On 5/18/2010 9:54 AM, johnjbarton wrote:
>
> I mean that starting a design from the point of view that the users have
> faulty judgment will almost certainly lead to software that fails.

The judgment starts when the user chooses the app. In effect the designer is saying "The user, by selecting my app, is validating the way my app handles the security-convenience tradeoff." If users actually preferred and selected apps on the basis of security first, we might be having a different conversation.

> It
> positions the designer as a superior being and the users as cattle to be
> herded in directions deemed important by the designer.

As I see it, there are (broadly) two classes of users with competing interests:

1. "The unwashed masses". I think a large mass of research shows that the great majority of users, in fact, do not have the same ability to judge the relative risk and security implication of such things as bypassing a cert warning page. This is not to demean them. More than likely they are experts in some other, perhaps more useful, area.

B. "The careful and competent admin". I believe that there is a group of users who understand PKI and network security and are quite concerned with maintaining the security of their connection. For example, I have been told that newer networking equipment is moving away from SSH-to-command-line to web-based configuration. I would hope that admins of core internet routers are not now subject to phishing! However, I have also been repeatedly assured that this person doesn't exist.

> In fact, both the
> security system designer and the users are humans with entirely
> equivalent ability to make judgments.

Is there evidence for this, or are you perhaps being a bit of a romantic idealist? I, for one, would like my security systems designed by those who know more about it than I do.

> The concluding sentence citing Felten gets right to the heart of the
> problem. Felten poses a false choice, then revels in the foregone
> conclusion: stupid users, they would pick dancing pigs because they are
> so stupid, while we, sage security folk, would know to pick security.

It's more complicated.

I would choose to view the dancing pigs, because the technology is supposed to make that a safe thing for me to do. I would not, however, enter any important credentials after clicking through the cert warning. I would find it hard to explain the reasoning to my grandmother.

But this is becoming increasingly confused as well. Viewing "documents" with Adobe software clearly carries risk as well. Ensuring the identity of the site you're connecting to doesn't do much to protect you from this risk, since the site itself may be compromised.

> If users choose to disregard or subvert security systems, the problem is
> with the system. It is irrational to think that the problem is user's
> faulty judgment.

The fundamental problem is that it's inherently a hard problem. Biological systems have had billions of years to work out this "identity" thing and they still do it imperfectly.

If you've got a better model for any identifiable subset of users, don't keep it to yourself.

- Marsh

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto