Information Warfare: Putting The Blame Where It Never Belonged

July 4, 2011: Earlier this year, the U.S. DHS (Department of Homeland Security) ran a fairly common type of security check on government employees and contractors who work in secure (closed to the public) buildings and work on secret data. The test consisted of leaving data CDs and thumb (USB) drives on the ground in their parking lots. About 60 percent of these items were taken inside, and office computers were used to see what was on the CDs and thumb drives. This is how hackers often get into secret networks. The DHS security people, who ran the test, issued a press release bemoaning the failure of people with security clearances (and training in how to preserve secrets) to recognize this as a ploy to load a virus or worm onto secret networks. This was kind of lame, because this sort of ploy has been used for decades, and the security experts still have not dealt with it.

What the DHS security boffins missed, along with most people in the security business, is that such failures are not the fault of users (who have other jobs to occupy them), but of the security people, whose sole job is preserving secrets. This is a common problem. In any manufacturing industry, there is often a bad attitude towards "dumb users." The creators of complex gear seem to miss that one purpose of designing such a product is to make it easy to use. Apple has long recognized this, and one of their catch phrases is that "it just works." Apple has grown prosperous by thinking of their customers not as clueless users, but as valuable customers who deserve products that are easy to use and just work.

An increasing number of people in the security field are adopting the Apple attitude. Take, for example, the problem with CD drives and USB ports on computers with access to secret data. You can modify the operating system to not allow unauthorized CDs or thumb drives to be used on these PCs. Sure, it's more work for the security people (who would have to work with similarly "user hostile" software and hardware developers), but in the end it's less hassle for the users, and fewer security problems. Sometimes doing things the right way takes a little more effort, and a bit more insight.