Security's weakest link is people

Off the Beat: Bruce Byfield's Blog
A few years ago, a neighbor asked me to help secure their computer. I'm not an expert on Windows, but I told them to run non-administrative accounts except when doing maintenance, and set passwords for their regular accounts. I also suggested that if they avoided dodgy download sites, they might not have to pay to have their computer cleaned up every few months.
Several months later, I learned that they had gone back to using administrative accounts and stopped using passwords because they were "too much trouble." As for the hazards of download sites, they had just paid another $200 to have the malware and viruses removed.
I think of these neighbors whenever I see efforts to promote security and privacy like the EFF's An Introduction to Public Key Cryptography and PGP or Qubes OS's use of Xen to provide a "reasonably secure operating system." However much those of us who already understand the importance of such efforts applaud them, and however desktop-ready security and privacy tools become, large numbers of computer users will still reject them as too much trouble (as opposed, apparently, to losing the use of your computer every few months while everything is reinstalled). When it comes to security and privacy, people are the greatest vulnerability.
In 2004, the BBC reported on a survey in which 70% of those stopped on the London Underground would either reveal their passwords in return for a chocolate bar or, after mentioning that their passwords were based on the names of pets or children, would go on to reveal that name in conversation. Twelve years later, the annual worst-password list suggests that the understanding of the importance of passwords has not improved.
Faced with a choice between securing their system and short-term convenience, far too many people still prefer short-term convenience, ignoring the potential long-term costs. If they do not ignore basic precautions altogether, they carry them out in a way that makes them useless, such as choosing a password like "123456," or writing their passwords down in an address book that they conveniently leave beside their workstation.
Some of this carelessness might be due to a misplaced faith in static measures like firewalls or anti-virus applications, which people believe can be set up once and then ignored. However, given how often I have seen people give a guilty start and mutter lame excuses when I recommend a firewall, even one-time actions are too much inconvenience for many people.
In Unix-like operating systems like Linux, this carelessness often takes the shape of an uninformed faith in how the operating system is structured. People who are unable to explain exactly what features make Linux secure are nonetheless convinced that it is secure, and reject any suggestion that configuration plays a role as FUD propagated by Windows users.
Needless to say, this faith is misplaced. Anyone who doubts the importance of configuration only needs to look at the wide-open state of Android on the average tablet to understand that having a Unix-like operating system is not an automatic protection. Similarly, many security distributions routinely disable the automounting of flash drives and other external devices -- a practice that early distributions routinely followed, but which was discontinued shortly after the turn of the millennium in the hope of making Linux as convenient as Windows.
Admittedly, viruses and other attacks on Linux usually go no further than the current account. Still, that is enough if a user is running all the time as root, or using no password or a weak one, especially if sudo is set up and no defence in depth -- that is, multiple security measures -- is in place. In fact, even if an exploit is successfully confined to a single account, careless users may still be in trouble, because making regular backups requires too much short-term inconvenience.
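The combination described in the previous paragraphs (an account with no password, sudo configured so that it never prompts, extra root-level accounts) is something an administrator can check for rather than take on faith. The audit below is an added example, not code from the article or from Linux Magazine; it parses passwd(5)-, shadow(5)- and sudoers-formatted text and reports the careless configurations the article names. All input is constructed sample data embedded in the script, so it runs offline; the severity labels and the account names (alice, bob, toor) are assumptions for illustration.

```python
"""Audit account and sudo configuration for the carelessness the article
describes: password-less interactive accounts, passwordless sudo, and
extra UID-0 accounts.  Sample data below is constructed, not taken from
any real system."""
from typing import Dict, List, Tuple

# Constructed sample files (not from a real machine).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second UID-0 account:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$constructedhash1:19700:0:99999:7:::
alice::19700:0:99999:7:::
bob:$6$saltsalt$constructedhash2:19700:0:99999:7:::
toor:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""

SAMPLE_SUDOERS = """\
# constructed sudoers fragment
Defaults env_reset
root ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) ALL
"""

# Shells that deny interactive login; accounts using them are not counted.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> Dict[str, Tuple[int, str]]:
    """Map user name -> (uid, login shell) from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = (int(uid), shell)
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password field from shadow(5)-formatted text."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw = line.split(":", 2)[:2]
        fields[name] = pw
    return fields


def find_passwordless_accounts(passwd, shadow) -> List[str]:
    """Interactive accounts whose shadow password field is empty: login
    succeeds with no password at all.  Locked fields ('!' or '*') deny
    password login rather than skipping it, so they are not reported."""
    return sorted(name for name, (_uid, shell) in passwd.items()
                  if shell not in NOLOGIN_SHELLS and shadow.get(name, "x") == "")


def find_extra_uid0(passwd) -> List[str]:
    """Accounts other than root with UID 0; each is a second root login."""
    return sorted(name for name, (uid, _shell) in passwd.items()
                  if uid == 0 and name != "root")


def find_nopasswd_sudo(sudoers_text: str) -> List[str]:
    """Principals (users or %groups) granted sudo without a password prompt."""
    principals = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if "NOPASSWD:" in line:
            principals.append(line.split()[0])
    return sorted(principals)


def audit(passwd_text: str, shadow_text: str, sudoers_text: str) -> List[str]:
    """Combine the checks; a password-less account that also has NOPASSWD
    sudo is the worst case, since its login prompt is effectively root."""
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    no_pw = find_passwordless_accounts(passwd, shadow)
    nopasswd = set(find_nopasswd_sudo(sudoers_text))
    findings = []
    for name in no_pw:
        if name in nopasswd:
            findings.append(f"CRITICAL {name}: no password and NOPASSWD sudo")
        else:
            findings.append(f"HIGH {name}: interactive account with no password")
    for name in find_extra_uid0(passwd):
        findings.append(f"HIGH {name}: extra UID-0 account")
    for name in sorted(nopasswd - set(no_pw)):
        findings.append(f"MEDIUM {name}: sudo without password prompt")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SUDOERS):
        print(finding)
```

On a real system the three inputs would be read from /etc/passwd, /etc/shadow (root only) and /etc/sudoers plus /etc/sudoers.d; the parsers deliberately ignore comments and Defaults lines and do not attempt to crack hashes, so the weak-password half of the article's point still needs a password policy rather than an audit script.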
Beyond social engineering
The idea that people are the weakest link in security is not news to security experts. They even have a name for it: social engineering.
Social engineering refers to any exploit against a system that is not based on technology. It covers a wide variety of actions, from finding a list of passwords taped under the keyboard to using personal information such as a person's birthday or favorite sports star to break into a computer. Depending on configuration, breaking into a regular account based on knowledge of its owner can even be the first step to gaining root access.
However, the kind of carelessness I am describing goes beyond the usual examples of social engineering, even though it obviously enables many of them. Such carelessness can make any form of cracking unnecessary, leaving a system open without the need for any special effort. All too often, users who value convenience over security have defeated themselves before the crackers even begin their probe.
Developing tools for encryption or for enforcing strong passwords is something I would like to see more of, but such efforts are only effective when people understand the need for them and the tools themselves are as user-friendly as possible. Beyond providing tools, therefore, efforts to improve security have to educate people, not only about why the tools are needed, but also about the consequences of ignoring them. Otherwise, carelessness is going to continue to undermine security, just as it has for the last thirty-five years.