Re: Hi-tech no panacea for ID theft woes

From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 09/10/05


Date: 10 Sep 2005 00:06:03 GMT


"Brett Michaels From Poison" <jms504@gmail.com> writes:

>I'm talking along the lines of end users, which I believe are the
>number one weakness in any security structure. Most end users don't
>know a hammer from a nail when it comes to computer security.
> I'm not speaking common sense on a specific user, but rather a general
>base of common sense.
>If these end users were more educated and used more common sense
>measures, eg. not opening unknown attachments, not writing your pin on
>your mac card, this would allow IT Admins to concentrate their efforts
>on more difficult security measures.
>Some end users actually do "dumb things" more than anyone realizes.
>As a security auditor, the place we find the largest pool of weaknesses
>is end user behavior/lack of policy adherence.

Unfortunately this is usually false. It comes from admins or whatever who have
no knowledge whatsoever of people's abilities and psychology. It is like
thinking that you can build a ladder to the moon because you have no
knowledge of physics. People CANNOT remember 10 complicated passwords. They
simply cannot. IF they are to use the system they have to subvert it. Of
course the administrator then comes down on them for being stupid, dumb,
whatever. It is not they who are, it is the administrator almost always.
I.e., security policies which make assumptions about people are not let down
by the end user, they are let down by the administrator who originally put
them into place.

>The answer to security problems isn't always complicated and sometimes
>not even electronic!

Agreed. We may disagree however on where the problem lies.


