Good luck securing 'things' when users assume 'stuff just works'

At the end of April my home was broken into by a professional who silently and systematically looted my residence of all my portable wealth while I slept. In the morning, as I looked around for a phone to call the cops (there wasn’t one, so I had to Skype them from a desktop machine), I saw he’d used an entrance that offered …

Re: Sleeping through a robbery

I used to be, pre-child. I could sleep through anything.

I got so used to waking up in the middle of the night that a fly coughing in the next room now wakes me up, 10 years later.


Re: Sleeping through a robbery

a fly coughing in the next room now wakes me up

Blimey, you must have bad pollution where you live if even the flies are coughing!


Re: Sleeping through a robbery

I have slept through a battalion attack involving 30 M60 LMGs, roughly 500 rifles, a helicopter, the battalion quack playing the bagpipes, and lots of grenade & artillery simulators as well - mind you, this was at dawn of day 10 of a 10 day exercise where I was getting 2-3 hours sleep in any 24 hour period. I was woken by the none too gentle tapping on my boots - after uttering the appropriate greeting (f-off) I opened my eyes to see the RSM & CSM - cost me 6 months of duty when back in the barracks - sigh

Anonymous Coward

Re: Sleeping through a robbery

cost me 6 months of duty when back in the barracks

Work as an indentured servant of the State (the health of which is war) will make your life hell. Ok.

But as a civvie in a non-warzone bedroom?

As in a Spaghetti Western, all should be quiet, with crickets chirping. But when you get woken as dark doings are afoot, a boomstick should be in your hand immediately, with an audible click indicating the cocking of the hammer.


Stop training users not to update!

Hands up: How many of us have had an update take something from a working to a non-working state?

Or had the UI needlessly changed because of an update?

Most users see updating as something that breaks what works, adds crap they don't need nor want, and makes their device harder to use. Of course they're not going to run the updates.


Re: Stop training users not to update!

Or had the UI needlessly changed because of an update?

Most users see updating as something that breaks what works, adds crap they don't need nor want, and makes their device harder to use. Of course they're not going to run the updates.

Mozilla, I AM looking at YOU!!!!


Re: Stop training users not to update!

So what happens when you're caught between Scylla and Charybdis: you CAN'T update because it'll break, but you MUST update because it's already broken, and you're obligated to use the device for legal, contractual, or practical (as in it's the ONLY one that'll work with your setup) reasons?

Anonymous Coward

"Caught between Scylla and Charybdis"

Oh do stop going all Sting on us.


Re: "Caught between Scylla and Charybdis"

Eh? Sting? I'm taking this from the Odyssey.


"...unless companies start building secure products then we're goosed."

But the money's not there. Customers want the job done FIRST, secure somewhere below that (especially if, like it usually does, it INTERFERES with getting the job done).


But the money's not there. Customers want the job done FIRST, secure somewhere below that (especially if, like it usually does, it INTERFERES with getting the job done).

Yup. How many people would prefer to log in automatically to an admin account so that on those rare occasions where they install a program, they don't have to take the whole extra couple of seconds to type in an admin password? My longest password in current use is in the 15-20 char range covering most of the keyboard, and it takes me about 3 seconds to type. How much of my life have I wasted watching 10 minute software installs every few months because of those extra 3 seconds? I could've done so much in that time! Why, that's a whole extra 10 seconds of sitting idly on my arse every single year! So much effort to type that in....

(FTR, decent AV, separate user/admin, and I question anything that causes me to be asked for my password)


"Yup. How many people would prefer to log in automatically to an admin account so that on those rare occasions where they install a program, they don't have to take the whole extra couple of seconds to type in an admin password? My longest password in current use is in the 15-20 char range covering most of the keyboard, and it takes me about 3 seconds to type.How much of my life have I wasted watching 10 minute software installs every few months because of those extra 3 seconds? I could've done so much in that time! Why, that's a whole extra 10 seconds of sitting idly on my arse every single year! So much effort to type that in...."

Ever thought many people have to do this MUCH more often? Why do you think UAC was panned so much? Does the term "click fatigue" spring to mind? What about having so many passwords you can't remember them all (and you can't use a mnemonic because you forget the mnemonic) and a manager is not an option because the computer's communal? Too many people these days are suffering from a chronic case of Information Overload and just wish the KISS principle could be applied to everything to stop the insanity. Flip a switch and be done with it, thank you! Some people even feel locks on the front door is too much work.


