Security's weakest link is people

Off the Beat: Bruce Byfield's Blog
A few years ago, a neighbor asked me to help secure their computer. I'm not an expert on Windows, but I told them to run non-administrative accounts except when doing maintenance, and set passwords for their regular accounts. I also suggested that if they avoided dodgy download sites, they might not have to pay to have their computer cleaned up every few months.
Several months later, I learned that they had gone back to using administrative accounts and stopped using passwords because they were "too much trouble." As for the hazards of download sites, they had just paid another $200 to have the malware and viruses removed.
I think of these neighbors whenever I see efforts to promote security and privacy like the EFF's An Introduction to Public Key Cryptography and PGP or Qubes OS's use of Xen to provide a "reasonably secure operating system." However much those of us who already understand the importance of such efforts applaud, and however desktop-ready security and privacy tools become, they will still be rejected by large numbers of computer users as too much trouble (as opposed, apparently, to losing the use of your computer every few months while everything is reinstalled). When it comes to security and privacy, people are the greatest vulnerability.
In 2004, the BBC reported on a survey in which 70% of those stopped on the London Underground would either reveal their passwords in return for a chocolate bar, or, after mentioning that their passwords were based on the names of pets or children, would go on to reveal that name in conversation. Twelve years later, the annual worst password list suggests that the understanding of the importance of passwords has not improved.
Faced with a choice between securing their system and short-term convenience, far too many people still prefer short-term convenience, ignoring the potential long-term costs. If they do not ignore basic precautions altogether, they carry them out in such a way as to make them useless, such as choosing a password like "123456," or writing their passwords down in an address book that they conveniently leave beside their workstation.
Some of this carelessness might be due to a misplaced faith in static measures like firewalls or anti-virus applications, which people believe can be set up once and then ignored. However, given how often I have seen people give a guilty start and mutter lame excuses when I recommend a firewall, even one-time actions are too much inconvenience for many people.
In Unix-like operating systems like Linux, this carelessness often takes the shape of an uninformed faith in how the operating system is structured. People who are unable to explain exactly what features make Linux secure are nonetheless convinced that it is secure, and reject any suggestion that configuration plays a role as FUD propagated by Windows users.
Needless to say, this faith is misplaced. Anyone who doubts the importance of configuration only needs to look at the wide-open state of Android on the average tablet to understand that having a Unix-like operating system is not an automatic protection. Similarly, many security distributions disable the automounting of flash drives and other external devices -- a practice that early distributions routinely followed, but which was discontinued shortly after the turn of the millennium in the hope of making Linux as convenient as Windows.
Admittedly, viruses and other attacks on Linux usually go no further than the current account. Still, that is enough if a user is running as root all the time, or using no password or a weak one, especially if sudo is set up and no defence in depth -- that is, multiple security measures -- is in place. In fact, even if an exploit is successfully confined to a single account, careless users may still be in trouble, because making regular backups requires too much short-term inconvenience.
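The three configuration habits the column names -- living in a root account, having no password, and a sudo setup that never asks for one -- are all visible in plain files, so they can be checked rather than taken on faith. The script below is an added example, not code from the column or from any distribution; it audits constructed copies of `/etc/passwd`, `/etc/shadow` and `/etc/sudoers` (the sample accounts, the placeholder hash and the file paths are all assumptions) and reports how many of those weaknesses it finds before and after the sudo rule is corrected.

```sh
#!/bin/sh
# Added audit example (not from the column). It checks constructed copies of
# the files behind the column's warnings: a second UID-0 account (running as
# root all the time), accounts with no password, and NOPASSWD sudo rules.
# On a live system you would pass /etc/passwd, /etc/shadow and /etc/sudoers
# (reading the latter two needs root); the functions only read their arguments.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample files. "toor" is a second UID-0 account; "alice" has an
# empty password field and a NOPASSWD sudo rule; the hash is a placeholder.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF

cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
toor:!:19000:0:99999:7:::
alice::19000:0:99999:7:::
EOF

cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# constructed sudoers sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
# bob ALL=(ALL) NOPASSWD: ALL
EOF

# The same file with alice's rule corrected so sudo asks for her password.
sed 's/NOPASSWD: //' "$SAMPLE_DIR/sudoers" > "$SAMPLE_DIR/sudoers_fixed"

# Accounts other than root whose UID is 0: anyone logging in as them is root.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty: login needs no password at all.
# (A locked account shows "!" or "*" there, which is not the same thing.)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Active (non-comment) sudoers lines that skip authentication.
nopasswd_sudo_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || :
}

# Total number of findings across the three checks; 0 means clean.
audit_findings() {
    {
        extra_root_accounts "$1"
        empty_password_accounts "$2"
        nopasswd_sudo_rules "$3"
    } | grep -c . || :
}

echo "extra UID-0 accounts:  $(extra_root_accounts "$SAMPLE_DIR/passwd")"
echo "passwordless accounts: $(empty_password_accounts "$SAMPLE_DIR/shadow")"
echo "NOPASSWD sudo rules:   $(nopasswd_sudo_rules "$SAMPLE_DIR/sudoers")"
echo "findings before fix:   $(audit_findings "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/sudoers")"
echo "findings after fix:    $(audit_findings "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/sudoers_fixed")"
```

Each check reads only the file it is given, so the same functions work against the real system files when run as root, and against copies pulled from a backup when checking whether those backups the column mentions actually capture a sane configuration. Correcting the sudo rule removes one finding; the extra root account and the passwordless login remain until someone acts on them, which is the column's point.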
Beyond social engineering
The idea that people are the weakest link in security is not news to security experts. They even have a name for it: social engineering.
Social engineering refers to any exploit against a system that is not based on technology. It covers a wide variety of actions, from finding a list of passwords taped under the keyboard to using personal information such as a person's birthday or favorite sports star to break into a computer. Depending on configuration, breaking into a regular account based on knowledge of its owner can even be the first step to gaining root access.
However, the kind of carelessness I am describing goes beyond the usual examples of social engineering, although obviously it enables many of them. This carelessness can make any form of cracking unnecessary, leaving a system open without the need for any special effort. All too often, users who value convenience over security have defeated themselves before the crackers even begin their probe.
Developing tools for encryption or enforcing strong passwords is something I would like to see more of, but such efforts are only effective when people understand the need for them, and when the tools themselves are as user-friendly as possible. Besides providing tools, efforts to improve security have to educate people, not only about why the tools are needed, but about the consequences of ignoring them. Otherwise, carelessness is going to continue to undermine security, just as it has for the last thirty-five years.
Issue 270/2023