold the door open for the social engineering intruder, they click on the "cool link", they open email that looks like it might be from someone important. Malware creators prey on our desire to "do the right thing."

    Some of these five are easier to address but some reflect deeper realities about being human.
  • "Old news" (Score:1, Funny)

    by Anonymous Coward on Thursday February 01 2007, @07:56PM (#17853084)

    When one of the reporters asked for a copy of Mr. Schneier's notes during the presentation, he handed her two pages of ciphertext.

    • Re:"Old news" by oostevo (Score:2) Thursday February 01 2007, @10:25PM
      • OT (your sig) by jonadab (Score:1) Friday February 02 2007, @10:25AM
  • fear and power (Score:3, Interesting)

    by wall0159 (881759) on Thursday February 01 2007, @08:03PM (#17853186)
    Seems to me it would be good if more people understood the ways that their gut reaction to fear is often incorrect. It would at least make it harder for politicians to manipulate the populace.

    It was interesting how Schneier said "you can feel secure even if you're not" - maybe this is also known as herd mentality..
  • by wwnexc (1029180) on Friday February 02 2007, @03:02AM (#17856006)
    Why do people trust complex programs with colorful symbols and logos more than a simple Linux command, where you know what is going on?
  • The New Science of Change (Score:2, Informative)

    by screeder (851027) on Friday February 02 2007, @11:11AM (#17859840)
    For what it's worth, I wrote an in-depth look at the neuroscience of the brain and its impact on people's ability to change for CIO magazine here: http://www.cio.com/archive/091506/change.html [cio.com].
  • Primate psychology (Score:2)

    by Master of Transhuman (597628) on Friday February 02 2007, @04:13PM (#17865092)
    is all you need to know to understand "security".

    Chimps are afraid of each other. So any time any chimp does anything, it's automatically fear time for everyone else.

    As I've said many times before, humans work like this: "If you're right, I'm wrong. And if I'm wrong, I'm dead - and that can't be allowed. So I'm right and you're wrong. And if necessary, you're dead."

    It's that simple.

  • Tag !schneider (Score:1)

    by Nesetril (969734) on Thursday February 01 2007, @07:29PM (#17852842)
    I am tagging this story !schneider.