Comments on The Invisible Things Lab's blog: The Human Factor
Feed author: Joanna Rutkowska (http://www.blogger.com/profile/07657268181166351141); feed last updated 2023-11-24. 15 comments.

Anonymous, 2007-05-16 00:40 (+02:00):

There are all aspects of the "Human Factor" involved, from developers to end-users.
But...
The technology is definitely flawed! The network protocols we still use (and abuse) today were designed decades ago for functionality, NOT security.
A lot of our current technology is really just stretching the use of old technology in ways never conceived by the original designers. The original designers simply could not comprehend the nature of our present-day security environment.
To truly improve the security of the technology, the technology must be redesigned, from the ground up, with consideration to our current requirements, and those projected for the next decade or two.
Uh oh, wouldn't that cause compatibility problems? Imagine updating TCP/IP, Ethernet, even programming language revisions... Yes, absolutely it would. This is a much larger picture of what Microsoft needs to do (scratch-build to an architecture worthy of current and future security requirements).
Will it happen? No - not all at once anyway. Did the "Human Factor" cause all of this? Yes - but I think it is more helpful to separate technology issues and human issues, to appropriately address them. Otherwise, everything gets jumbled into one big confusing mess.

Anonymous, 2007-05-03 22:56 (+02:00):

Obviously the technology we use is flawed; I don't think anyone would argue that a browser having a bug should result in someone taking control of a computer.

I think you are misrepresenting the argument of "human error" that many people, and I, make. Most security problems at corporations are the result of incompetent management and lax configurations. It is possible to build a network that offers an acceptable level of security. Things can be segmented and separated. Most corporations can't and don't consider the case of an attacker with a tremendous amount of resources. Given an infinite amount of resources, mostly nothing is secure. Have you ever experienced dealing with the security of a corporate network? If you do, you will quickly realize that invisible malware is the least of their worries. There are generally many, many more fundamental problems to fix.

Not all of the security problems of the real world can be avoided, and there's no reason to believe that we're going to have perfect avoidance in terms of IT security either; it's too expensive. That's why we have law, courts and prisons. And yes, a host can be "owned" (I wonder who comes up with these types of words...) and be undetectable from its perspective, but:
1 - It might be detectable from a network perspective.
2 - Just because a host is "owned" it doesn't mean that the corporation is in deep trouble, depending on the security measures in place.

For many corporations, having the right person murdered could be more destructive than "owning" a machine undetectably. Nobody goes around saying "they might murder our CEO and not be detected"; it's just obvious.

I get amazed at how much effort is spent on talking and researching "owning" when there are so many real world (maybe less hip) problems to solve in the real world.

boris kolar (https://www.blogger.com/profile/02346446361520854450), 2007-04-15 23:15 (+02:00):

Yes, we can blame technology for much of our security chaos. However, it was the human factor that led us to this situation. Now, even eliminating the human factor of end users won't help, because the underlying technology is flawed.

Requiring administrative rights for every installation is a bad security policy, made by humans. Relying on millions of lines of code in the kernel and drivers being free of security vulnerabilities is also a bad security foundation, caused by the human factor. Allowing emails to run scripts on such a flawed operating system is another bad decision, also a human factor.

So in the end, we can conclude our security problems are based on the human factor, but our problem is so widespread that fixing the human factor for end users is not enough.

HarryE (https://www.blogger.com/profile/09864046346549731473), 2007-04-14 00:50 (+02:00):

Being a humble user and after watching the mighty IT departments and their monster machines blaming the poor user, I concluded:

- Computers are very naive machines; they believe whatever they are told.
- It is possible to record the input and reaction of the machines and make them act accordingly.
- If you tell a computer "black", ****???, XXX123, they will act on it, even if you do not know what it means. Face recognition, who cares, you just say 11001000 or whatever the computer believes is a face and it will comply. A dog is smarter.
- Worse, computers are the best imitators and can be used to imitate anything.
- So, computer security cannot be achieved until computers think by themselves, and even then.

Anonymous, 2007-04-06 15:25 (+02:00):

Well, obviously mistakes can be avoided. Mistakes will happen, but must be at an acceptable rate, say 1 in 1 million.

Anonymous, 2007-04-05 11:40 (+02:00):

"Just because the technology is flawed!"

I don't think the technology is flawed. I think when you combine the Human Factor and the word variable you get an answer.

----------------------------------

Definition of Variable

1. apt or liable to vary or change; changeable
2. capable of being varied or changed; alterable
3. inconstant; fickle
4. having much variation or diversity

----------------------------------

David (https://www.blogger.com/profile/08023829957100118573), 2007-04-05 05:17 (+02:00):

Please pardon this expansive, questionable, and dissipative rant... If one is destined for stupidity, then into stupidity he goes. Keep as many eggs in as many baskets as possible. You can never be safe and secure; that is an illusion. If you want to play the game, then be prepared to lose. What's more valuable, data, information, or wisdom? What is value? As anonymous says, software will always reflect our flaws as much as our brilliance.

Anonymous, 2007-04-04 08:12 (+02:00):

No one can know everything. Modern IT technology needs polymaths. A security expert or software developer can be an expert in a small area only. I think a software developer must be multiskilled. The best programmer is a security expert. The best security expert is a programmer.

Even if you know everything, you can make errors. It is a human factor.

Anonymous (signed Ed Bradford), 2007-04-03 18:06 (+02:00):

My view is that today's security problems are really a simple reflection of low quality software. My current operating system is so complicated that reasonable test coverage is impossible. The result is bugs, lots of them. The operating system itself is so extended into thousands of shared libraries that I don't believe anyone even understands the big picture, much less has an "architecture" in mind. Today's operating system is very reminiscent of the "spaghetti code" associated with DOS of some years back. The Winchester Mystery House also comes to mind.

When I think about what I do with a computer, and what others do with computers, I see no compelling reason for such complexity -- especially in the light of non-backward compatibility.

Reduce the complexity and innovation will be forthcoming and the number of bugs will decrease.

At least that's how I see it.
Ed Bradford
b ed at nc dot rr . com

Anonymous, 2007-04-03 16:48 (+02:00):

Human factor indeed, stupidity knows no bounds!

Anonymous, 2007-04-03 10:28 (+02:00):

It would be great if systems were safe. What we know is that they are not.
To achieve safety, both the design and the implementation have to be perfect from a security point of view (not only the kernel, but even the software installed).
Most of the companies developing software take care about security. Unfortunately their workers do not know all the possible ways to exploit their products. They are not "the hackers" - they are software developers. You can't blame them for that. Even you, a security expert, do not know all the paths an attacker can follow. Human factor.
Even if the systems were made fulfilling all the modern requirements of safety, tomorrow a whizkid will find a flaw starting a new branch of attacks; history taught us that.
You do a good job pointing out security flaws. Although your work on the most advanced system compromises is impressive, you completely ignore "visible" attacks, more popular and still hard to find.
Using a zero-day exploit in Word or Acrobat Reader, someone can steal your data working in "stupid ring 3".
How often do you look at the code injected into processes? How often do you check what the user-mode threads do? How often do you look at the templates for new Office documents?
Are you sure that your Internet Explorer is not executed by an external application when your screensaver is active and does not open a website passing your data somewhere? ;)
Praised PatchGuard protects the most popular malware from being deeply monitored. That's why antivirus companies complain about it so much. It especially protects the malware that uses the human factor directly.

Cd-MaN (https://www.blogger.com/profile/05030326541176171725), 2007-04-03 07:20 (+02:00):

One quick philosophical comment about the "risk assessment pseudo-science" / probability part: afaik (I'm not a scientist), the current view in physics is that we all exist because of probability, in the sense that it is most probable for the atoms which form our body to behave such that we exist. However, this is all probability, and there exists the chance (although a very, very small one) that one day the atoms composing my body will move in such a way that I get disintegrated.

My point is that probability is part of our existence, and many things we take for sure are in fact things which are very probable, but not 100% probable. One should embrace and not fear the unknown.

Anonymous (signed Michael; https://www.blogger.com/profile/14791818145414351933), 2007-04-02 19:41 (+02:00):

I think educating users, and all the articles and policies saying you should educate users, is both important and unimportant. I know, this is a contradiction. Users should be educated as best we can because they often detect the hack, because the exploit coder is no more perfect than the rest of us. In "Cuckoo's Egg" Cliff Stoll detected the intrusion because the phone bill was incorrect. We also as an industry have to stop blaming the luser. Secure coding techniques and secure system design need to be just as important as building a bridge safely or making sure an airplane can fly on one engine. When the OS has the fault tolerance of a Boeing 777, then we will be getting somewhere. I think you are on the right track with your discussion. I might not understand everything you are saying, but some combination of a secure hypervisor and a trusted code base for the kernel makes sense. We should also stop expecting users to know whether they should press the "OK" button.
--Michael

Anonymous, 2007-04-02 07:35 (+02:00):

The worst problem is the human factor. You talk about bad drivers! Humans develop drivers. Computers don't make errors in drivers! The human makes the error, and a bad driver is the human factor too.

We must learn and improve our security knowledge.
I think basically all errors and all security problems are the human factor.

denis bider (https://www.blogger.com/profile/02662743799740973736), 2007-04-01 18:58 (+02:00):

Indeed, it's quite disturbing. I hope your proposals for improving the security and verifiability of operating systems make headway.

In any event it certainly seems like it will take 5-10 years before trustworthy OS fundamentals are ready for mass use, but I would prefer 10 years to 50.