[cap-talk] nice article about usefulness of "security advice"

Matej Kosik kosik at fiit.stuba.sk
Mon Jan 4 23:54:36 PST 2010


<OT>
I wish everybody here all the best in this year 2010 (health, love,
happiness, success and not excluding $$$)
</OT>

Despite the origin (One Microsoft Way) of this article:

http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

The part I like is:

it openly points to the prevalent effort to pretend security effort by
giving various vague promises concerning "improving security". I like
the following sincere observation:

<CITE>
"Given a choice between dancing pigs and security,
users will pick dancing pigs every time." While amusing,
this is unfair: users are never offered security, either
on its own or as an alternative to anything else. They
are offered long, complex and growing sets of advice,
mandates, policy updates and tips. These sometimes
carry vague and tentative suggestions of reduced risk,
never security. We have shown that much of this advice
does nothing to make users more secure, and some of it
is harmful in its own right. Security is not something
users are offered and turn down. What they are offered
and do turn down is crushingly complex security advice
that promises little and delivers less.
</CITE>

Promoters of mainstream security tools would probably refute it.
