Philip Reitinger thinks we’re going about security on the large scale all wrong, and he talks about it on Lawfare:
As Rosenzweig says, a decade of government efforts to raise awareness has been insufficient. Awareness alone does not work at scale; awareness fails often. While increased awareness may raise costs for attackers, it can be overcome by automated attacks that will turn a small success rate into a series of significant and successful intrusions. The solution is not that “we need to think of ways in which government intervention can ‘nudge’ the general population in the right direction.” Instead, industry should stop asking consumers to make security decisions for which they are ill-equipped, especially when implementation of those decisions is burdensome. As Microsoft discovered decades ago, asking a consumer if she wants to run a process does not add value. If the consumer doesn’t understand what the process is, she will click “yes” almost always. Industry also needs to position bad security decisions so that they are, to use technical jargon, really hard to make. Save liability for inexplicably bad decisions that actors are equipped to make—decisions that don’t happen by default—such as corporations failing to meet basic and clear security standards.
This technology requires a paradigm shift: Don’t teach people to farm. Sell them food.
The flip side of that coin, though, is trust: trust that industry will actually give you truly secure channel software. Do you trust them to do that?
Philip is quite right: most computer users don’t understand computer security. Heck, I didn’t specialize in it, and so I just get the gist of it. But does that mean we should be trusting corporations to deliver security as a matter of course?
Should we be trusting the open source movement? Beats me.
I’ll tell you what, folks – I keep my online transactions to a bare minimum, and when I’m at the store, more often than not I’m paying cash. Some people think I’m old-fashioned, but the real reason is that I’m an informed, cautious consumer. I know that I don’t know how secure any online transaction will be – including credit cards at the store, which are also running over a network and are therefore somewhat vulnerable to determined hackers (such as those using skimmers).
Cash has its own security concerns, but frankly I’m a little more comfortable with them.