[cap-talk] Security choices - human vs. automated (was: Google Chrome - browser sandboxed)
raould at gmail.com
Sat Sep 6 19:51:37 CDT 2008
> Are there choices that can't be automated but are also
> unreasonable for humans to make? I can't think of any
> off hand. If we can develop such a category, then
> perhaps we can work on shrinking it.

* it certainly seems like users are presented with precisely the bad
category all the time these days, so we aren't doing a great job at

* i'd guess it is case-by-case because the tuple of (which human you
are asking, what the question is) is critical in determining the
answer to what you ask, each time.

* further it depends on the particular details and context because
what can be automated is a moving target as we improve the abilities
of our systems (if the changes really are always improvements).

taking your tax example, what are some assumptions about the scenario
e.g. how trustworthy is the new tax program? if the new tax program
were to attempt to illicitly transmit the old tax info to a 3rd party,
would one deflect blame on the user who said "go ahead"? what if the
access to the old returns were over some unsecured network connection?
or if there were an option to use a secured one, but the self-signed
certificate makes the ui barf a little bit? etc.

i wish i knew how to say the devil is in the details in latin.