The Main Security Problem

All security problems are to some degree people problems. Code may be buggy, but it was written by people who could have been better trained, had more time to spend on code review, etc. When there are multiple programs, OSs, libraries, etc to choose from then choosing a suitable combination of software is a matter of the skill and background knowledge of the people involved.

There are issues of software choice where there is no provable benefit of making one particular choice, EG choosing between a popular product that is OK and for which it is easy to hire skilled people to use it and a less popular product that has better security features but less public knowledge. But this is minor compared to other security problem.

I believe that the greatest security problem is stupid people. Stupid people in technical positions write buggy code and configure servers to be insecure. In consulting and analysis roles they develop bad procedures. In management they hire bad people to do technical work.

The vast majority of security problems can be fairly directly and immediately traced back to stupidity. In the corporate environment that is stupid programmers, stupid managers who hire people who are obviously stupid, and often stupid executives for mandating that software that everyone knows to be insecure should be used across the entire enterprise. In both the home and corporate environments there are a huge number of people who run machines that they know to be compromised. Apparently using a computer that is known to be under the control of an unknown hostile person is something that they don’t consider to be a problem – in spite of the obvious risks of fraud, data destruction, and risk of being implicated in crimes such as the distribution of child porn.

6 comments to The Main Security Problem

  • tshirtman

    Well that’s not news for most people I think… but do you have a solution?

    Stupidity is obviously the root of most humanity problems, solving this would be a major improvement, but I’m apparently too stupid to see a solution to human stupidity. Thats just too bad…

  • As my mother used to say, there’s no such thing as stupid people, only stupid blogs.

    Or something like that.

  • etbe

    tshirtman: Recognising the cause of the problem is usually the first step towards solving it. Companies that repeatedly declare their security problems to be strictly a combination of bad luck and the work of outside attackers are never going to solve them. When an attacker compromises security it is in most cases not strictly a case of an attacker being too smart or lucky, it’s usually a case of the victim not taking any of the reasonable measures to defend themself.

    When a laptop or portable storage device is lost with sensitive data it’s not a matter of bad luck in losing the object. It’s an issue of stupidity that sensitive data was ever stored unencrypted in a portable device.

  • Whilst ultimately stupidity may underlie many problems it is a fairly trite answer.

    Laptop security is a good example I think. All laptops are portable, and most are very attractive to thieves, and almost all will have some security sensitive information be it only email user name and password stored (which can be the gateway to someone’s Paypal account or more).

    So obviously by now the industry has addressed this problem and delivers all laptops with encryption enabled by default? So you obviously don’t have to buy Windows Vista Enterpise or Ultimate or a third party product to get disk encryption on your laptop?

    Ultimately this reflects some sort of market failure, it might be that people are too stupid to ask for this feature, or it might be lack of competition in the operating system market. Certainly most third party operating systems include encryption in the installer.

    In this case I think that business buyers may have been irrational not to dual source operating systems, but I’m not sure one can blame any particular current purchaser in the current market situation.

    Adding and managing encryption to such devices after OS installation is non-trivial in many cases. So one might understand why it doesn’t often happen.

  • tshirtman

    @etbe: where I work, some people say that there are so much security concern that attackers probably thinks it’s a honey pot… it’s probably a bit late to clean up all this mess, we try to clean and not create new concerns, but the early days where awful (I was NOT here ;)). Some stupid butts needs majors kicks, but it won’t solve anything, things have to keep running now :/.