Security's weakest link is people
Off the Beat: Bruce Byfield's Blog
A few years ago, a neighbor asked me to help secure their computer. I'm not an expert on Windows, but I told them to run non-administrative accounts except when doing maintenance, and set passwords for their regular accounts. I also suggested that if they avoided dodgy download sites, they might not have to pay to have their computer cleaned up every few months.
Several months later, I learned that they had gone back to using administrative accounts and stopped using passwords because they were "too much trouble." As for the hazards of download sites, they had just paid another $200 to have the malware and viruses removed.
I think of these neighbors whenever I see efforts to promote security and privacy like the EFF's An Introduction to Public Key Cryptography and PGP or Qubes OS's use of Xen to provide a "reasonably secure operating system." However much those of us who already understand the importance of such efforts applaud, and however desktop-ready security and privacy tools become, they will still be rejected by large numbers of computer users as too much trouble (compared, apparently, with losing the use of your computer every few months while everything is reinstalled). When it comes to security and privacy, people are the greatest vulnerability.
In 2004, the BBC reported on a survey in which 70% of those stopped on the London underground would either reveal their passwords in return for a chocolate bar, or, after mentioning that their passwords were based on the names of pets or children, would go on to reveal that name in conversation. Twelve years later, the annual worst password list suggests that the understanding of the importance of passwords has not improved.
Faced with a choice between securing their system and short-term convenience, far too many people still prefer short-term convenience, ignoring the potential long-term costs. If they do not ignore basic precautions altogether, they carry them out in such a way as to make them useless, such as choosing a password like "123456," or writing their passwords down in an address book that they conveniently leave beside their workstation.
Some of this carelessness might be due to a misplaced faith in static measures like firewalls or anti-virus applications that people believe can be set up once and then ignored. However, given how often I have seen people give a guilty start and mutter lame excuses when I recommend a firewall, even one-time actions are too much inconvenience for many people.
In Unix-like operating systems like Linux, this carelessness often takes the shape of an uninformed faith in how the operating system is structured. People who are unable to explain exactly what features make Linux secure are nonetheless convinced that it is secure, and reject any suggestion that configuration plays a role as FUD propagated by Windows users.
Needless to say, this faith is misplaced. Anyone who doubts the importance of configuration only needs to look at the wide-open state of Android on the average tablet to understand that having a Unix-like operating system is not an automatic protection. Similarly, many security distributions disable the automounting of flash drives and other external devices -- a practice that early distributions routinely followed, but which was discontinued shortly after the turn of the millennium in the hope of making Linux as convenient as Windows.
Admittedly, viruses and other attacks on Linux usually go no further than the current account. Still, that is enough if a user is running all the time as root, or using no password or a weak one, especially if sudo is set up and no defence in depth -- that is, multiple security measures -- is in place. In fact, even if an exploit is successfully confined to a single account, careless users may still be in trouble because making regular backups involves too much short-term inconvenience.
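The account-hygiene points in the paragraph above (running as root, empty passwords, sudo configured without a password prompt) are all visible in a handful of system files, and checking them is a one-time action of exactly the kind the article says people skip. The script below is an added example, not code from the article or its author: it audits passwd-, shadow- and sudoers-format files for those three conditions. The sample files it creates are constructed for illustration; pointing the same functions at the real /etc/passwd, /etc/shadow and /etc/sudoers (which requires root to read) is the intended use.

```shell
#!/bin/sh
# Added example, not from the original article. Each check takes a file path,
# so it can run against constructed sample files (below) or the real
# /etc/passwd, /etc/shadow and /etc/sudoers when run as root.

# Accounts whose shadow entry has an empty hash field (field 2).
# An empty field means no password is required at all; a locked account
# shows "!" or "*" there instead and is not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts other than "root" that carry UID 0 in a passwd-format file.
# Any such account is a second root login, whatever it is called.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# sudoers rules that grant commands without asking for a password.
# Comment lines are skipped; "|| true" keeps "no matches" from being an error.
nopasswd_sudo_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || true
}

# Constructed sample files standing in for the real system files.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT

cat > "$sample_dir/shadow" <<'EOF'
root:$6$constructedhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$6$anotherconstructedhash:19000:0:99999:7:::
EOF

cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/sh
toor:x:0:0:second root login:/root:/bin/sh
EOF

cat > "$sample_dir/sudoers" <<'EOF'
# constructed sudoers file
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
EOF

# Print the three findings for a directory holding passwd, shadow and sudoers.
audit_report() {
    echo "Accounts with empty passwords:";  empty_password_accounts "$1/shadow"
    echo "Non-root accounts with UID 0:";   extra_uid0_accounts "$1/passwd"
    echo "Passwordless sudo rules:";        nopasswd_sudo_rules "$1/sudoers"
}

audit_report "$sample_dir"
```

On the constructed input the report names alice (no password), toor (a second UID 0 account) and alice's NOPASSWD rule; each of those is a finding that a user concerned with convenience alone would not notice until after an incident.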
Beyond social engineering
The idea that people are the weakest link in security is not news to security experts. They even have a name for it: social engineering.
Social engineering refers to any exploit against a system that is not based on technology. It covers a wide variety of actions, from finding a list of passwords taped under the keyboard to using personal information such as a person's birthday or favorite sports star to break into a computer. Depending on configuration, breaking into a regular account based on knowledge of its owner can even be the first step to gaining root access.
However, the kind of carelessness I am describing goes beyond the usual examples of social engineering, although obviously it enables many of them. This carelessness can make any form of cracking unnecessary, leaving a system open without the need for any special effort. All too often, users who value convenience over security are defeating themselves before the crackers even begin their probe.
Developing tools for encryption or enforcing strong passwords is something I would like to see more of, but such efforts are only effective when people understand the need for them and the tools themselves are as user-friendly as possible. Beyond providing tools, efforts to improve security have to educate people, not only about why the tools are needed, but also about the consequences of ignoring them. Otherwise, carelessness is going to continue to undermine security, just as it has for the last thirty-five years.