Re: Hi-tech no panacea for ID theft woes

From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 09/10/05


Date: 10 Sep 2005 00:06:03 GMT


"Brett Michaels From Poison" <jms504@gmail.com> writes:

>I'm talking along the lines of end users, which I believe are the
>number one weakness in any security structure. Most end users don't
>know a hammer from a nail when it comes to computer security.
> I'm not speaking common sense on a specific user, but rather a general
>base of common sense.
>If these end users were more educated and used more common sense
>measures, eg. not opening unknown attachments, not writing your pin on
>your mac card, this would allow IT Admins to concentrate their efforts
>on more difficult security measures.
>Some end users actually do "dumb things" more than anyone realizes.
>As a security auditor, the place we find the largest pool of weaknesses
>is end user behavior/lack of policy adherence.

Unfortunately this is usually false. It comes from admins or whatever who have
no knowledge whatsoever of people's abilities and psychology. It is like
thinking that you can build a ladder to the moon because you have no
knowledge of physics. People CANNOT remember 10 complicated passwords. They
simply cannot. IF they are to use the system they have to subvert it. Of
course the administrator then comes down on them for being stupid, dumb,
whatever. It is not they who are, it is the administrator almost always.
I.e., security policies which make assumptions about people are not let down
by the end user, they are let down by the administrator who originally put
them into place.

>The answer to security problems isn't always complicated and sometimes
>not even electronic!

Agreed. We may disagree however on where the problem lies.