Archive for the ‘Security’ Category

“It Just Works” vs. Security

May 1, 2014 Comments off

I have written before about the “it just works” problem: Training people to expect not to need to think about their technology gives rise to the self-fulfilling prophecy that most people can’t think about technologyThe usual problem with the “it just works” attitude, namely the users being completely lost as soon as something doesn’t work, is at least something that people recognize as a problem once it occurs. When something doesn’t work, they know it doesn’t work, and they know that they don’t know why it doesn’t work or how to fix it. However, the same attitude creates another problem that’s more difficult to recognize: A lack of security. Non-tech-savvy users not only do, but are encouraged to do, some rather unsafe things in the name of having everything just work.

To be a bit more specific, the problem is that people end up being compromised because they don’t know to take simple precautions or treat things they find online with an appropriate amount of suspicion. As a normal part of browsing the Web, people allow—without even realizing it—dozens of JavaScript scripts, Java applets, and Flash (and occasionally Silverlight) objects to run without their knowledge or consent. A large portion of these pieces of software are not even hosted directly on the sites users are trying to view, but pulled in from somewhere else, whether to add functionality (like blog comments, social media widgets, or embedded videos), to show ads, or just to track users (which, of course, pretty much all of them do). Users have no way of knowing whether some kind of malware has been inserted into the chain, something that has been known to happen even to perfectly legitimate Web sites.

A related issue is that people click without reading or thinking, don’t know enough to understand that it’s a problem that their homepage has suddenly switched to some search engine they’ve never heard of, and can’t figure out why their computers are so slow. Between deceptive “ads” that look like download buttons and installers for legitimate programs also installing “legitimate” (or at least nominally legal) adware and spyware if you’re not extremely careful, it’s easy to get tricked into installing something unwanted.

Of course, it’s a long-standing piece of security advice that if you let others run arbitrary software on your computer, it’s not your computer anymore. It’s just that most people don’t realize this and often don’t even realize that they’re letting people run arbitrary software on their computers. After all, it tends to happen completely transparently in the course of normal Web surfing.

What gets me is that people do know better. Technology is the only area of life I can think of where we let people get away with this.

Think about this: Just about everybody knows to lock the doors to their houses. They may not always do it, but they know they’re supposed to do it. It’ the same with cars: People know to turn them off, take the keys out, and lock the doors. Most people know better than to leave the car unlocked and running in the parking lot while they go shopping, because if they do, it probably won’t be there when they get back. And they certainly wouldn’t hand over their keys to anyone and everyone who asked for them. Yet pretty much any site on the Web can ask for something very nearly equivalent to that, and by default, the browser will allow it.

Admittedly, I may be making the problem sound worse than it is. Most of the software that is run in this manner is perfectly harmless, or at least not doing anything more harmful than tracking users to show them targeted advertisements. Moreover, at least in theory, there are limitations in place to keep these kinds of software from being able to do too much damage. However, I strongly recommend against depending on this. Most people probably wouldn’t let just anyone do just anything to their cars, even if they trusted the one doing the tinkering not to do anything deliberately harmful and trusted the car to limit the damage.

So why is that people take risks with their computers they wouldn’t take with their cars? I still think that it’s mainly a desire not to have to think about technology in order to make it work. That sounds like I’m accusing people of laziness, and maybe laziness is probably a part of it, but I actually can’t blame anyone for feeling that way. For one thing, security is an intimidating topic, whether you’re talking about computer security or any other kind. Blocking potentially harmful elements isn’t exactly trivial, either. (Firefox, for instance, doesn’t even allow JavaScript to be disabled from the Options menu anymore, for fear that a user will unwittingly “break” something—another example of the self-fulfilling prophecy.)

Additionally, there’s an education problem: People can’t understand the risks involved with using the Web unless someone explains it to them. After all, just surfing the Web while not deliberately blocking anything doesn’t sound any more risky than going out in public and walking around. Yet it seems to me that the industry doesn’t make much of an effort to explain it, and they probably won’t because it’s not in tech companies’ best interests. Vendors are too invested in their mythical ease of use to admit that using things safely requires a little time and effort to be spent up-front. Moreover, they face a lot of pressure from (or, in some cases, are) advertisement companies that have a financial interest in being able to track users to show them targeted ads.

After all this, what would I have people do? First, and foremost, I urge people to take some time to get a basic understanding of how the Internet works and what kinds of dangers it presents. This burden can’t rest completely on the shoulders of non-technical end users; people who already have in-depth understanding need to be able to explain it simply and quickly. After that, I recommend sticking to the principle of not letting anything run on your computer unless you know what it is and you know you need it. Makers of Web browsers (and other software) ought to make this easier than it is, but it will still take some time and effort. Tools like AdBlock Plus, NoScript, and Ghostery can be helpful here, though even they shouldn’t be trusted implicitly.

Nothing I’m suggesting is fool-proof, of course. The vast majority of computer users aren’t going to become security experts, and it would be wrong of me to expect them to. Computer security is really hard to understand, and even harder to implement correctly. However, I would argue that the same is true of physical security, and that doesn’t stop people from taking basic precautions. After all, people haven’t given up on locking their car doors just because smash-and-grab theft is possible.

Here’s the bottom line: People should be willing to spend the time, thought, and effort to use their technology safely, and using technology safely shouldn’t be as time-consuming, confusing, and difficult as it often is.

Categories: Security, Software Tags: