Humans Not Evolved for IT Security

Stony Stevenson writes to tell us that at the recent RSA Conference security expert Bruce Schneier told delegates that human beings are not evolved for security in the modern world, especially when it comes to IT. "He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved. This leads to people making bad choices. 'As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder.'"

really

[snarkh]

As a species we got really good at estimating risk in an East African village 100,000 years ago.

I wonder how many days would that guy last in an East African village 100,000 years ago.

Ms Abacha?

[Mr_Icon]

Looking at the number of people falling for Nigerian scammers, I'd say that our ability to "estimate risk in an East African village" is not so hot either. :)

Humans Not Evolved for IT Security

[Daimanta]

Thank God I was intelligently designed for this kind of thing ;)

Smith

[pete-classic]

"Only human."
--Agent Smith on IT security

Re:Humans Not Evolved for IT Security

[gammygator]

That's because in Soviet Kansas, nothing evolves...

Re:Humans Not Evolved for IT Security

[sm62704]

Thank God I was intelligently designed for this kind of thing ;)

Too bad Windows isn't.

Re:Ms Abacha?

[nelsonal]

But that's a west African villiage, totally different risk profile. Well played.

Re:What a pile of carp

[Frozen Void]

You forgot :
5.Building an insecure system from the ground up and expecting the users to fix it.

Re:really

[Gabest]

depends... raw, smoked or cooked?

Re:really

[apparently]

Last time I walked through Harlem, the hoodz said I had to fucking PROVE my wealth and whitenses before they would even consider robbing me. I showed them paystubs, my Discover card, even an ATM receipt, and still they doubted how rich I was! And don't get me started on the "white" thing, apparently they don't go by complexion any more, you gotta keep a DNA sample on you with a notarized letter from a scientist stating that he confirms your race.

Us white, rich folk never had it so tough.

Also, you really ought to be awarded with some sort of "waste of a condom" trophy.

Re:His arguments are logical, but...

[Jasin Natael]

There is no possible way to "evolve" computer security.

Then, it sounds like we need a lethal, compulsory video game with a computer security theme.

Re:so what?

[apparently]

Go down you local street corner and see how many people can solve the simplest of equations

Well, for any equations where the solution is "go fuck yourself!", "I got somethin' you can solve, sugah!", or "no seriously, go fuck yourself" the subjects in my test study pass with flying colors.

Re:really

[mstahl]

Come on. Bruce Schneier is like the Chuck Norris of the IT industry. He'd outlast us all!

Remember. There are no prime numbers, only numbers that Bruce Schneier doesn't want you to factor [geekz.co.uk]!

Re:No I'm not

[NeutronCowboy]

Wow. You truly are entertaining. Here, have some more rope. I'm sure you can find an entertaining way of hanging yourself again.

Open letter to God

[EmbeddedJanitor]

Better luck with Humans V2.0.

Anyway you should only trust Humans V1.0 after SP1 has been released.

Re:Stupid Crap

[Sax Maniac]

What I usually see is this:

IT GUY: Your PC is insecure.
CEO: It's your job to secure it, dumbfuck. Give me a secure computer.
IT GUY: Yes sir.

Re:Lets think about this.

[CompMD]

> You are alone in a dark room and cannot see. You are likely to be eaten by a grue.

Actually, sounds like what you can't see WILL in fact eat you.

Re:Probably

[maxwell demon]

No, those were South African villages. :-)

Re:Ms Abacha?

[SterlingSylver]

As a celebration for his victory, we are established for your beneficiary a large bank account in a small East African village. Effect payment of charge processing to the bank account to be listed later in order to receive your monies.

Re:because people want the easy way

[blhack]

And that is why it SUCKS to be the person in charge of security for a domain. Make the security too harsh and the users complain (with good reason) that they can't get anything done. Make things too lax, and you turn into an alcoholic schitzophrenic who does nothing but sit at home in the dark murmering about exploits and unencrypted telnet sessions that your entire company runs on, and how even the software providers out in north carolina won't implement SSL into their software because all of their programmers are from the 1970s even the guy who supposedly "knows-linux" and wants to run gentoo on the soekris box that you sent them to use as a firewall; you sit there alone, and paranoid that some russian script kid, or 14 year old digg user wanna-be l33t-sausage hack-zore is gonna come accross a username/pass and burn your precious servers to the ground!

The relation between beer/security can most properly be illustrated by this graph [imageshack.us]

Re:so what?

[Chris Burke]

They believe that having rolled many sixes recently, they are "due for a 1 or a 2" even though the probability of rolling a particular number on a die is independent of previous rolls.

My goodness, this is simply untruth! While it may be so in the white halls of academia, where such things as "fair dice" and "independent events" are bandied about as though they actually exist in their perfect mathematical forms, it isn't so in the harsh reality of the craps table! Allow me to explain. You see, when you roll a die and it lands as a six, this means that the one side is facing down. While bouncing and rolling each side of the die will contact the table only momentarily, but just prior to stopping the die will have one side contacting the table and will move ever so slightly until friction eliminates its remaining kinetic energy. This friction creates heat on the one, which is held in by the felt table, while the six is facing up and exposed to the air currents and thus is cooled. As hot objects expand and cool objects contract, and a less dense object is more buoyant than a dense one, this creates a natural tendency for the subsequent roll to favor landing one-up rather than six-up. Successive rolls of six will only increase this heat differential. So you see, the gambler's intuition is correct that they are "due" for a one as the odds every increasingly push the die in that direction.

I have myself used this fact to acquire vast sums of money from casinos, to the point where I was able to purchase a casino myself. You should come and visit and play at my craps table. I'm sure with my the knowledge I've given you, you will soon be buying the casino from me!

Re:Smith

[Anonymous Coward]

"Dodge this."
--Trinity on the ability of software security to defeat a determined human attacker

Re:Open letter to God

[comradeeroid]

Early reports from beta testing of Humans Longhorn indicate that the increased security features mainly consist of nagpop's and blocking of almost every function. Before a patch was released to allow it to be shut down several beta testers suffocated due to a function that prompted "It seem's like lungs.exe is trying to access oxygen, if this is correct press 'Yes'"