[ISN] Geek speak bridles information security

From: InfoSec News (alerts@private)
Date: Thu Oct 12 2006 - 02:02:15 PDT


http://www.computerworld.com.au/index.php/id;1970653607

By Rodney Gedda 
12/10/2006

Usability of security software is partly to blame for low protection 
levels in many computers, according to international security experts.

In a panel session at this year's Australian Unix Users Group (AUUG) 
conference in Melbourne yesterday, software security developers gave 
reasons why the IT industry is still at the mercy of so many problems.

University of Auckland computer scientist Peter Gutmann said many 
security standards were written 10 years ago and have mostly just been 
tweaked since then.

"A lot of the security stuff is designed by crypto geeks [and] because 
of a lack of usability, people can't apply them correctly," Gutmann 
said, adding usability is just as important as "having a bunch of crypto 
and let people figure it out from there".

Gutmann said the protocols were designed without usability and even if a 
user-friendly GUI could be put over it, it is unlikely the original 
developers would accept it.

"They would rather have 100 percent perfect software that's unusable 
than 99 percent perfect software that is usable," he said.

OpenBSD developer Ryan McBride, who works on packet filter and IPSec 
code, lashed out at intrusion detection systems, saying the technique 
has no way of detecting whether a virus is attacking a network.

"I do IDS work in a Fortune 50 company and it's a case of 'oh look, 
another box has a virus - go turn it off'," McBride said. "It's very 
hard to automate turning things off in security."

McBride said IDS isn't the place to solve the problem, but inside the 
software is.

University of NSW School of IT senior lecturer, Dr Lawrie Brown said 
when looking at modern software, part of the problem is the enormous 
body of un-safe software that people continue to use, which propagates 
vulnerabilites.

Brown said there is also a mindset within the general population that 
computers are relatively new and people are unaccustomed to the 
importance of information security.

German network security PhD student Tobias Eggendorfer seconded this by 
saying end users are not educated to deal with security threats.

"It will take 20 to 30 years to educate people about computer security," 
he said. "You wouldn't give your house key to someone, so why do the 
same with your password."


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 



This archive was generated by hypermail 2.1.3 : Thu Oct 12 2006 - 02:20:15 PDT