"What about having so many passwords you can't remember them all "

Absolutely.

When I read this, I just started to do a mental rundown of all the systems that I use or have used (that if I could remember my login credentials I could probably still access), and the number was huge. Admittedly, I work in IT for a large organisation, that has a stupid IT system (separate AD and LDAP systems that overlap common environments that each used their own username/password combinations, 3 AD environments, 6+ LDAP environments), plus many legacy apps that don't use EITHER of those so maintain their own in-built username/password databases...

But if we consider the non-work related ones (because that adds over 100 separate systems...).

Financial accounts, banks, credit cards, store cards, mortgage accounts, utilities (electricity, phones, ISPs) and so on, that's at least a dozen, probably more I can't think of right now.

Online games/gaming (MMO's, steam, etc.), a score or more.

Various news/blog sites, e.g. TheRegister, AnandTech and what not, each with separate forum/commenting logins, another score or so.

Email, some frequently used, others rarely used (for signing up to suspicious sites, e.g. pr0n etc), that's another half a dozen.

Some accounts I have to have but don't really use, e.g. google accounts for my phone that I don't use for anything else apart from my phone/tablets. Another 2 or 3 of those.

Some rarely used social media accounts, 3 or 4 of those.

Online stores (e.g. Amazon, eBay, online grocery ordering, kickstarter), that's gotta be at least another score right there, probably many more that I've used for one-off purchases and am never going back.

My home IT equipment, router, modem, 2 WiFi APs, phone, tablet, 2 laptops, desktop, media center, NAS, WiFi passwords (mine plus friends WiFi etc.), a dozen or more.

And these are just the ones I'd use at least every 6 months. I've got dozens, hundreds I signed up to for a once-off (commenting on an article on a site I rarely visit or usually don't comment on, but I had to comment on something that time) or old services I used to use but don't anymore (old ISP email accounts floating around from the half a dozen ISPs I've had over the years, etc.).

My head's gonna explode I think....


So how do you deal with the problems when you can't use mnemonics (because *a* the password rules won't let you use one and *b* you forget the mnemonic), a password manager (because the computer isn't yours or is communal), or a book (because again, you lack privacy)?


Well, something like a YubiKey might work for you. Physical hardware token.


Not many places support them anymore because true high-security settings don't trust ANY external hardware. Plus it doesn't solve the problem of hard password rules which the key wouldn't be able to negotiate.

Look, what's needed is a solution for people with bad memories and no way to store loads of passwords other than their defective brains.


Not far enough

...Thoughtful security by design would go a long way....

...but not far enough.

If something is insecure - say, uses default password '1234' - it's fairly easy for any malicious user to hack you

If something is secure by design, that needs a deep investigation by skilled hackers to find a vulnerability. There will always be several in complex system - it's just a question of how hard it is to find them. That sounds good. The bar has been raised. Only a few highly-skilled hackers can possibly attack you....

But.... the skilled hackers write their attack routine into a script. And publish it on the Web. And now it's fairly easy for any malicious user to hack you again....


Re: Not far enough

That's been the catch. Once something has been broken into ONCE, the technique used to break in can be re-tuned as needed to evolve to cover variants. It's a difference in degree but not in kind. It's like how once the Java sandbox was broken, most any sandbox can be easily broken now. It's only a matter of time before the same thing happens to VMs. Plus the human angle is always available. After all, locks can't do much if someone manages to copy the keys.


I'm pretty sure expecting things to "just work" isn't laziness, it's... er... how things are supposed to work.

When you get in a car, you start it, and it "just works".

When you turn on your TV, it "just works".

When you buy a new fridge, it "just works".

Stuff "just works".

Expecting techie stuff to "just work" isn't laziness, it's a reasonable expectation.

What we need is *better* techie stuff that is secure(ish) by default and doesn't need any special setup from the user.

And we actually have that for home Wi-Fi routers, it's called "Wi-Fi Protected Setup". Why we're still relying on passwords 10 years after having a much better solution is beyond me.

Anonymous Coward

WPS is half-cracked. PINs can be gleaned from the outside. As for the Push-Button Control, a few seconds alone with the button would be all I need to snatch the password and pass it along.


Biting the hand that feeds IT © 1998–2018