“The problem with making things foolproof is that we keep evolving a better class of fool”, as the old saying goes. And nowhere is this more true than in security where breaches remain regular and commonplace despite all the investment that has gone into it. Part of the problem is that we expect users to be experts in security …


It's not a question of security

It's a question of what is an appropriate level of security?

Sadly, that question very rarely gets asked. Most IT departments view security in the same way a thug views violence - if a little doesn't work, you need more. The problem is that when it's done badly, intrusive security becomes more of a problem itself than the situation it was meant to solve.

Most users don't care about security. They can't see it. They can't measure it. It doesn't make their jobs faster, easier or more efficient. From their point of view, people who try to impose more of it on them are the enemy. The trick is putting the right levels of security in the right place and doing the right thing. Unfortunately almost no-one does this. We're all so fixated by the FUD/CYA mentality that we forget what our computer systems are for.

Ultimately, the only way they can be made completely safe is to lock them in a room behind a steel door, with the power turned off. They might not get any work done, but at least they're secure. What the security industry needs more than anything is a few sensible people, taking a realistic approach and finding the right balance between utility and keeping the baddies out. Not just slapping on another layer each time they read about another theoretical possibility in a technical publication.



"Part of the problem is that we expect users to be experts in security, when in reality what they want to do is be successful in their job and will hunt out ways to make this happen."

FIXED: WE NEVER expect users to be experts in security. And, in reality, what they want to do is avoid their job and will hunt out ways to keep work from happening.


Speaking as a user

Please don't. Seriously. Protect us from other people. Protecting us from ourselves is a waste of time, kind of like checking airline pilots for bombs.



I guess all you need to do is check that said airline pilots are, in fact, airline pilots, and that they're going to be flying the plane they're trying to board. If I were a suicidal pilot, I think it would be more poignant to blow up some other pilot's airplane?

And here I thought it was that "nothing is ever foolproof because fools are so ingenious."


Live audiocast

> Live today (18:00 GMT and 10:00 PST), we have an audiocast with experts talking about just these issues ..

Any chance of a transcript, I tend to nod off after four minutes of someone droning on ...

