Security <-> Usability
"It does what I want with no fuss" and "it does ONLY what *I* want" have always been at opposite ends of a sliding scale. Nope, too long for a bumper sticker. Now how are the masses going to understand?
At the end of April my home was broken into by a professional who silently and systematically looted my residence of all my portable wealth while I slept. In the morning, as I looked around for a phone to call the cops (there wasn’t one, so I had to Skype them from a desktop machine), I saw he’d used an entrance that offered …
As, indeed, Mr. Schneier has pointed out. As he also pointed out:
this would only be a domestic solution to an international problem... attackers can just as easily build a botnet out of IoT devices from Asia as from the United States.
What he has also said is that governments themselves must be behind some of the lower-profile but steadily-growing attacks on key bits of Internet infrastructure. My conclusion from that is governments may well see an interest in the widespread deployment of devices that can be exploited for surveillance or active hostility.
I think we've seen that governments are not fond of devices and systems that are beyond their control and I'm sure if there is any regulation of security, it will include a stipulation for government access that will effectively undermine its purpose.
Unfortunately, the world is run by marketing, not engineering. Marketing is only thoughtful when it involves short-term profits, wouldn't understand security if it bit them in the ass, and is completely mystified by the concept of design. Other than that, I think your concept has legs.
"Unfortunately, the world is run by marketing, not engineering" - have mentioned elsewhere on here before about an acquaintance who is studying marketing, as it's the only important subject for a degree, not like boring engineering or pointless arts subjects ... don't let her hear what you're saying, she'll take it as proof she's right !! [not only can she not change a lightbulb without advice - or, it turned out, go out and buy one without help - but she just doesn't do sarcasm .. ]
This is true. Any solution that doesn't appeal to the masses is a failure. FOSS is a hard requirement, but it still has to be 'marketable'.
"No more passwords" would be a huge selling point.
I think storage is the place to start. Imagine a 'cloud storage' system that's actually secure and fully controllable by the user. Client-side key-based encryption. Key-based sharing / group access too. Clean, simple protocols. Servers only handle storage & retrieval of encrypted blobs, having just enough metadata for compartmentalization, just granular enough for efficient access & replication. Backends for existing storage options. Filesystem drivers, web APIs, etc, for compatibility with existing applications.
Make it easy for idiots to encrypt & backup their data. Kill off the proprietary cloud services. Once people get used to key-based access, extend it to everything and kill off passwords.
You could have doors that auto shut, unless physically put in a locked open position. The locks themselves would never have a "latch" position, defaulting to lock on closure.
And the house would be much more secure. Then that fateful time, on a cold winter's day, you are late putting the bins out and BANG! You find yourself locked out, freezing cold, because the door has closed behind you, auto locked, and the key is in the key safe next to your bed.
As said, it's convenience vs security.
Default passwords are like having a £3 lock on the door, pretty pointless. Whereas having to type in a 30 character alphanumeric password that expires every 15 days is like having a door with 20 high security, auto securing deadlocks. Secure, but an utter pain in the arse.
"You could have doors that auto shut, unless physically put in a locked open position. The locks themselves would never have a "latch" position, defaulting to lock on closure."
How many doors do people have that it would be worth doing that in case you forgot one? Seriously, I live in an old building with seven outside doors. That's really unusual, but I keep most of them locked and the front and back door are locked and unlocked as needed. I can't imagine someone not being able to keep track and simply locking a few doors when they go out or to bed.
I think the AVM FritzBox has something like a "physical handshaking" process. You can buy (could, at least) USB WLAN sticks to go with the access point. To configure them for your network, you would plug them into the FritzBox. This would load the SSID and authentication information onto it (supposedly, I don't own their stuff). This sounds like a no-fuss process, very accessible, very simple. Unfortunately not so easy to do this with a phone or 'slab. Especially if some companies insist on having a very strange connector, the design of which they also change, rendering equipment useless.
Yes, this is not a perfect method, but if somebody has physical access to the network equipment that should not have it you have other problems.
"I think the AVM FritzBox has something like a "physical handshaking" process. You can buy (could, at least) USB WLAN sticks to go with the access point. To configure them for your network, you would plug them into the FritzBox. This would load the SSID and authentication information onto it (supposedly, I don't own their stuff). This sounds like a no-fuss process, very accessible, very simple. Unfortunately not so easy to do this with a phone or 'slab. Especially if some companies insist on having a very strange connector, the design of which they also change, rendering equipment useless."
NFC comes to mind. Easy, cheap, extremely short range (almost contact only, if you want), and good enough for home routers and such.
I think devices should force you to change the password the first time you login. New router, well, it should take over the DNS and force you to login the first time. Annoying? Yes. Security enforced: Yes, but of course if you force someone to use a long password (12+ chars), and it doesn't match anything on a common list like, "correcthorsebatterystaple"
And where exactly would you store that glorious "common list" in the world of routers that are unable to run the latest OpenWRT due to not having enough storage to keep it? Unless of course you want the router to immediately send your proposed password to a perfectly safe and reliable (of course) server somewhere on the internet, for a "commonness check"...
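On the storage question raised above: a "commonness check" does not need the list itself on the device, nor a round-trip to a server. A Bloom filter holds membership of a large list in a few bits per entry at a chosen false-positive rate (sized by the usual formula, a 100,000-entry list at 1% false positives needs roughly 120 KB, a 10,000-entry list about 12 KB), with no false negatives, so a password that really is on the list is always rejected. The following is an added example, not code from the original thread or from any router firmware; the ten-entry password list is constructed for illustration and a real build would load a published leaked-password list at firmware build time.

```python
import hashlib
import math

# Constructed sample of "common" passwords; a real deployment would load a
# published top-N leaked-password list when the firmware image is built.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "admin", "letmein",
    "correcthorsebatterystaple", "iloveyou", "welcome", "monkey",
]


class BloomFilter:
    """Fixed-size probabilistic set: no false negatives, bounded false positives."""

    def __init__(self, capacity, error_rate=0.01):
        # Optimal sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hash functions.
        self.m = max(8, math.ceil(-capacity * math.log(error_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Derive k bit positions from one SHA-256 digest using double hashing:
        # h_i = h1 + i * h2 (mod m), with h2 forced odd so the stride never collapses.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))

    def size_bytes(self):
        return len(self.bits)


def build_filter(passwords, error_rate=0.01):
    """Build the filter once at image-build time; only the bit array ships on the device."""
    bf = BloomFilter(len(passwords), error_rate)
    for p in passwords:
        bf.add(p.lower())  # normalise case so "Password" matches "password"
    return bf


def is_common(bf, candidate):
    """True if the candidate is (probably) on the list; never False for a listed password."""
    return candidate.lower() in bf


def false_positive_rate(bf, probes):
    """Measure how often non-members are wrongly flagged (all probes must be non-members)."""
    hits = sum(1 for p in probes if p in bf)
    return hits / len(probes)


def storage_for(n, error_rate=0.01):
    """Bytes the on-device bit array needs for n entries (hypothetical sizing helper)."""
    return BloomFilter(n, error_rate).size_bytes()


if __name__ == "__main__":
    bf = build_filter(COMMON_PASSWORDS)
    for pw in ["correcthorsebatterystaple", "Password", "Tr0ub4dor&3-xyz"]:
        print(pw, "->", "rejected (common)" if is_common(bf, pw) else "accepted")
    print("100k-entry list at 1% FPR needs", storage_for(100000), "bytes")
```

The trade-off a practitioner should note is the direction of the error: a false positive only forces the user to pick a different password, while a false negative (impossible here) would let a listed password through. Keeping the check on the device also avoids sending the proposed password anywhere at all.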
Ignoring hassle: in the case of a house burglary, the insurance company. These are in the position to push through a change; no (or reduced) payouts if the door locks are inadequate. The sell is reduced premiums to the householder. Properly done it will encourage the householder to make a one-off investment in locks for a multi-year drop in premiums.
Unfortunately: the marketing department shouts loudly about the lower premium and hides the good lock requirement on page 35 of the T&Cs; it is only pointed out after the theft.
Opportunity lost - squandered by marketing and that most people don't read T&Cs.
Much the same with our electronic bling: ease of use and price are seen as the draws. How to make it secure comes many pages after the instructions of how to view cuddly kittens.
Losses are less obvious unless someone grabs your banking details or similar. Many still take the view that the loss will be picked up by the bank; I have friends who proudly tell me that they use the same 3 passwords everywhere - even as I tell them that this is stupid.
Banks are refusing to cover some scams, but so far it is often seen as ''something that happened to someone else'' and that they will be OK ... anyway the next Bake Off is about to be aired.
But alarms are fecking useless...
More effective if you replace the normal audio with a track that plays someone screaming.. Young woman is best for effect.
Though it will cause some neighbours to cower in their beds. Knowing the track I picked, I wouldn't blame them. I also wouldn't want to run from the house when it is going as you can guarantee that someone will be out there with a baseball bat or axe to try to defend their neighbourhood/save a life/be a hero... (well, for appearances' sake anyway)
"More effective if you replace the normal audio with a track that plays someone screaming.. Young woman is best for effect."
No, because then you'll just deaden people to screaming. It's like with car alarms. They're loud and annoying by design (for the same reason, to draw attention to it), but because of all the false alarms, people start ignoring them. Trip a bunch of false scream alarms, and you'll end up with a case of Cry Wolf Syndrome; people will stop turning up when genuine screams are heard.
Basically, ANY notification system in the world can be trolled to produce Cry Wolf Syndrome.
Two dogs for physical break-ins, a Mikrotik for broadband ones.
Fortunately our ISP allows us to own our own equipment rather than forcing us to lease. Although we cede control of the plain vanilla cable modem (set to bridge mode) to them, we've got a firewall/router (RB2011UiAS-2HnD) in between it and the rest of our home network. And yeah, it took some effort to configure beyond the defaults: but so does setting up a new TV. The biggest problem as always is inadequate documentation. Engineers write awful doc, and professional technical writers aren't much better. Both groups seem to aim for the same goal as my teenage sons, TBFM (The Bare F*ing Minimum). Here are three hints for better doc: EXAMPLES EXAMPLES EXAMPLES!
I'd check that if I were you. Not having the right door locks (in the UK, a 5 lever British Standard door lock on a wooden door, or a multipoint lock on plastic) *invalidates* your insurance, whilst an alarm or not gets you a 15% discount which generally isn't worth the cost of the monitoring required!
IoT gear should not have a password until you boot it for the first time. I came up with "4 simple rules for IoT development" on Twitter after a challenge. That was number two.
"Ok, 4 simple IoT rules? I'll try: Close all unnecessary ports. No default password (prompt at 1st boot). Make firmware updates possible. Have an ID on device to link back to manufacturer & manual/website for tech & update support."
The problem is that most end users either do not understand the risk, or do not care about the risks, as obviously "the security types are shroud waving again".
Even if users are provided with standards, if the standard involves effort (sliding the bolt on the door) there is no guarantee that the standard will be followed.
In the UK at least, if you get a router from BT or Virgin Media then your default SSID password is set to a unique value on a sticker affixed to the device. This presumably corresponds to a value flashed into the hardware at manufacture. By default at least the SSID passwords are unique and non-guessable.
You can reset it to your own choice (subject to password complexity requirements) if you want, but a reset of the device will set it back to that unique password on the sticker.
Of course, that doesn't help if someone has physical access to the device or if there are other backdoor logins with weak/common passwords in the device that the ISP can use for remote admin...
Plus it doesn't help if the manufacturer is on razor-thin margins such that 2-3 cents per devices pivots it into unprofitable. And yes, many DO run on razor-thin margins as it's the ONLY way to compete. And that's against companies that have alternate revenue streams and can actually loss-lead.
"Plus it doesn't help if the manufacturer is on razor-thin margins such that 2-3 cents per devices pivots it into unprofitable."
Which is why some of us keep saying the solution is to make such security provisions mandatory. You want to sell your stuff here? This is what you have to do.
To some extent it levels the playing field - those costs are common to all products. And for manufacturers who can't afford that, maybe they're best kept out of the market. If they were selling cars would you consider it acceptable to omit brakes to enable them to compete on price?
"Which is why some of us keep saying the solution is to make such security provisions mandatory. You want to sell your stuff here? This is what you have to do.
To some extent it levels the playing field - those costs are common to all products. And for manufacturers who can't afford that, maybe they're best kept out of the market. If they were selling cars would you consider it acceptable to omit brakes to enable them to compete on price?"
You ever thought about the Law of Unintended Consequences? Instead of keeping them out, you'll just move them to the lawless badlands of the gray and black markets. If people want them badly enough, they'll be provided in spite of God, Man, or the Devil. See Prohibition.
The problem is that BT routers have 'BT' in the broadcast name, Virgin has 'VM', e.g. VM997772-2G. You get the idea.
Having the ISP name in the broadcast name makes the hacker's job an awful lot easier.
My router used to have the network name of 'EffOff' just to make it different. Now it does not broadcast a name at all.
> > My router used to have the network name of 'EffOff' just to make it different.
> In the next street to mine there's an SSID of "Get your own fucking WiFi!"
Lately I've been fine-tuning the settings on our wireless devices, and noticed the appearance of the ESSID "WiFiDetectorVan".
:)
@Steve Davies 3: "now it does not broadcast a name at all."
Hiding your network name from beacons does not appreciably add to security. The problem is that the Probe Request, Probe Response, Association Request, Association Response, Reassociation Request and Reassociation Response frames contain the SSID in the clear. All an attacker has to do is listen for one of those frames.
If he doesn't have the patience to wait for a new device to connect, he can send Probe Request frames to the Access Point. If the AP is configured to ignore Probe Requests that don't contain its SSID, all the attacker has to do is identify a device that is already connected, forge a Disassociate message from the AP to that device, and wait for the device to send a Reassociation Request.
Hiding the network name also has another downside - if your device is configured to connect automatically, it will send Probe Requests with your network name whenever it's not connected to something else, so leaking the name of your network if you're out of range.
now it does not broadcast a name at all.
Which is actually a negative level of security added.
Setting the SSID to hidden doesn't actually hide the SSID from anyone who wants to see it. In actual fact, it makes it get broadcast more often under many circumstances - just not in a way that makes it appear in normal users' WiFi list.
Why ? Because if you hide it, every device that you join to it must then broadcast to find it - in effect shouting "Is the network 'EffOff' around ?" Thus instead of one router advertising your SSID, each of your devices will be doing it - IIRC they'll be doing it all the time, when not connected they will be trying to connect, when connected they will be looking for other base stations that might have a better signal to roam to. For bonus points, your mobile devices will use more battery power as well.
So any WiFi analyser will show the hidden SSID network exists, it takes naff all effort to actually find out what that SSID is.
But, this is all academic anyway - unless the hacker is in close proximity then they won't be trying to connect to your WiFi. Hard to do that from half way round the world.
Unless you are a geek, a nerd, or actually work in IT you probably look at any piece of tech as a white good.
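The two comments above make the same point from different angles: a "hidden" SSID is only removed from the beacon, while probe requests, probe responses and (re)association requests still carry it as a plain SSID information element, and clients looking for a hidden network send it themselves. The small parser below is an added example (not code from the thread, from Mikrotik, or from any router vendor) that walks the IEEE 802.11 management-frame layout (24-byte header, the per-subtype fixed fields, then ID/length/value elements) and reports which frame types expose which SSID. The frames it inspects are constructed inline from the format, not captured; the MAC addresses are locally administered placeholders, and a defender would feed it real monitor-mode captures instead.

```python
import struct

# 802.11 management subtypes (frame control type 0) and the length of the fixed
# fields that precede the information elements in each one.
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
                 4: "probe-req", 5: "probe-resp", 8: "beacon", 10: "disassoc"}
FIXED_FIELD_LEN = {0: 4,    # capability(2) + listen interval(2)
                   1: 6,    # capability(2) + status(2) + AID(2)
                   2: 10,   # capability(2) + listen interval(2) + current AP(6)
                   3: 6,
                   4: 0,    # probe request: elements start immediately
                   5: 12,   # timestamp(8) + beacon interval(2) + capability(2)
                   8: 12}
SSID_ELEMENT_ID = 0
HDR_LEN = 24  # frame control, duration, addr1, addr2, addr3, sequence control


def build_mgmt_frame(subtype, src, dst, ssid, hidden=False):
    """Construct a minimal management frame (constructed test data, not a capture)."""
    fc = struct.pack("<H", subtype << 4)          # version 0, type 0 (management)
    bssid = src if subtype in (5, 8) else dst      # addr3 is the BSSID
    hdr = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    fixed = bytes(FIXED_FIELD_LEN[subtype])        # zeroed fixed fields are enough here
    ssid_bytes = b"" if hidden else ssid.encode()  # hidden AP beacons carry a zero-length SSID
    ies = bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported-rates element, as filler
    return hdr + fixed + ies


def parse_ssid(frame):
    """Return (subtype name, SSID). SSID "" means hidden/wildcard; None means no element."""
    if len(frame) < HDR_LEN:
        raise ValueError("frame too short for a management header")
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
    if version != 0 or ftype != 0:
        return None, None                          # not a management frame
    name = MGMT_SUBTYPES.get(subtype, "mgmt-%d" % subtype)
    if subtype not in FIXED_FIELD_LEN:
        return name, None                          # e.g. disassociation: no SSID element
    pos = HDR_LEN + FIXED_FIELD_LEN[subtype]
    while pos + 2 <= len(frame):                   # walk ID / length / value elements
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            break                                  # truncated element, stop cleanly
        if eid == SSID_ELEMENT_ID:
            return name, data.decode("utf-8", "replace")
        pos += 2 + elen
    return name, None


def ssids_seen(frames):
    """Defender-side inventory: which names are visible in clear, and in which frame types."""
    seen = {}
    for f in frames:
        name, ssid = parse_ssid(f)
        if ssid:
            seen.setdefault(ssid, set()).add(name)
    return seen


def sample_frames():
    """A hidden-SSID AP and one client joining it (all constructed, placeholder MACs)."""
    ap, client, bcast = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
    return [
        build_mgmt_frame(8, ap, bcast, "EffOff", hidden=True),  # beacon with SSID suppressed
        build_mgmt_frame(4, client, bcast, "EffOff"),           # client asks for it by name
        build_mgmt_frame(5, ap, client, "EffOff"),              # AP answers with the name
        build_mgmt_frame(2, client, ap, "EffOff"),              # reassociation repeats it
    ]


if __name__ == "__main__":
    for f in sample_frames():
        print(parse_ssid(f))
    print(ssids_seen(sample_frames()))
```

Run on the constructed exchange, the beacon yields an empty SSID while the other three frames all carry "EffOff" in clear, which is exactly why hiding the name changes who says it, not whether it is said. Pointing `ssids_seen` at a real capture is a quick way to audit what a site's own devices are revealing.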
You don't need to update the firmware on your fridge or microwave (IoT nonsense avoided) so why should you need to on anything else? Things should just work.
I know more than a few people who think it's ridiculous that a car should need to be serviced, again "it should just work".
Manufacturers passing the buck to non-technical customers are doing just that: passing the buck for their poorly implemented products.
"Manufacturers passing the buck to non-technical customers are doing just that: passing the buck for their poorly implemented products."
They're passing the buck because that's what customers want. At least with cars they run on government-run-and-regulated roads. But a router runs in the privacy of one's home, so how are you going to possibly enforce an Internet license?
You know, if I give someone the keys to my car and let them go for a drive - no one gives a shit.
You know, if I give someone the keys to my house to feed the cat - no one gives a shit.
If I give someone my logon password so they can get a document from my home drive - everybody freaks the hell out!
However, if you left the keys on a wall outside the house, with a note saying 'help yourself' you would have little comeback when the car was stolen / emptied / trashed. No insurance payout, and no-one would be impressed by 'but it never said i should not leave the keys right next to the car'
Which is pretty much like using an easily hacked device.
I have slept through a battalion attack involving 30 M60 LMGs, roughly 500 rifles, a helicopter, and the battalion quack playing the bagpipes, lots of grenade & artillery simulators as - well mind you this was at dawn of day 10 of a 10 day exercise where I was getting 2-3 hours sleep in any 24 hour period. I was woken by the none too gentle tapping on my boots - after uttering the appropriate greeting (f-off) I opened my eyes to see the RSM & CSM - cost me 6 months of duty when back in the barracks - sigh
cost me 6 months of duty when back in the barracks
Work as an indentured servant of the State (the health of which is war) will make your life hell. Ok.
But as a civvie in a non-warzone bedroom?
As in a Spaghetti Western, all should be quiet, with crickets chirping. But when you get woken as dark doings are afoot, a boomstick should be in your hand immediately, with an audible click indicating the cocking of the hammer.
Hands up: How many of us have had an update take something from a working to a non-working state?
Or had the UI needlessly changed because of an update?
Most users see updating as something that breaks what works, adds crap they don't need nor want, and makes their device harder to use. Of course they're not going to run the updates.
"Or had the UI needlessly changed because of an update?
Most users see updating as something that breaks what works, adds crap they don't need nor want, and makes their device harder to use. Of course they're not going to run the updates."
Mozilla, I AM looking at YOU!!!!
So what happens when you're caught between Scylla and Charybdis: you CAN'T update because it'll break, but you MUST update because it's already broken, and you're obligated to use the device for legal, contractual, or practical (as in it's the ONLY one that'll work with your setup) reasons?
But the money's not there. Customers want the job done FIRST, secure somewhere below that (especially if, like it usually does, it INTERFERES with getting the job done).
Yup. How many people would prefer to log in automatically to an admin account so that on those rare occasions where they install a program, they don't have to take the whole extra couple of seconds to type in an admin password? My longest password in current use is in the 15-20 char range covering most of the keyboard, and it takes me about 3 seconds to type. How much of my life have I wasted watching 10 minute software installs every few months because of those extra 3 seconds? I could've done so much in that time! Why, that's a whole extra 10 seconds of sitting idly on my arse every single year! So much effort to type that in....
(FTR, decent AV, separate user/admin, and I question anything that causes me to be asked for my password)
"Yup. How many people would prefer to log in automatically to an admin account so that on those rare occasions where they install a program, they don't have to take the whole extra couple of seconds to type in an admin password? My longest password in current use is in the 15-20 char range covering most of the keyboard, and it takes me about 3 seconds to type. How much of my life have I wasted watching 10 minute software installs every few months because of those extra 3 seconds? I could've done so much in that time! Why, that's a whole extra 10 seconds of sitting idly on my arse every single year! So much effort to type that in...."
Ever thought many people have to do this MUCH more often? Why do you think UAC was panned so much? Does the term "click fatigue" spring to mind? What about having so many passwords you can't remember them all (and you can't use a mnemonic because you forget the mnemonic) and a manager is not an option because the computer's communal? Too many people these days are suffering from a chronic case of Information Overload and just wish the KISS principle could be applied to everything to stop the insanity. Flip a switch and be done with it, thank you! Some people even feel locks on the front door are too much work.
"What about having so many passwords you can't remember them all "
Absolutely.
When I read this, I just started to do a mental rundown of all the systems that I use or have used (that if I could remember my login credentials I could probably still access), and the number was huge. Admittedly, I work in IT for a large organisation that has a stupid IT system (separate AD and LDAP systems that overlap common environments, each using their own username/password combinations, 3 AD environments, 6+ LDAP environments), plus many legacy apps that don't use EITHER of those so maintain their own in-built username/password databases...
But if we consider the non-work related ones (because that adds over 100 separate systems...).
Financial accounts, banks, credit cards, store cards, mortgage accounts, utilities (electricity, phones, ISPs) and so on, that's at least a dozen, probably more I can't think of right now.
Online games/gaming (MMO's, steam, etc.), a score or more.
Various news/blog sites, e.g. TheRegister, AnandTech and what not, each with separate forum/commenting logins, another score or so.
Email, some frequently used, others rarely used (for signing up to suspicious sites, e.g. pr0n etc), that's another half a dozen.
Some accounts I have to have but don't really use, e.g. google accounts for my phone that I don't use for anything else apart from my phone/tablets. Another 2 or 3 of those.
Some rarely used social media accounts, 3 or 4 of those.
Online stores (e.g. Amazon, eBay, online grocery ordering, Kickstarter), that's gotta be at least another score right there, probably many more that I've used for one-off purchases and am never going back to.
My home IT equipment, router, modem, 2 WiFi APs, phone, tablet, 2 laptops, desktop, media center, NAS, WiFi passwords (mine plus friends WiFi etc.), a dozen or more.
And these are just the ones I'd use at least every 6 months. I've got dozens, hundreds I signed up to for a once-off (commenting on an article on a site I rarely visit or usually don't comment on, but I had to comment on something that time) or old services I used to use but don't anymore (old ISP email accounts floating around from the half a dozen ISPs I've had over the years, etc.).
My head's gonna explode I think....
Not many places support them anymore because true high-security settings don't trust ANY external hardware. Plus it doesn't solve the problem of hard password rules which the key wouldn't be able to negotiate.
Look, what's needed is a solution for people with bad memories and no way to store loads of passwords other than their defective brains.
...Thoughtful security by design would go a long way....
...but not far enough.
If something is insecure - say, uses default password '1234' - it's fairly easy for any malicious user to hack you.
If something is secure by design, it needs a deep investigation by skilled hackers to find a vulnerability. There will always be several in a complex system - it's just a question of how hard it is to find them. That sounds good. The bar has been raised. Only a few highly-skilled hackers can possibly attack you....
But.... the skilled hackers write their attack routine into a script. And publish it on the Web. And now it's fairly easy for any malicious user to hack you again....
That's been the catch. Once something has been broken into ONCE, the technique used to break in can be re-tuned as needed to evolve to cover variants. It's a difference in degree but not in kind. It's like how once the Java sandbox was broken, most any sandbox can be easily broken now. It's only a matter of time before the same thing happens to VMs. Plus the human angle is always available. After all, locks can't do much if someone manages to copy the keys.
I'm pretty sure expecting things to "just work" isn't laziness, it's... er... how things are supposed to work.
When you get in a car, you start it, and it "just works".
When you turn on your TV, it "just works".
When you buy a new fridge, it "just works".
Stuff "just works".
Expecting techie stuff to "just work" isn't laziness, it's a reasonable expectation.
What we need is *better* techie stuff that is secure(ish) by default and doesn't need any special setup from the user.
And we actually have that for home Wi-Fi routers, it's called "Wi-Fi Protected Setup". Why we're still relying on passwords 10 years after having a much better solution is beyond me.