NIST: People have given up on cybersecurity – it's too much hassle

Online security for the general public is just too much bother. According to a study released on Tuesday by the US National Institute of Standards and Technology (NIST) and published in IEEE's IT Professional, people are overwhelmed with messages about online perils and have just given up. The result, as the study puts it, is …

  1. Throatwarbler Mangrove

    This should be good

    I await the torrent of comments to the effect of "Well, if they don't know how to use a computer correctly, they deserve what happens to them." Because that's helpful.

    1. Anonymous Coward

      Re: This should be good

      The article isn't really about if the user understands how to use a computer, it's sort of about if the computer understands how to use the user, that in one way or another is supposed to learn from the user. There's just way too much shit that is being convincingly sold to people. Every meeting that has revolved around technology planning seems to always have that catch phrase of "We need something like that." With that many somethings coming to exist, something was a bad security idea (or honestly just an all around bad idea). If you read the lines of the latest IoT "future" talk, future software is apparently to remove your privacy, choices and cash. So talk of security is talk of sales loss.

      1. P. Lee

        Re: This should be good

        When you do go into a corporation to talk about security, it's the opposite of what the cloud wants.

        We talk about data and application segmentation. At a personal level, does Skype need access to all the email addresses in your address book, or just the Skype handles and display names? Does your browser process need access to your home directory, or just your downloads directory? What does VLC need write access to? Should it have access to all internet URLs or just the local network? Do we need two instances, one which has access to the internet, but not local resources; and one which has access to local resources, but not the internet? I'm inclined to think that this sort of pre-emptive security would be far better than the current AV "scan all access" approach. AppArmor is a start but we need GUI support and an easier way for users to change settings. Something more like a "PortableApps" + BSD jails + other stuff.

        How about having multiple identities? App X wants my details? No problem, here are the details in a standard format, which I can just pick for this App/website, all taken from one of many such id caches I use.

        Until we can lock applications down easily, we'll keep worrying that a Flash zero-day can use a screen-saver reconfiguration module to elevate privileges. That shouldn't be an issue and it stops vendors focusing on the really serious problems, like ensuring critical system calls are securely coded.
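
The per-application confinement P. Lee asks for (VLC reads media, writes only its own config, touches no network) can be written down today as an AppArmor profile. The profile below is an added example for this page, not from the comment and not a profile any distribution ships; the binary path /usr/bin/vlc, the abstraction names and the directory layout under $HOME are assumptions to adjust for a real install.

```apparmor
# Added example profile for this page (not a shipped profile).
# VLC: read media under $HOME, write only its own config/cache, no network.
#include <tunables/global>

/usr/bin/vlc {
  #include <abstractions/base>
  #include <abstractions/audio>
  #include <abstractions/X>
  #include <abstractions/fonts>

  # The program and its plugins: read + map only, never write.
  /usr/bin/vlc                  mr,
  /usr/lib/vlc/**               mr,
  /usr/lib/**/vlc/**            mr,

  # Media the user asked it to play: read-only ("owner" = files the
  # invoking user owns, so a shared machine's other accounts stay out of reach).
  owner @{HOME}/Downloads/**    r,
  owner @{HOME}/Videos/**       r,
  owner @{HOME}/Music/**        r,

  # The only places it may write: its own config and cache.
  owner @{HOME}/.config/vlc/    rw,
  owner @{HOME}/.config/vlc/**  rw,
  owner @{HOME}/.cache/vlc/     rw,
  owner @{HOME}/.cache/vlc/**   rw,

  # Spell out the crown jewels so a denial is logged rather than silently
  # falling through to the implicit deny.
  deny @{HOME}/.ssh/**          rwkl,
  deny @{HOME}/.gnupg/**        rwkl,

  # No network at all. AppArmor cannot say "local subnet only"; for the
  # comment's "LAN-only" instance, run a second profile inside a network
  # namespace whose only route is the LAN.
  deny network,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.vlc`, run it in complain mode first (`aa-complain /usr/bin/vlc`) and read the `apparmor="DENIED"` lines from `journalctl -k` to find what the application legitimately needs before switching to enforce. The "two instances" idea in the comment maps onto two profiles and `aa-exec -p <profile> -- vlc` to pick one at launch.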

        1. Charles 9

          Re: This should be good

          "Until we can lock applications down easily, we'll keep worrying that a Flash zero-day can use a screen-saver reconfiguration module to elevate privileges. That shouldn't be an issue and it stops vendors focusing on the really serious problems, like ensuring critical system calls are securely coded."

          Locking down is easier said than done since the nastiest exploits simply find ways around the locks. What man can code, man can code around, which is why we have things like Return-Oriented Programming that uses existing code in cleverdick ways.
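
Charles 9's point is that an attacker does not need to inject code when the binary already contains usable fragments. The script below is an added example for this page (not from the comment and not taken from ROPgadget, ropper or any other tool): it scans an x86-64 byte blob for the simplest gadget class, `pop REG; ret`, and lays out a stack that loads two argument registers before returning into a target. The byte blob and addresses are constructed for the example, not read from a real binary.

```python
"""Minimal x86-64 ROP gadget finder (added example, not from the page).

Looks for the two simplest gadget shapes an attacker wants for staging
call arguments from a controlled stack:

  pop rax..rdi ; ret      58..5f c3
  pop r8..r15  ; ret      41 58..5f c3     (REX.B prefix selects the high regs)

Real tools disassemble at every offset; this sticks to fixed opcode
patterns so it runs with no dependencies.
"""
from typing import Dict, List, Tuple

POP_REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
POP_REGS_EXT = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
RET = 0xC3

Gadget = Tuple[int, str]  # (address, mnemonic text)


def find_pop_ret_gadgets(code: bytes, base: int = 0) -> List[Gadget]:
    """Return (address, text) for every 'pop REG; ret' found in `code`.

    `base` is the load address added to each offset so the result can be
    dropped straight into a chain. Overlapping matches are all reported:
    x86 instructions may begin at any byte, so "41 5e c3" yields both
    "pop r14; ret" at +0 and "pop rsi; ret" at +1.
    """
    found: List[Gadget] = []
    n = len(code)
    for i in range(n):
        b = code[i]
        if 0x58 <= b <= 0x5F and i + 1 < n and code[i + 1] == RET:
            found.append((base + i, f"pop {POP_REGS[b - 0x58]}; ret"))
        if b == 0x41 and i + 2 < n and 0x58 <= code[i + 1] <= 0x5F and code[i + 2] == RET:
            found.append((base + i, f"pop {POP_REGS_EXT[code[i + 1] - 0x58]}; ret"))
    return found


def build_chain(gadgets: List[Gadget], wanted: Dict[str, int], call_target: int) -> List[int]:
    """Lay out stack words that load each register in `wanted`, then
    return into `call_target`.

    Raises KeyError when no 'pop REG; ret' exists for a needed register,
    which is exactly when an attacker goes looking for longer gadgets.
    """
    by_reg: Dict[str, int] = {}
    for addr, text in gadgets:
        reg = text.split()[1].rstrip(";")
        by_reg.setdefault(reg, addr)  # first occurrence wins
    chain: List[int] = []
    for reg, value in wanted.items():
        chain.append(by_reg[reg])
        chain.append(value)
    chain.append(call_target)
    return chain


# Constructed stand-in for a code section: an ordinary function epilogue
# that happens to contain gadgets nobody wrote on purpose.
SAMPLE_CODE = bytes([
    0x48, 0x89, 0xE5,        # mov rbp, rsp
    0x5F, 0xC3,              # pop rdi ; ret        <- gadget
    0x90, 0x90,              # nop ; nop
    0x41, 0x5E, 0xC3,        # pop r14 ; ret        <- gadget, and "pop rsi; ret" at +1
    0xC3,                    # ret
    0x5A, 0x90,              # pop rdx ; nop        (no ret: not a gadget)
])

if __name__ == "__main__":
    gadgets = find_pop_ret_gadgets(SAMPLE_CODE, base=0x400000)
    for addr, text in gadgets:
        print(f"0x{addr:x}: {text}")
    chain = build_chain(gadgets, {"rdi": 0x601000, "rsi": 0}, call_target=0x400999)
    print([hex(w) for w in chain])
```

The sample shows why "locking down" by scanning for bad code fails: every byte in the chain is already part of the legitimate program, and the `pop rsi; ret` gadget is not even an instruction the compiler emitted, just the tail of `pop r14`.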

        2. Stoneshop

          Re: This should be good

          How about having multiple identities? App X wants my details? No problem, here are the details in a standard format, which I can just pick for this App/website, all taken from one of many such id caches I use.

          This is more or less what Bart Jacobs (security researcher at Nijmegen University) is trialling, though his design has an identity broker sitting between the requester and the identity holder. I would have to look up his lecture notes for details, but the broker is there to avoid having direct contact between requester and holder before there's agreement over what bits of identity the requester wants to know and what the holder wants to release to this requester.
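
The broker arrangement Stoneshop describes, where nothing moves until requester and holder have agreed which attributes are on the table, can be sketched as a three-party exchange. The script below is an added example for this page, not Jacobs's design and not any deployed system: the holder keeps several identity caches (the "many such id caches" from P. Lee's comment), a policy per requester, and the broker forwards only the consented subset, tagging the disclosure with an HMAC so the requester can check it came via the broker. Requester names, caches and keys are all constructed.

```python
"""Selective attribute disclosure through a broker (added example).

Parties:
  Holder    - owns several identity caches and decides what to release.
  Requester - an app or site that wants some attributes.
  Broker    - the only party that talks to both. The requester never sees
              the holder's address or the attributes it was refused, and
              the holder sees a normalised request rather than the
              requester itself.

Illustration written for this page, not a real protocol. Keys are
pre-shared between broker and each requester by assumption.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    requester: str
    wanted: List[str]
    purpose: str


@dataclass
class Consent:
    identity: str        # which cache the holder chose for this requester
    release: List[str]   # subset of `wanted` the holder agrees to
    nonce: str


@dataclass
class Disclosure:
    requester: str
    attributes: Dict[str, str]
    denied: List[str]
    nonce: str
    tag: str


@dataclass
class Holder:
    caches: Dict[str, Dict[str, str]]
    policy: Dict[str, Tuple[str, Set[str]]]  # requester -> (cache, allowed attrs)

    def decide(self, req: Request, nonce: str) -> Optional[Consent]:
        """Step 1: agree on the subset before any value leaves the holder."""
        if req.requester not in self.policy:
            return None
        identity, allowed = self.policy[req.requester]
        release = [a for a in req.wanted if a in allowed and a in self.caches[identity]]
        return Consent(identity=identity, release=release, nonce=nonce)

    def fetch(self, consent: Consent) -> Dict[str, str]:
        """Step 2: hand over exactly the consented attributes, nothing else."""
        cache = self.caches[consent.identity]
        return {a: cache[a] for a in consent.release}


class Broker:
    def __init__(self, requester_keys: Dict[str, bytes]):
        self._keys = requester_keys
        self._counter = 0

    def _nonce(self) -> str:
        self._counter += 1
        return f"n{self._counter}"

    def _tag(self, requester: str, body: dict) -> str:
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._keys[requester], msg, hashlib.sha256).hexdigest()

    def mediate(self, req: Request, holder: Holder) -> Optional[Disclosure]:
        if req.requester not in self._keys:
            return None                         # unregistered requester: dropped
        nonce = self._nonce()
        consent = holder.decide(req, nonce)
        if consent is None:
            return None
        attrs = holder.fetch(consent)
        denied = sorted(set(req.wanted) - set(consent.release))
        body = {"requester": req.requester, "attributes": attrs,
                "denied": denied, "nonce": nonce}
        return Disclosure(req.requester, attrs, denied, nonce, self._tag(req.requester, body))


def verify(d: Disclosure, key: bytes) -> bool:
    """Requester-side check: disclosure is intact and came via the broker."""
    body = {"requester": d.requester, "attributes": d.attributes,
            "denied": d.denied, "nonce": d.nonce}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, d.tag)


# Constructed example data.
KEYS = {"skype.example": b"k-skype", "forum.example": b"k-forum"}
HOLDER = Holder(
    caches={
        "personal": {"display_name": "Alice", "handle": "alice_p", "email": "alice@home.example"},
        "work":     {"display_name": "A. Smith", "handle": "asmith", "email": "a.smith@corp.example"},
    },
    policy={
        "skype.example": ("work", {"display_name", "handle"}),   # handles, never the address book
        "forum.example": ("personal", {"display_name"}),
    },
)


def run_demo() -> List[Optional[Disclosure]]:
    broker = Broker(KEYS)
    asks = [
        Request("skype.example", ["display_name", "handle", "email"], "contacts"),
        Request("forum.example", ["display_name", "email"], "signup"),
        Request("tracker.example", ["email"], "ads"),   # never registered with the broker
    ]
    return [broker.mediate(a, HOLDER) for a in asks]


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The requester learns that `email` was denied but not why, and never learns that a "personal" cache exists at all; that separation, rather than the MAC, is the point of putting a broker in the middle.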

          1. Naselus

            Re: This should be good

            I think that this whole 'should the user understand the internal workings of the computer' debate misses the point. A lot.

            No, the user shouldn't be expected to understand APIs, network security, port forwarding, VPN tunneling, Kerberos or IPSEC, in exactly the way they don't need to understand the fundamental principles of the internal combustion engine to use a car.

            But even so, they DO need to pass a driving test to use them. The workings of the machine are not really relevant to this, which is why the modern driving test basically checks if you can change the oil and spot a flat tire and not much else. But they do need to understand how to use the machine safely. And so the test concentrates on teaching them how to safely move the vehicle around the roads without killing themselves or other people rather than giving a detailed assessment of the correct size and placement of crumple zones and accurate descriptions of the physics behind stopping distance.

            Something similar for computers would be a good idea. No, we don't need them to learn how to configure a firewall. That is an expert job for the equivalent of a specialist mechanic. But they do need to know not to drive on the wrong side of the road - don't visit 'bad' sites with no SSL certs; don't use stupid passwords, don't plug random shit of unknown provenance into your computer. They need to understand not to do these things, and they need a superficial understanding of why not - otherwise it's just arbitrary IT rules being handed down from the IT priesthood. They need to know that the 'bad cert' symbol means 'give this site no sensitive information on pain of death' rather than understand the intricacies of public-private key encryption and the relative merits of different encryption algorithms.

            Basically, there's middle ground between 'users should not need to understand anything that they use on a day to day basis' and 'only people with a PhD in computer science should be permitted to use computers', and it's not elitist or ridiculous to suggest that maybe, just maybe, allowing people who have no idea what they're doing to use potentially dangerous equipment is a bad idea.

      2. Cuddles

        Re: This should be good

        "The article isn't really about if the user understands how to use a computer, it's sort of about if the computer understands how to use the user"

        I'd argue that it's not really about computers at all, but simply how to communicate with the public. For example, it's well established that having lots of road signs actually increases danger when driving because people are either too distracted reading all the signs to pay attention to their driving, or simply ignore the signs and do their own thing because they realise it would be too distracting to read them. Removing all signs and road markings has been tried in a few places and had big benefits. That might be going too far for general use, some information is quite important after all, but making sure users only see relevant, consistent information is important in pretty much all areas of life, not just computers.

        Specifically to the article, users are currently in a very similar position as they are with road signs. Visit 5 different sites, and you'll get 10 different instructions on how to set a secure password, all of which contradict each other and none of which actually result in a password that is actually secure. Your data is then promptly stolen because it turns out everything was stored in plain text on a third party server anyway. Or see the law requiring warnings about cookies to be put on every site that uses them, which means pretty much every site. It's basically equivalent to having a sign every 100m along a road saying "This road uses", except that most drivers know what tarmac is while few have the slightest clue what cookies are. Users are constantly bombarded with information which at best is rarely explained in a way they can understand, and most of the time is irrelevant, contradictory or just plain wrong. People haven't given up on security because security itself is too much hassle, but rather that it's too much hassle to figure out which fragments amongst the deluge of wrongness and irrelevance would actually help them be secure.

      3. Runilwzlb

        Re: This should be good

        "If you read the lines of the latest IoT "future" talk, future software is apparently to remove your privacy, choices and cash. So talk of security is talk of sales loss."

        Why are people unenthused about 'computer' security? Because they have no control, it's out of their hands. What do you expect when you build always-connected devices and systems that are insecure from the ground up. Their precious phones are basically buffet tables with any and all personal and confidential info on offer to the world+dog.

        Build a device that people can't function in society without. Design the system so that no information residing on or accessible to the device can be kept from anyone, anywhere in the world, for any purpose. Then force people to put their entire lives and finances on it. And then send Captain Obvious from the NIST out to interview people about 'how they feel' about computer security. What did you expect you would find?

    2. Squander Two

      Punishment.

      > I await the torrent of comments to the effect of "Well, if they don't know how to use a computer correctly, they deserve what happens to them."

      There's always some of that, yes -- IT does seem to attract more than its fair share of misanthropes (I'm one myself) -- but I think the more prevalent attitude is simply a lack of understanding. IT people just don't seem to get that not only do most people not understand the inner workings of a computer, but that they shouldn't have to. This decision was made back when Gates and Jobs and their peers decided that computers should be mass-market machines for everyone: with that aim comes the responsibility to make them safe.

      Someone below mentioned the internal combustion engine, apparently under the impression that people who drive cars know how it works. No they don't. Neither do we need to understand cathode rays or LED tech to watch TV, or materials science to use a ceramic frying pan. And if a manufacturer were to make a frying pan that catastrophically explodes if exposed to the highest temperature on a normal hob, a bit of small print in the packaging saying "Do not use the highest temperature with this pan" wouldn't protect them from the ensuing prosecution.

      Computer firms have a choice: they can make highly specialised machines for a tiny market of specialist professionals, and trust those professionals to know what the hell they're doing -- and so leave them to clean up their own mess when stuff goes wrong. Or they can make general mass-market machines for everyone, and accept the duty of care that comes with doing so. The trouble with too many IT people is their belief that you can sell to the latter market but act like you've got the former customer base.

      The big firms get some of this, as we see just from the fact that they do roll out security patches. But they don't get it enough. They still expect their customers to be watching the news for the latest "Install the latest patch immediately!" story and then doing so by the end of the week. Imagine if a toy manufacturer issued a product recall every week for a decade. They couldn't, actually, as they'd be bankrupt inside a year.

      Customers hate this crap, and rightly so. But they are faced with an industry that, although it refuses to change its stinking attitude, makes undeniably useful and wonderful things. So they try asking their techie friends for help, and those friends say things that they genuinely believe are helpful, such as "Switch to Linux" or "Implement this new encryption algorithm I've found", but which actually all boil down to the same piece of shitty advice: "Become an IT expert." So the only rational course left to users is exactly what this study has discovered: resignation.

      Since computer security is increasingly a safety issue, I'd like to see governments updating their laws to reflect that. If a young lady buys a laptop and happens to have it switched on in her room while she gets changed, she has an entirely reasonable expectation that video of her naked isn't going to be used to blackmail her. If it is, the manufacturer of the laptop and its software should be held liable. If a builder puts a new roof on your house and it's leaking six months later, they're simply not allowed to write an EULA that says it's not their problem because it's your roof and they didn't make the rain. They're liable, legally. The same principle applies to all other manufacturers and producers -- unless they're an IT firm. Car manufacturers don't get to shrug when their products crash due to design and manufacturing flaws, but IT firms do -- which is why Tesla are suffering from cognitive dissonance: they're full of IT people with IT attitudes, and are beginning to discover that that won't wash.

      Well, it shouldn't wash anywhere. Next time someone is driven to suicide by identity theft or revenge porn, how about we identify some senior executives responsible for the tech that made it all possible and drag them through the courts and embarrass the fuck out of them? Do that a few times and just watch computer security improve. Incentives matter.

      (Sorry, this comment went on a lot longer than I intended. Rant over.)

      1. Charles 9

        Re: Punishment.

        "Or they can make general mass-market machines for everyone, and accept the duty of care that comes with doing so."

        But the trouble is that even there you end up with limits. Like with the engine, how does the adjuster know the difference between a car that blew up on its own or one that blew up because some idiot put the wrong liquid in the crankcase?

        As the comedian said, you can't fix stupid yet you're expecting computer makers to account for stupid, and by that the stupid that doesn't realize what is meant by a mouse or who thinks a keyboard is where you hang the car keys when you come in the house.

        1. Squander Two

          Re: Punishment.

          > how does the adjuster know the difference between a car that blew up on its own or one that blew up because some idiot put the wrong liquid in the crankcase?

          Wrong analogy. With computers, the problem isn't that some idiot put the wrong liquid in the engine by mistake. The problem is that some bastard put malicious liquid in the engine on purpose. And the car was manufactured with four hundred funnels all over the outside for strangers to pour liquid into it. And you can't lock the caps on any of those funnels because the manufacturer hasn't designed the locks yet. And there's a Russian criminal in the backseat with a gun, but the manufacturer says that's your fault for buying the model with doors.

          1. Vic

            Re: Punishment.

            With computers, the problem isn't that some idiot put the wrong liquid in the engine by mistake. The problem is that some bastard put malicious liquid in the engine on purpose.

            What often happens is that some bastard asks the operator if he can put malicious liquid in the engine, and the operator says "yes". To fix that, you either need to train the operator not to trust malicious bastards on the Internet, or you need to prevent his ability to change the oil in his engine. Your argument is for the latter, but this just doesn't sell. People want multi-purpose computers, and that entails responsibility for their correct operation.

            Vic.

      2. Anonymous Coward

        Punish the user

        Sorry but anyone that clicks on Yes all the time needs a computer that will answer No on their behalf to protect them.

        So basically a web-browser with no cookies or plug-ins and no scripts and no privileges to install and no pop up questions.

        You need a license to drive a car but not for using a power saw or a computer. They are all dangerous! Screw users.

      3. This post has been deleted by its author

        1. Squander Two

          Re: Punishment.

          > If a user wants to own a general-purpose computing device, then there is a responsibility for the operation of that device that goes with such ownership.

          OK. So you go found a computing company with that mission statement and let us know when your profits go through the roof.

          Meanwhile, here in the real world, the firms making actual computers that actual people actually use have spent several decades specifically marketing them as things that you can use without understanding their inner workings. I'm fine with that. If you're not, you're going to need a time machine.

          The point is, a duty of care isn't something that accidentally happened to the IT giants. It's something they chose and pursued. They didn't have to.

          > If the use wants to abrogate that responsibility - that's fine, but don't expect to be permitted to do whatever you like with it.

          Permitted? Gosh. By whom?

          >> Someone below mentioned the internal combustion engine, apparently under the impression that people who drive cars know how it works. No they don't.

          > That's actually a superb example - we don't expect car owners to be experts in the internal functioning of their vehicles ...

          So not a superb example, then. What you're talking about is a different example.

          > ... but we do expect them to operate those vehicles in a safe manner - with potentially huge penalties if they fail to do so. Don't want to take that responsibility? Take a taxi.

          But we're not talking about people using computers recklessly and thereby endangering others. We're talking about users opening an email and being fucked. A few months ago, there was that text message doing the rounds that would brick iPhones if you received it. Now we're looking at IoT botnets, apparently. Yet still this attitude prevails in IT circles that it's always the victim's fault. Their fault for what? Putting a smart lightbulb in their living room?

          > Sure - but if they've put a new roof on, then they come to look at the leak you've reported and found you've drilled a massive hole in the roof to get some stuff in ...

          This is exactly the attitude I'm talking about. You just won't accept that a computer might actually have an inherent problem when it's sold.

          And this is odd, because go to any comments thread on this site about the new version of any OS, and there'll be loads of knowledgeable comments about all its problems and bugs. But the moment we discuss security, some of the same knowledgeable people insist that everything is the users' fault -- with the implication that the computers they're using must be perfect.

          Apple had that huge security hole a couple of years back that was caused by a dev screwing up their copying and pasting. The code was visible to the public, and the bug was obvious (I showed it to two non-devs, one with no interest in IT at all, and they both spotted it), yet none of Apple's processes picked it up. Every machine that shipped with that code and every machine that was updated with that code had a giant security flaw in it that was 100% Apple's fault and 0% their users' fault.

          Heartbleed was similar.

          > Just as you wouldn't expect a chainsaw manufacturer to take responsibility when someone's tutorial in "using a chainsaw to remove unsightly facial hair" goes wrong, you can't blame the manufacturer of computer software to accept responsibility for everything a user might do with their product ...

          ... such as checking their emails, opening a text message, or simply turning their computer on and connecting it to the Internet without first writing and installing a patch to a massive security hole that no-one except some criminals has discovered yet. Yeah, that's definitely equally as reckless as taking a chainsaw to your own face. Probably more.

          > Revenge porn requires three steps:-

          •Creation of the porn

          •Distribution of that porn to someone who should (at the time) have it

          •Distribution after the fact to someone who should not have it

          The example I gave -- people having their webcam hacked and being filmed without knowing it -- is a real example, that has actually happened. That's caused by users recklessly and irresponsibly changing their clothes in the same room as their computer. The stupid morons.

          > So whilst I'm all for some software being required to perform properly under pain of litigation, making such sweeping statements that it must all cushion users such that they do not need to be responsible for their own actions is both ludicrous and extremely unwanted.

          And not remotely what I said.

          1. This post has been deleted by its author

      4. Poncey McPonceface

        Re: Punishment.

        @Squander Two

        Superb Comment.

  2. Grade%

    After the telemetry cow flop

    Landing over and over and over on all our sundry machines...and the Wonkanets

    from the chocolate factory following and slurping, not to mention the alphabet agencies...well, an honest hack seems, um honest.

    Sigh, time to check how many grams have been removed from the new and improved box of cereal.

  3. Anonymous Coward

    Don't blame the users

    Maybe if it wasn't so difficult to tell the difference between companies and crooks people might care more. As it is now, the behavioral distance between the two is just about zero.

    1. Anonymous Coward

      So True

      Google just phoned my bank and took all my savings.

      Just like cybercriminals do.

      1. Destroy All Monsters

        Re: So True

        You mean, just like the State does?

        1. Prst. V.Jeltz

          Re: So True

          difference between companies and crooks

          They don't make it easy - if the banks could stick to one domain name it would be handy, Halifax don't - once you're logged in at the front door some of the subsequent pages - that they must have outsourced or something - are at www.scumbagcowboycodersforehire.ch/halifaxwork/passwordgrabber.php or something similar

          see here:

          http://www.planetbods.org/blog/2009/02/05/bankurls

          1. Anonymous Coward

            Re: So True

            "They don't make it easy - if the banks could stick to one domain name it would be handy..."

            For years my bank had an email address for me, but never used it - good because any dodgy email purporting to be from them obviously wasn't, without a second glance. But eventually they couldn't resist the temptation to try to sell me things I didn't want while justifying it as "helpful", so you had to think harder about who the sender was or resist the urge to click the dodgy link. I don't have a problem sorting the good from the bad, but many - perhaps most - people do. Like the inconsistent domains and a hundred other things, companies who should know better really do their best to make trivial aspects of security unhelpfully muddy for users.
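
The complaint in the two comments above is that a link can look like the bank's and not be. When the bank does publish the registrable domains it uses, that check is mechanical. The script below is an added example for this page, not code from any bank or from the comments: it pulls the real host out of a URL, neutralising the authority-section tricks phishers rely on (a fake host before `@`, ports, mixed case, trailing dots, lookalike international labels) and reports whether the host sits under a trusted domain over https. The trusted-domain list and every URL are constructed; `examplebank.co.uk` stands in for whichever bank is at issue.

```python
"""Decide whether a link really points at the organisation it claims to.

Added example for this page, not a bank's own code. TRUSTED_DOMAINS is
constructed; a real check would take the list from the bank and keep it
current, which is exactly what outsourced sub-pages on other domains make
impossible for the user to do by eye.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Registrable domains the organisation actually uses (constructed).
TRUSTED_DOMAINS = {"examplebank.co.uk", "examplebank-secure.com"}


@dataclass
class Verdict:
    url: str
    host: Optional[str]
    trusted: bool
    reason: str


def _host_of(url: str) -> Optional[str]:
    """The host the resolver will actually see, or None if there isn't one."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname            # strips userinfo and port, lowercases
    if not host:
        return None
    try:
        # IDNA form: a Cyrillic 'a' in "examplebank" becomes an xn-- label
        # instead of silently matching by eye.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host.rstrip(".")


def _under(host: str, domain: str) -> bool:
    # Exact match or a true subdomain; "notexamplebank.co.uk" must not pass.
    return host == domain or host.endswith("." + domain)


def classify(url: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> Verdict:
    parts = urlsplit(url.strip())
    host = _host_of(url)
    if host is None:
        return Verdict(url, None, False, "not an http(s) URL with a host")
    if parts.username is not None:
        # "https://examplebank.co.uk@evil.example/": the bank name is a username
        return Verdict(url, host, False, "userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        return Verdict(url, host, False, "internationalised label, possible lookalike")
    if not any(_under(host, d) for d in trusted):
        return Verdict(url, host, False, f"{host} is not under a trusted domain")
    if parts.scheme.lower() != "https":
        return Verdict(url, host, False, "trusted domain but plaintext http")
    return Verdict(url, host, True, "under a trusted domain over https")


def classify_all(urls: Iterable[str]) -> List[Verdict]:
    return [classify(u) for u in urls]


# Constructed links of the kind that turn up in "helpful" bank e-mails.
SAMPLE_LINKS = [
    "https://online.examplebank.co.uk/login",
    "https://ExampleBank.CO.UK:8443/statements",
    "https://examplebank.co.uk.evil-host.ch/bankwork/passwordgrabber.php",
    "https://examplebank.co.uk@evil.example/",
    "http://examplebank.co.uk/",
    "https://notexamplebank.co.uk/",
    "https://ex\u0430mplebank.co.uk/",        # Cyrillic 'a'
    "mailto:help@examplebank.co.uk",
]

if __name__ == "__main__":
    for v in classify_all(SAMPLE_LINKS):
        print(f"{'OK ' if v.trusted else 'BAD'} {v.url!r}: {v.reason}")
```

Only the first two links pass; the rest fail for different reasons, and a user reading the address bar gets no such breakdown, which is the commenters' point about banks spreading themselves over domains nobody can memorise.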

      2. Anonymous Coward

        Re: So True

        No, they may not phone up your bank, but they'll steal your personal data any chance they get - hence the point about behavior. And the interesting thing about unchecked bad behavior is that it rarely gets better.

    2. Timo

      Re: Don't blame the users

      This is where social engineering plays. It is really easy for the crooks to impersonate the companies, hoping to confuse you long enough to hand over some money or information. And like viruses and spam, when the companies improve their information it is an escalating war that will need to be solved some other way.

      It happens in real life (hucksters misrepresenting themselves), on the phone (Microsoft calling), and online. It has always been lucrative.

      Or maybe you're implying that the legit companies and the crooks are all acting the same way, which is also true. Many "legit" companies are finding that they can get pretty far with the sin of omission (not telling you everything that is going on.) This has also been going on and has almost always been lucrative *in the immediate term*. So who are the real crooks?

  4. Anonymous Coward

    "People believe that security has become too complex "

    Its not that security (tools) are too complex, its all the vulnerabilities that are out there, coming at users from all directions.

    A lot of the problem is crap product and software design that leaves users on the hook when things are not secure or go wrong.

    1. Anonymous Coward

      Re: "People believe that security has become too complex "

      No. That's the propaganda. Just what the FBI, CIA, NSA and GCHQ, among others, want people to believe. They want people to give up, to give in, to make themselves even more vulnerable to attack. They don't care a whit that most attacks come from the criminal sector that they're not only not fighting, but in many cases funding with their black budgets.

      Public key encryption works, for example. But the commercial face of it (RSA) has been in Government's back pocket for almost 20 years.

      Are computers, computer security, really that much more difficult to understand than the internal combustion engine? We teach the fundamentals of that late 19th century wonder in high school physics: why not teach the basics of encryption, computer security, in high school math class?

      But no. We have to keep the public fat, dumb and lazy because otherwise they might be able to challenge their betters. It's the same old story all over again. In the antebellum period it was illegal to teach slaves how to read. So in this new digital technology era we make sure that no one teaching the next generation knows how to do anything more than sync with their iTunes account.

      NIST has just become another propaganda tool of the corporatists. Too bad, because the US Commerce Department should be the one agency out front coordinating the actual defense of our public and private technology infrastructure (all the other three-letter agencies -- DoD, NSA, CIA, FBI, DHS, are too intent on creating offensive technological weapons to spend resources on the much more difficult job of defending against attacks). As much as I hate to admit it the only credible answer is going to come from the private sector, maybe a cooperative of universities and businesses who have sworn off government influence (including, most importantly, government money) and whose sole task is to create tools to defend us.

      1. Anonymous Coward

        Re: "People believe that security has become too complex "

        Public key encryption works, for example. But the commercial face of it (RSA) has been in Government's back pocket for almost 20 years.

        I don't know about RSA the company being in The Man's back pocket, but the fact that RSA (the algorithm) works and can be used freely (after the patent expired) doesn't mean it can be used easily.

        You can download GPG right now for some crypto-magic based on RSA. Try to make productive use of it or even integrate it into an e-mail client, then. Good luck.

        No, encryption is not even an issue.

        Usability and secure-as-designed is. Microsoft is the single largest provider of "experience enhancements" that rot your security stance and things have not improved a whole lot since they announced, then disbanded their internal security design group.

        We need to start with a new OS, first and foremost, that compartmentalizes the user interface adequately (like in QubesOS), then build simple, usable tools on top.

        1. Vic

          Re: "People believe that security has become too complex "

          You can download GPG right now for some crypto-magic based on RSA. Try to make productive use of it or even integrate it into an e-mail client, then. Good luck.

          If you have people who want to use it, it's really not that tricky; the difficult bit is getting people to care.

          Setting up GPG or similar requires a key exchange just like getting a new house requires getting the keys. But whilst most PHBs understand why having keys to your house is a good idea, I've yet to find a single one who understands why one might want to do the same with email.

          We need to start with a new OS, first and foremost, that compartmentalizes the user interface adequately (like in QubesOS), then build simple, usable tools on top.

          Building simple tools that do one thing well is something of which I wholeheartedly approve - that is the Unix Way. But compartmentalising the UI? Most people seem to be against that - integration seems to be the order of the day. The ability to cut&paste between different devices makes my skin crawl, but that is what seems to be popular right now.

          But starting a new OS? Probably not.

          Vic.

    2. fidodogbreath

      Re: "People believe that security has become too complex "

      Its not that security (tools) are too complex, its all the vulnerabilities that are out there, coming at users from all directions.

      This.

      I've been working with computers since before they were called PCs, and I've come to resent the amount of time and effort that I have to expend in order to protect my systems.

      Flash is a dumpster fire, but if you uninstall it then half the web breaks. So I find, install, configure, and maintain a Flash blocker. Meanwhile, web ads are a massive attack vector, so I find, install, configure, and maintain an ad blocker....which also happens to break a lot of web sites.

      Windows Update takes hours or days to complete, and randomly causes svchost.exe to consume massive resources; but I don't dare turn it off, because then I'll be defenseless against this month's dozen or so massive M$ security cockups.

      "Background" anti-virus scans clobber my machines' performance. When something happens that seems off, I wait for interminable foreground anti-malware scans. Every download or attachment has to be vetted, examined, scanned, parsed, and an imperfect decision made.

      And I haven't even gotten to the effort that goes into protecting the tattered remnants of my privacy from the Googles, Experians, Micro$ofts, etc. of the world who are obsessed with tracking me like livestock with a fucking ear tag.

      If I didn't already know how to do all this shit, I'd probably give up, too.

      1. Anonymous Coward

        Re: "People believe that security has become too complex "

        Go Linux Mint. Easy to install, easy to use for those accustomed to windows, and secure against majority of Web page and email malware.

        1. Charles 9

          Re: "People believe that security has become too complex "

          And lose access to 90% of the software out there since most software is Windows-ONLY, including likely something you use every day that has no analogue (I speak from experience). Furthermore, Linux is not as invulnerable as you think (remember Shellshock?). That's yet another headache.

          1. dajames

            Re: "People believe that security has become too complex "

            And lose access to 90% of the software out there since most software is Windows-ONLY, including likely something you use every day that has no analogue (I speak from experience).

            It's not as bad as you suggest -- certainly nothing like 90%.

            Apart from games and some specialist and often hardware-related applications (like SatNav updaters, I'm looking at YOU TomTom, but I gather Garmin are just as bad) there isn't much software that actually needs Windows apart from corporate/enterprise applications written using Microsoft Office. There are Linux-based alternatives for most other things. Dual-boot if you must.

            Furthermore, Linux is not as invulnerable as you think (remember Shellshock?). That's yet another headache.

            All software is buggy -- the stuff is too complex for it to be otherwise. For every Shellshock there's a Windows exploit -- probably years old and still unpatched -- that's just as bad. That's not the problem. The problem is that the reason that Linux systems are relatively safe is mostly because it has such a small market share.

            Should Linux, or any other non-Windows system for that matter, ever gain significant market share the unprincipled scrotes who write malware will start to target that as well, and the protection of relative obscurity will be lost.

            1. Charles 9

              Re: "People believe that security has become too complex "

              "Apart from games and some specialist and often hardware-related applications (like SatNav updaters, I'm looking at YOU TomTom, but I gather Garmin are just as bad) there isn't much software that actually needs Windows apart from corporate/enterprise applications written using Microsoft Office. There are Linux-based alternatives for most other things. Dual-boot if you must."

              What about all the CUSTOM jobs you tend to see in businesses? No one wants to plunk the big money down to replace it, and most of them can't afford it, either. If it means living dangerously, then they don't have a choice. It's live dangerously or they're already dead.

              1. Stoneshop

                Re: "People believe that security has become too complex "

                What about all the CUSTOM jobs you tend to see in businesses? No one wants to plunk the big money down to replace it, and most of them can't afford it, either.

                I currently see a decent amount of business software that's still under active development moving from dedicated (Windows) programs to stuff running in a browser, with most of that turning out to be browser-agnostic (and, ipso facto, OS-agnostic).

                1. Wensleydale Cheese

                  Re: "People believe that security has become too complex "

                  "I currently see a decent amount of business software that's still under active development moving from dedicated (Windows) programs to stuff running in a browser, with most of that turning out to be browser-agnostic (and, ipso facto, OS-agnostic)."

                  I've even started doing that myself.

                  What started out as a bit of Python to grab software package listings and produce a nicely formatted web page has evolved into a template which can be adapted for all sorts of stuff.

                  Yes, accounts too :-)

              2. Adrian 4

                Re: "People believe that security has become too complex "

                "What about all the CUSTOM jobs you tend to see in businesses? No one wants to plunk the big money down to replace it, and most of them can't afford it, either. If it means living dangerously, then they don't have a choice. It's live dangerously or they're already dead."

                But if they're custom, and have been in use for many years, they'll be written for old Windows APIs .. probably ones that aren't even supported in Windows any more, hence the reluctance to leave Win XP, 7 etc.

                So they'll likely work easily in some emulation, like Wine. And can be packaged to do so with relatively little effort on behalf of the local development support.

            2. Wensleydale Cheese

              Re: "People believe that security has become too complex "

              "Apart from games and some specialist and often hardware-related applications (like SatNav updaters, I'm looking at YOU TomTom, but I gather Garmin are just as bad) there isn't much software that actually needs Windows apart from corporate/enterprise applications written using Microsoft Office."

              HP used to be the bane of my life by insisting on Windows for firmware upgrades, even on their own kit that didn't run Windows.

              The move to PDF files as a distribution format has meant that there's a much reduced need to have a copy of Office lying around.

          2. Anonymous Coward
            Anonymous Coward

            Re: "People believe that security has become too complex "

            "And lose access to 90% of the software out there since most software is Windows-ONLY, including likely something you use every day that has no analogue (I speak from experience)."

            Most users use their PCs for domestic use - email, web browsing, Skype, watching videos, listening to music services, writing emails or looking at spreadsheets - 90% of what MOST PEOPLE USE works on Linux Mint.

            "Furthermore, Linux is not as invulnerable as you think (remember Shellshock?). That's yet another headache."

            I didn't say it was invulnerable - I said it was "secure against MAJORITY of Web page and email malware".

            Using Linux Mint as a non-IT user in place of Windows has a very low threshold to learn it, and automatically protects the users from the worst of the threats Joe User encounters.

            If you are playing the odds, with minimum disruption to transition, the quicker you start using Mint, the quicker you get protected.

        2. Naselus

          Re: "People believe that security has become too complex "

          "Linux Mint.... secure"

          No, it's not.

      2. Prst. V.Jeltz Silver badge

        Re: "People believe that security has become too complex "

        @fido

        Maybe sandboxes are the answer.

        or a sandbox within a sandbox ,

        or like in that 'caprio film - box within a box within a box within a box.

        The malware will never know if it's awake in the real world or still dreaming!

        1. Charles 9

          Re: "People believe that security has become too complex "

          Java was built on a sandbox model, yet it's now considered not fit for purpose. Seems sandboxes are too easy to ESCAPE. And VMs will probably be next with hypervisor attacks.

          1. Destroy All Monsters Silver badge

            Re: "People believe that security has become too complex "

            And VMs will probably be next with hypervisor attacks.

            Not likely. We know how computers work. "Virus breaking out" of a VM should be as hard as "virus breaking out" of the PC. Unless the hardware manufacturers mess up big or one connects a nanoassembler to the USB port.

            When one has to invoke "rowhammer" as an attack, things are overall looking pretty good.

            1. Anonymous Coward
              Anonymous Coward

              Re: "People believe that security has become too complex "

              And VMs will probably be next with hypervisor attacks.

              Not likely. We know how computers work. "Virus breaking out" of a VM should be as hard as "virus breaking out" of the PC.

              Apparently you are both a bit out of date. Hypervisor vulnerability alerts have been a regular occurrence for most of the past year amongst the security community. Several of the major cloud providers have been forced to do major reinstall and reboot operations for undisclosed reasons a few times so far this calendar year - rather a hefty price tag for that, I suspect vulnerabilities made it worth paying.

  5. Anonymous Coward
    Anonymous Coward

    I've Given Up - I Get the Attitude

    And it starts with US leadership.

    The Social Security Administration doesn't want to protect our Social Security numbers. Get informed your SSN has been stolen in a cyber-theft, and you'd think the SSA would do something. But no, the SSA tells you there is nothing they will do for you. Oh, sorry, I was instructed to go to my village police hall and fill out a report of the theft. Why, I ask? Well, in case someone opens fraudulent accounts in your name and runs up charges, you can attempt to say it wasn't you because you have a police report.

    You go to open a bank account and you are told that the SSN is being used by another customer. You prove it's your number and ask who is using your number fraudulently so that you can report it to the police, and are told that disclosing the thief's identity would violate the thief's privacy.

    You see the US credit card companies refuse to implement secure transactions with chip and pin like the rest of the world, and you wonder why. You go to Canada and China and see people there use chip and pin with fast response times and you try to understand why the response time for the US chip and signature process is so slow.

    You see that ransomware attacks are up 400% in 2016 over 2015 and watch the FBI sit feckless.

    You watch the US Department of Health and Human Services issue guidance on Ransomware and Malware to regulated entities and watch them sit and do nothing to comply. And then you watch the GAO come along and say that HHS was not following the NIST Cybersecurity Framework.

    And you begin to understand that the US leadership is completely F*CKED UP.

    1. Anonymous Coward
      Anonymous Coward

      Re: I've Given Up - I Get the Attitude

      "And you begin to understand that the US leadership is completely F*CKED UP."

      No, it's not. It's there to protect the interests of big business and the mega rich.

      You are a citizen - it's the job of the government and its agents to fuck you and to protect the wealthy.

      You don't actually think the three letter agencies are monitoring everything to look out for you, do you?

    2. AndyS

      Re: I've Given Up - I Get the Attitude

      > And it starts with US leadership.

      > ...

      > And you begin to understand that the US leadership is completely F*CKED UP.

      That's nice. You do realise you're on a UK website though, right?

      1. Destroy All Monsters Silver badge

        Re: I've Given Up - I Get the Attitude

        The UK is just the anal gnome of the US.

      2. Anonymous Coward
        Anonymous Coward

        Re: I've Given Up - I Get the Attitude

        "You do realize you are on a UK website though, right?"

        You do realize that NIST, the topic of this article, is a US agency, and its Cybersecurity Framework was developed on the orders of President Obama?

        And you do realize that El Reg is an international pub with authors from around the world?

  6. ArthurKinnell
    Linux

    Ditch Windows

    I feel your pain, but I think you know the answer to your problem. Ditch Windows, it's insecure and riddled with malware.

    My son's just started secondary school here in the UK, and I am pleased to learn that coding, Raspberry Pis and Linux are all on the syllabus. Only issue is, as he has been having Linux from birth, he will probably know more than the teacher.

    We run as many Linux servers as we can at work, and you won't find a Windows terminal in our IT department. All Windows updates are rolled out to MS servers and workstations via ZenWorks patch management, so we don't get the painful 2-day, 300-update process on our Windows 7 boxes.

    When you see the day to day stuff most people use PC for at home, browsing social media, reading news, sending email and producing documents and (poorly conceived) spreadsheets then you realise that they don't need windows for that. Linux could serve them well.

    1. Charles 9

      Re: Ditch Windows

      "When you see the day to day stuff most people use PC for at home, browsing social media, reading news, sending email and producing documents and (poorly conceived) spreadsheets then you realise that they don't need windows for that. Linux could serve them well."

      What about the games? And there's usually one or two things the casual users need that happen to be Windows-only from my experience, and WINE usually won't work on them, either.

      1. Apprentice of Tokenism
        Linux

        Re: Ditch Windows

        > What about the games? And there's usually one or two things the casual users need that happen to be Windows-only from my experience, and WINE usually won't work on them, either.

        So true. Setting up/running programs with Wine sucks. But never say die! Some genius came up with a very nice solution: playonlinux. Give it a try! It simply is brilliant.

        1. Charles 9

          Re: Ditch Windows

          playonlinux is based on WINE, and like I said the compatibility list for games is pretty bad, especially when you get to newer ones like Fallout 4. And with DX12 now being pressed, I suspect this is only going to get worse as it appears Valve has failed to convince developers to go multiplat.

    2. Anonymous Coward
      Anonymous Coward

      Re: Ditch Windows

      Indeed, it's rare I don't see a home Windows computer that's riddled with malware. It's got to be over 90% for me. I have seen 2 day old Windows 10 machines that already have malware on them. The first thing owners did was download something that Internet Explorer told them they needed...

      Ironic that Android gets all the headlines, and I have never ever seen a compromised Android device, but it's rare to find a Windows machine that isn't riddled with backdoors, malware or keyloggers...

      Go figure.

      1. Charles 9

        Re: Ditch Windows

        That's because Android malwares don't let you know they're infected. They work in the underlayer and usually try to root themselves, even to the extent of surviving a nuking.

        1. Anonymous Coward
          Anonymous Coward

          Re: Ditch Windows

          "They work in the underlayer"

          You really fell for that horseshit? Do you know how hard it is to deliberately root an android device? Yet somehow malware can magically do it without your knowledge and hide itself? You need to listen to yourself.

          How exactly did this magical malware get there in the first place?

          To even think Android is even vaguely close to Windows in malware terms is bonkers.

          1. Charles 9

            Re: Ditch Windows

            "You really fell for that horseshit? Do you know how hard it is to deliberately root an android device? Yet somehow malware can magically do it without your knowledge and hide itself? You need to listen to yourself."

            Not that hard if the device is pretty old. Check out the xda forums where this is a basic request for every device out there. Also look up the rooting toolkits like KingoRoot. Anything these kits can do, the malware can do.

            "How exactly did this magical malware get there in the first place?"

            Smuggled into apps that somehow pass Google's security testing. El Reg covers this all the time (The linked article specifically covers malware getting into Google Play; there's also the Gugi trojan one month ago).

            "To even think android is even vaguely close to windows in malware terms in bonkers"

            It's closer to Windows than any other mobile OS on the market. It's possible to install third party apps, it's possible to bypass security measures even if they're running, and let's not forget Stagefright, an exploit in the Android baseline that can't be fixed in the vast majority of phones on the market. Is it any wonder Google's taking more of an Apple approach with its Pixel phones and the upcoming Andromeda? If they don't, they could end up on the hook.

    3. Bob Camp

      Re: Ditch Windows

      Most people need the latest version of iTunes to work, because most people have an iDevice. They may also need to actually use their printer and Microsoft Office.

      And FYI, Linux web browsers get hijacked just as easily as their Windows versions. So Linux won't protect you if you visit a nefarious web site just before you do your online banking.

    4. Naselus

      Re: Ditch Windows

      "Ditch Windows, it's insecure and riddled with malware."

      Can we please ditch the idiotic notion that installing some variant of Linux is the answer to every problem? It doesn't make you look clever or computer-savvy. It just makes you sound like a blinkered, unrealistic fanboy with no serious understanding of the problem in question.

      There's hundreds of thousands of programs that people want to use that won't work on Linux, and thousands upon thousands of peripherals that also do not supply drivers for Linux. There's plenty of Linux malware and Linux vulnerabilities. And if the average user struggles to configure Windows safely, then the answer is not 'here, learn to secure this more complex product instead'.

      If users complain that Microsoft releasing 7 versions of each OS is too complex, how exactly do you think they'll react to the choice between umpteen million different Linux distros (some of which are secure, and some of which are friggin bombsites)? Check out any 'getting started with Linux' guide. They almost all start with a multi-page section on 'choosing the right distro' which usually recommends spending hours or days researching the different options. DAYS. Yeah, this is totally more convenient and easier for the average user who just wants to own a device that lets them browse the internet and play Doom - only for them to discover they can't play Doom without even more pissing about setting up WINE or some other emulator that may just randomly stop being developed at some point when the dev team get bored.

      Linux is a great OS, and it's a great tool for experienced IT admins to use. It is not a solution to the average user complaining about complexity problems. That's why Linux has made massive strides in the server room and is a rounding error in the desktop market, and why these (utterly predictable) 'ditch windows' responses are such a load of bullshit.

  7. allthecoolshortnamesweretaken

    "The interview participants revealed an unexpected level of fatalism and resignation."

    I actually expect that semi-religious cults* will form soon, based on people's desire for something, anything, that will give them some illusion of safety. They will pray for deliverance from malware like peasants in ancient times pleading with their gods to spare them from thunderstorms.

    * Come on, a sizable proportion of the fanbois are halfway there already.

  8. Destroy All Monsters Silver badge
    Windows

    Bad prognosis

    "We were reading through the results and we saw this overwhelming sense of not being able to keep up"

    That's my feeling about practically anything, especially the neverending manufactured instability coming out of government offices, parliaments and the PC-enhanced aggressive victim culture. This is what "Standing on Zanzibar" was about.

    There is only one way out now.

    1. Grade%

      Re: Bad prognosis

      "Standing on Zanzibar"

      Have an upvote my literate friend.

      1. Squander Two
        WTF?

        Re: Bad prognosis

        Who the utter bucketing fuck gave you a downvote for congratulating someone on their taste in books?

        (I mean, it's actually Stand On Zanzibar, but surely no-one's so pedantic that they think they need to punish someone for that, are they?)

        1. Anonymous Coward
          Anonymous Coward

          Re: Bad prognosis

          "...but surely no-one's so pedantic..."

          Really? If pedantry was ever weaponised, ElReg commentards would be ground zero for a global scrap for raw material.

  9. Pete 2 Silver badge

    Too hard, won't use.

    To be successful, security measures must be at the level of intrusiveness of putting your key in the latch - once. If it can be made even simpler, down to the level of a car's keyless entry, then better still. But that all requires significant changes at the hardware level - changes that can't be backed into a 30 year-old, pre-internet, PC architecture.

    That is why all the security bolt-on products we are being sold are so complex, complex AND unreliable, since they continually fall behind the exploits that are being developed. I do not believe that computers as we have them today can be made secure. Not without dumping all of the backwards compatibility that seems to be mandatory in order to preserve a supplier's existing user-base.

    Fortunately for the "ordinary people" in the survey, home computers are a dying breed. Being overtaken by their phone (although most transactions aren't voice calls, so "telephone" is a rather anachronistic term for them). And here there IS the opportunity to build in security measures since the life-cycle is only a few years.

    However, I still won't engage in personal banking on my phone. My (Linux) computers, with multiple user accounts - only 1 of which is used for personal finance - are still far more secure than either Windows or a phone.

  10. Anonymous Coward
    Anonymous Coward

    Bruce Schneier recently posted some wise words on the subject:

    https://www.schneier.com/blog/archives/2016/10/security_design.html

  11. Charles 9

    So how do you design secure devices for stupid people who still want to be able to do high-performance stuff like games AND be able to check their bank accounts? Since you can't fix stupid, educating them isn't an option.

    1. Destroy All Monsters Silver badge

      Proper design.

      It's called proper design.

      Remember the procedure for activating the Nostromo self-destruct? That kind of design.

      1. Charles 9

        That's not proper design. First, the self-destruct can be aborted in the first five minutes. No good if you're being hijacked as you can be frog-marched to turn it off. Plus, after the five-minute point, Murphy strikes and you get knocked out past the point of no return and wake up only to learn the last escape pod's gone and you have no way to get off.

        Fact is, there is no such thing as proper design if you have to go up against "Dave".

    2. Palpy

      Re: How do you design secure devices...

      ...for people who want games AND be able to check bank accounts?

      Somewhere up-thread someone mentioned QubesOS: compartmentalization. You play games in one VM, which cannot access other parts of your OS or filesystem. Even the clipboard is shared only through circuitous routes which make it an order of magnitude harder for an attacker to pivot from your game VM to your banking VM.

      It can be done with a minimal amount of user agony. I use QubesOS on my travel laptop, and it's not all that hard to get used to. The dev team behind it is, like the teams behind many Linux distros, tiny compared to any Microsoft sub-department. Which is to say, Microsoft could develop a compartmentalized Windows with VM sandboxes dedicated to varying levels of security. With the ability to wipe out a VM and rebuild from an "always fresh" template when the active image has become compromised.

      I think it would break some of the existing Windows API, though. No expert me, but apparently basic things like the way "Windows" draws windows onscreen presents difficulties (link, PDF).

      But I don't know that Microsoft or Apple are interested in pursuing a fundamentally more secure OS. Reactive security is still the rule.

      1. Charles 9

        Re: How do you design secure devices...

        Until you need a lot of inter-process communication, that is. Many people are used to browsers turning matters over to other programs when they download certain things; your idea breaks it. Plus games tend to suck in virtualized environments, especially the newer games. Not to mention increased memory usage when most consumer machines lack the memory. And what about things like Steam that run on top of games?

        Plus you overlook the likelihood of a hypervisor attack. If you can break out of a sandbox, I can bet you they'll find a way to the hypervisor next, if they haven't already done it.

        "But I don't know that Microsoft or Apple are interested in pursuing a fundamentally more secure OS. Reactive security is still the rule."

        Because they get the complaints when things BREAK. And when things BREAK, things don't get done. It's bad in a consumer setting since they'll probably stop buying stuff. It gets worse in an enterprise environment since it could mean the business stops making money, putting them in existential risk. That's why backward compatibility takes precedence over security nine times out of ten; the customer demands it.

        1. Palpy

          Re: Some good points --

          -- you need plenty of memory and a good CPU for extensive VM hosting, IMHO.

          And of course this system makes inter-process communication more difficult. That's part of the point, again IMHO: if you have always-on, widespread comms between many processes then obviously a security flaw in any one of them becomes a vulnerability in all of them. If you want to keep attackers in one room, you have to shut the door. Or at least vet the traffic in and out.

          But, as noted by others, successfully attacking a hypervisor as well as attacking the processes running inside it adds a layer of difficulty an attacker must overcome. It's not trivial. Probably an order of magnitude harder.

          It's a commonplace to assert that the only secure computer is in a Faraday cage encased in concrete at the bottom of Lake Geneva. You can never be secure, but you can raise the bar for attackers. To take another example, OpenBSD is not secure. It's just much harder to crack than Windows.

          Whatever. You make good points. I do think OS modifications will have to move toward raising the security bar, though. The bad guys are not getting stupider, nor fewer.

          1. Charles 9

            Re: Some good points --

            "And of course this system makes inter-process communication more difficult. That's part of the point, again IMHO: if you have always-on, widespread comms between many processes then obviously a security flaw in any one of them becomes a vulnerability in all of them. If you want to keep attackers in one room, you have to shut the door. Or at least vet the traffic in and out."

            Which poses a problem if said door is the kitchen door of a restaurant. People come and go all the time as part of the business AND they frequently do so with their hands full. Thus the passageways are either open (with bends for privacy) or are doors built with double-action spring hinges that allow opening with some body part other than an arm. Similarly, what if you do FREQUENT inter-process communication. You interfere with this, things don't get done. And again, who cares about security if the job isn't getting done?

            "But, as noted by others, successfully attacking a hypervisor as well as attacking the processes running inside it adds a layer of difficulty an attacker must overcome. It's not trivial. Probably an order of magnitude harder."

            They said the same thing about sandboxes, and look where we are now. Figure out how to crack one egg and dealing with any other egg becomes a lot easier. We're just at the probing stage at this time for VMs, but once they figure out how to reliably hit the hypervisor, I expect a house of cards effect to follow.

            "Whatever. You make good points. I do think OS modifications will have to move toward raising the security bar, though. The bad guys are not getting stupider, nor fewer."

            But you still have to deal with the customer, and The Customer is Still King. What do you do when the customer's demands are a direct conflict with your security model?

  12. Pascal Monett Silver badge

    "this overwhelming sense of not being able to keep up"

    Not a surprise.

    I started my computer experience in 1986, with MS-DOS 1.0. Folders didn't exist until 2.1.

    I have had time to ease into each new functionality, learn its interest and how it works. I worked with Windows 1.0 and every iteration after until 7.

    At the same time, I witnessed the rise of Internet connectivity and, in parallel, malware and spam. Learning how to manage mail, and avoid virus traps is an ongoing process.

    I truly pity those who have to learn it all in one go today.

  13. Big Ed

    The Problem is TCP/IP

    Malware and Ransomware could be stopped by simply fixing TCP/IP to contain non-repudiable identity and source information.

    1. Charles 9

      Re: The Problem is TCP/IP

      In other words, you want a stateful Internet: no more anonymity. Plus what's to stop state-sponsored impersonation?

      1. Big Ed

        Re: The Problem is TCP/IP

        @Charles 9

        "...you want a stateful Internet: no more anonymity. Plus what's to stop state-sponsored impersonation?"

        Yes, a stateful set of trusted communication protocols for business and government - no anonymity to conduct business.

        And to stop "state-sponsored impersonation?" - our financial systems have trusted protocols at higher levels and by-and-large, they work.

        Treaties can help. And countries entering into the treaty agree to abide and provide legal frameworks. And ISPs that want to participate - they can agree to shut down untrusted traffic - or not participate. And if their customers are shut out from trusted e-commerce, they will demand and force the ISP to be a part.

        Every major invention has gone through this international treaty and standardization process: telecom, radio, aircraft, nuclear non-proliferation, etc...

        Anonymous communication provides cover for criminals.

        Take the criminals out of the e-commerce equation, and leave anonymity for social media.

        1. Charles 9

          Re: The Problem is TCP/IP

          "And to stop "state-sponsored impersonation?" - our financial systems have trusted protocols at higher levels and by-and-large, they work."

          Oh? Wells Fargo? SWIFT? I suspect we're only seeing the tip of the iceberg and that a lot of bank sleight of hand is being conducted under everyone's nose, likely through currency inflation so that no one knows the real value of anything anymore.

          "Anonymous communication provides cover for criminals."

          AND whistleblowers, who in oppressive places can literally fear for their lives. Throw out the baby with the bathwater?

        2. Kurt Meyer

          Re: The Problem is TCP/IP

          @ Big Ed

          "Take the criminals out of the e-commerce equation..."

          The only problem I can see with your solution is what to do to fill the rest of the morning.

    2. Anonymous Coward
      Anonymous Coward

      Re: The Problem is TCP/IP

      For every complex problem there is an answer that is clear, simple, and wrong. -Henry Louis Mencken

      1. Kurt Meyer

        Re: The Problem is TCP/IP

        @ AC Re: Henry Louis Mencken

        Love me some Mencken.

        Thanks

  14. Florida1920
    Pint

    Worried about cybersecurity?

    There's an app for that. ------->

  15. Prndll

    Attention must be paid

    I'm sure that there are people that have given up. It is a shame that so many would get caught in the grip of fear needlessly over all this.

    Cybersecurity is NOT nearly as complicated as it is being portrayed. It does however mean certain decisions need to be made.....by the end user, by the manufacturer, by software engineers, by governments, and by the makers of operating systems. All of which need to take the issue a lot more seriously than they currently do.

    The average person (the end user) usually leaves it all to someone else to be responsible for. This is proven in the popularity of iPhones and iPads (smartphones and tablets). End users must take the initiative and the time to actually 'learn' something about the equipment and the devices they spend all the money and time on. Without that, nothing anyone else ever does will ever matter much.

    Manufacturers need to understand that they are helping to create bigger problems by being more concerned about making money than they are for maintaining an environment where their customer base is protected, secured, and provided for over the long term. Far too many people across the planet are convinced that this is what Apple does. Apple 'shields' its users and thereby makes them dependent as they never really learn anything. They just "look" cool. Well....looking cool does NOT mean being cool. It also does not translate to anything that can be called cybersecurity. Windows seems to be far easier for most people to grasp but is so obviously the worst offender when it comes to the important issue. Personally, I would push for Linux. But this does come with a learning curve that most users simply don't care to invest in (which is part of the problem).

    Governments all over the planet have made it quite clear that they are only interested in any of this to the point of keeping the masses under their control.

    As long as the biggest portion of the human population remains unwilling to actually learn anything about computer technology beyond social media, so intently interested in playing the latest games, and pushing their own responsibilities onto others (big companies like Apple, Microsoft, Facebook, Twitter, Sony, etc.) then it is easy to understand why no one can properly focus on the real problems.

    You have to get rid of Flash, Java, ActiveX, VBScript (Internet Explorer and Edge). You have to start filtering out online advertising at all levels. You have to understand that doing these things might 'break' websites but these websites are things that need to be avoided anyway.

    1. Charles 9

      Re: Attention must be paid

      "The average person (the end user) usually leaves it all to someone else to be responsible for. This is proven in the popularity of iPhones and iPads (smartphones and tablets). End users must take the initiative and the time to actually 'learn' something about the equipment and the devices they spend all the money and time on. Without that, nothing anyone else ever does will ever matter much..."

      Then we're lost, as people lack the time and willingness to learn. As the comedian says, you can't fix stupid. You CAN'T work around the stuff as that's what the people want (or even NEED, ask anyone who has to control expensive devices with nothing but Flash) every day, and they won't part with it. The Customer Is King. What do you do when you're told you CAN'T remove Flash as the business DEPENDS on it and they can't afford to replace the machine?

      1. Prndll

        Re: Attention must be paid

        "...ask anyone who has to control expensive devices with nothing but Flash..."

        That is precisely my point. It is time to ask questions regarding why it is required that these devices use Flash in the first place instead of demanding they use something else. It is time to actually deal with the fact that such devices are 'required' rather than summarily rejected BEFORE they are purchased.

        Trying to fix the barn doors after the horses come home is futile. Which is WHY we are all in this mess to start with. Now I do understand the idea that "hindsight is always 20/20" but this is a very real problem that is getting worse by the day. Retailers, manufacturers, ISPs, and marketing departments are going to follow trends based on what the mass population does. ALL of these entities can be manipulated. Everyone seems to be stuck in a frame of mind that indicates the exact opposite. There is strength in numbers. This has been proven time and time again throughout history.

        1. Charles 9

          Re: Attention must be paid

          "That is precisely my point. It is time to ask questions regarding why it is required that these devices use Flash in the first place instead of demanding they use something else. It is time to actually deal with the fact the such devices are 'required' rather than summarily rejected BEFORE they are purchased."

          Because they were purchased a long time ago when it was pretty much the ONLY way to go. You forget that in many industries long-term investments are pegged to run for DECADES. Thanks to the breakneck pace of technology, it's practically impossible to predict the direction of technology that far forward.

          "Trying to fix the barn doors after the horses come home is futile."

          So is trying to secure the barn doors against very aggressive animals who will probably just bust them down. We're probably already at the point where we've bitten off more than we can chew but are forced by momentum to see this through to the end.

          "There is strength in numbers. This has been proven time and time again throughout history."

          What history REALLY tells us is that strength in numbers can only work when directed properly. IOW, effective leadership can mean the difference between an army and a mob. That's why riot police can do their job, why the Romans won the Battle of Watling Street, why Americans could hold off so many Chinese in Korea, and so on.

  16. Ilsa Loving
    Mushroom

    Not surprising

    The level of change in technology is ridiculously high. Things are changing constantly, and 99% of the time it's not even for the better. There are 50 alternatives to almost *everything*. From messengers, to email systems, to programming frameworks, with new ones appearing almost daily, and nobody works together because they all want to trump everyone else, resulting in countless balkanized systems that all need to be managed. Right now on my phone I have no less than *9* different messenger tools, and I don't even have Facebook on it.

    What we need is for the government to step in and set some ground rules for minimum functionality and compatibility, and force companies to work together. They did it for phone service, and as a result, phone service is the only communications medium that is guaranteed to work no matter who or where you are.

  17. Ray Barto

    One easy solution is to stop using a computer for anything important.

    1. Charles 9

      "One easy solution is to stop using a computer for anything important."

      Ever considered that train has already left the station? The way things are being reorganized, going back to the old days (as I put it, back to the Sears catalog) may be more trouble than it's worth, especially since you can't UNlearn what we learned in the meantime.

  18. Bou Te

    Could the new Evil Empire have it right?

    The average homeowner has neither the funding nor the expertise to place a sophisticated ultra-bot, neural net, heuristic, intrusion prevention, AI defender with self-learning capabilities at the entrance into their residence.

    As an IT professional, I couldn't tell you the last time I patched my own home router. My annual upgrades were "often enough" that I didn't care. I have the Google OnHub and there has been a shift on their part to be that protective beast made of unobtanium. They analyze threats and patterns across all the routers and adapt the software accordingly and in an automated fashion unbeknownst to the unwitting end users like myself.

    Does the next generation of protection look like centralized learning with the lessons pushed out to the children nodes? Did Google get something right? Will the ensuing IoT rush from Google see us end users protected or will we all be leaving our front door keys in the locks and going to sleep?

  19. Dwarf

    Users are lazy and don't understand why.

    They are supposed to lock their front door when they leave home, but some don't

    They are supposed to check their oil level on their car when they refuel, but most don't

    They are supposed to secure their WiFi by changing the factory defaults, but didn't. Now all home routers come with device specific WiFi passwords to prevent that.

    They don't understand technology, so probably couldn't do a firmware update or apply a patch, even if they wanted to.

    So, why are we surprised when they don't do something on their computers, particularly as the first ones are visible (theft and an oil light on the car), but the last two are not visible or understood.

    What we can say though is that IoT is going to make this problem a lot worse..

  20. Anonymous Coward
    Anonymous Coward

    Well well, the corruption goes on and up. It's all too much hassle

    I think we are seeing the beginnings of awareness from researchers to something ordinary people have been saying for a while now. "It's all too complicated. I just wanna do this... or that"

    Most people know how to work a device without ever understanding how it works - with some not knowing or caring if there is a difference.

    We as an industry have to make IT Security: simple, easy to use, or better still invisible!

    The more complex the industry makes things like security the less engagement it will see from its users, simply because they won't have the time or inclination to engage with it. They are the users of tech, who do so to achieve a goal. That goal is not technology itself nor its security - such things are simply a distraction from the user goal they don't want to "have to" know about.

    This is why generation X Y & Z don't give a stuff about it, and have the mantra "if it happens it happens" -I can confirm this as I've consulted with subject matter experts - aged 8 and 17 :¬)

  21. Anonymous Coward
    Anonymous Coward

    NIST doth protest too much

    I've been reviewing the new guidelines from NIST on cybersecurity and the DOD. 800 pages of risk management/ISO-type framework, which relies on writing reports more than ensuring compliance. NIST and their Taxonomy of Everything approach to guidelines makes people give up from sheer overwhelm. NIST is very much part of the problem when it comes to users giving up on security.

  22. hidalgonat

    I am one of those people who just want to use the computer to check email, buy something now and again and go on social media. I hate that I need to create a password for everything. And then it has to be what that particular company thinks is a secure password. You must have 1 uppercase or symbol or some other combination. I should not have to change my password every 6 months or year. Who cares about a Pinterest account? Who cares about this site also? Why do I need a password for everything even to just make a comment about having to make a password? After a while it is easy to just say "screw it" and when you forget a password? uggh! The hoops to jump thru are stupid. Like, what was my answer to that security question from five years ago? Who cares. And just to put this comment here I need an account, a password, a verified link from my email? Proves my point. Who is going to hack into my account here and post comments in my name? It's just a means for sites to flood my email with junk mail.

    1. Charles 9

      Someone can hack into your account and use it to glean information to perform social engineering attacks to get at your other accounts. It's happened, and El Reg has reported on it. And since we can't present ID cards or the like to say who we are, we have to use best analogue in a "not present" situation: a username/password combo. It's basically the only option open, and an open forum is a no-no because of forum spam problems. And the environment's such that bots are gaining the ability to pass simple Turing Tests and the rest can use sweatshops. It's like with dead bolts. You pretty much have to live with it or leave the Internet.

    2. Anonymous Coward
      Anonymous Coward

      "And then it has to be what that particular company thinks is a secure password"

      And why oh why can't they at least agree on a standard minimum and maximum length, or if that's too onerous, at least put on the signup page what the bloody max length is. I'm totally sick of using my standard length password, discovering it doesn't work and spending the next 10 minutes working out what random length they've truncated it to without bothering to mention it.

      No wonder people give up and resort to 8 character text only.

      1. Vic

        at least put on the signup page what the bloody max length is

        Any account with a maximum password length is necessarily insecure. You should think very carefully about using it at all...

        Vic.

        1. Charles 9

          "Any account with a maximum password length is necessarily insecure."

          Any database that DOESN'T enforce a maximum length will become the victim of a DoS attack as someone exploits the lack of a length check to fill up that system.

          A maximum length is a necessary evil. What's key is how much space is allocated to the job (say, no smaller than 64, higher depending on the valuables to be protected).

          1. Vic

            Any database that DOESN'T enforce a maximum length will become the victim of a DoS attack as someone exploits the lack of a length check to fill up that system.

            No it won't. The database must never see the password - just a hash of it, which is a constant length.

            Any database storing the actual password is ripe for credential-stealing.

            Vic.

            1. Anonymous Coward
              Anonymous Coward

              A hash allows for collisions, plus what if it's a situation where it MUST be stored (for example, to allow for a recovery because a reset can't be used--ties to other security systems, for example)?

              1. Vic

                A hash allows for collisions,

                A decent hash has very few problems with collision - but besides that, that's part of the reason for using a salt. Getting a collision on a salted hash is very tricky indeed.

                plus what if it's a situation where it MUST be stored (for example, to allow for a recovery because a reset can't be used--ties to other security systems, for example)?

                No such situation exists. If the password is lost, you reset it. Recovering it is asking for trouble.

                Vic.
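The two points argued in this sub-thread, that the database only ever stores a fixed-length salted hash and that any length cap belongs in front of the hashing step rather than on the stored column, as an added example that is not part of the thread or of any commenter's code. It uses only the Python standard library; the 1024-byte cap, the PBKDF2 work factor, the salt size and the sample passwords are assumptions of this example:

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed values for this example: a cap on the bytes fed into the key-derivation
# function (this protects CPU time on the server, not the database column), the
# PBKDF2 work factor, and the salt size. Tune the work factor for real hardware.
MAX_PASSWORD_BYTES = 1024
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # SHA-256 output; a stored record is always SALT_BYTES + DIGEST_BYTES


def too_long(password: str) -> bool:
    """Length check applied before any hashing work is done."""
    return len(password.encode("utf-8")) > MAX_PASSWORD_BYTES


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password): the only thing the database sees.

    The result is always 48 bytes whatever the password length, so the stored
    column needs no knowledge of the password at all. A fresh random salt is
    drawn per record unless one is supplied (useful only for deterministic tests).
    """
    if too_long(password):
        raise ValueError("password exceeds MAX_PASSWORD_BYTES")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if too_long(password) or len(stored) != SALT_BYTES + DIGEST_BYTES:
        return False
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    short_pw = "correct horse battery staple"
    long_pw = "x" * 900
    for pw in (short_pw, long_pw):
        record = hash_password(pw)
        print(f"password length {len(pw):>4} -> stored record {len(record)} bytes")
    # Same password under two random salts gives two different records, so a
    # leaked table reveals neither shared passwords nor anything precomputable.
    fixed_salt = b"\x00" * SALT_BYTES
    print("same salt, same record:",
          hash_password(short_pw, fixed_salt) == hash_password(short_pw, fixed_salt))
    print("different salts, same record:",
          hash_password(short_pw) == hash_password(short_pw))
```

The cap is checked before `pbkdf2_hmac` runs because a slow, deliberately expensive KDF is what an oversized input would tie up; the stored record stays 48 bytes regardless. `hmac.compare_digest` is used for the final comparison so that verification time does not leak how many leading bytes of the digest matched.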

    3. Vic

      Who is going to hack into my account here and post comments in my name?

      So post your password. You'll soon find out why it's a good idea to secure it...

      Vic.

  23. admiraljkb

    the 40 they interviewed...

    may not be enough for a proper statistical sample, but it does match what I've been seeing out in the real world where people just don't give a flip anymore. I've basically been told repeatedly by different people (and I'm paraphrasing) "All this security stuff is just a downer, so stop harshing my mellow." and this was corporate IT folks, although family members and friends have been no different.

    I agree with their findings that there is massive security burnout in a large swath of the population.
