[By Nic Lindh on Friday, 30 January 2004]
Scott Granneman has written a couple of interesting columns for SecurityFocus. In one of them, he discusses the scary ignorance Joe User has when it comes to security. The column shouldn’t come as a surprise to anybody doing end-user support, but judging from the still-abysmal state of user interfaces for security tools, it’s a big surprise to the makers of anti-virus software and firewalls. And Microsoft’s Windows Update tool is still a living manifesto of how not to design end-user software.
You’d think that enlightened self-interest would convince a lot of people to learn enough about this stuff to lock down their own machines, but all the evidence says no. There’s a small percentage of nerds and geeks who spend the time on this stuff, and the rest of the user population, for whatever reasons, can’t be bothered. So their boxes get hacked, they keep clicking on dangerous attachments, fall for phishing scams, and in general have a thoroughly unpleasant experience on the Internet.
After Granneman published the column linked above, he was contacted by an FBI agent, who volunteered to give a lecture. The account of that lecture is fascinating reading. There’s a lot of nastiness out there.
Turns out that security is not so much a matter of technology. Granted, base levels of technological security, like firewalls and strong passwords, have to be in place to prevent abuses, but in the end “social engineering, coupled with greed, is the easiest way to subvert any security.”