Archive for the ‘hacker myth’ Category
Authentication Types
January 24, 2013
Here is my grid for keeping track of how authentication methods compare to one another. Apologies if you’re color blind, since I’m using green for good, yellow for okay, and red for bad. The “hoby netid” method is a protocol of my own design that has yet to be implemented.
Security vs Usability
February 27, 2012
Ahh, the age-old battle between Security and Usability.
I hope in the future that we arrive at these conclusions:
- Obscurity is not security
- Security problems most popular in the news (and in Congress) are the least common in reality
- Current forms of security don’t work for people and the data proves that
- Most implementations widely used only provide the perception of security
- Nothing is uncrackable or unhackable
- Usability is usually more important than security
- Security need only be sufficient to demoralize malice, while usability must succeed in actually enticing interest in an unappealing activity (luring is more difficult than impeding)
- When we make more usable functionality quicker to implement (one line of code) then developers will welcome it
- When we prove with data that many threats are not reality and security is often overkill then employers can feel good about tipping their investment in favor of usability
Currently we have a lot of fearful perception and “what if” corner cases polluting the landscape. Getting consensus on this topic doesn’t easily happen right now. Security is entrenched in technology and that point of view is what wins most often, especially in the States.
Security is not Friendly
May 8, 2009
(comment on ZDnet about security admin pet peeves)
Of course people don’t like security; it tends to involve obtrusive, unfriendly, difficult, oppressive, and demanding practices that are very un-human. It is also something that can often be bypassed with varying ease by anyone determined to do so.
For any kind of security to gain real traction, it has to be tailored to people and become an extension of individuals as much as possible. Remove the oppression. Imagine, for instance, being able to remotely “feel” if your house is being intruded... see and hear who they are, and if you want them out, being able to do so as easily as moving your own body. Your house would know you; it becomes part of you. Regulations should keep it non-violent but no agency would dictate your interactions with your house.
That’s the kind of sci-fi that should be the goal with security for a variety of functional and ethical reasons.
zdnet, the eager harbinger of doom, as usual
April 24, 2009
What exactly is the source of ZDnet’s obsession with attempting to strike fear into the hearts of everyone who uses digital technology? Why must they constantly push the “you will be attacked” and “there could soon be a virus that does this” angles?
The mundane truth is still that most security breaches are from disgruntled employees (a result of corporate abuses) and most intentional cracks are done solely for the purpose of sending spam (a result of public gullibility).
Real breaches are about the almighty dollar, not destruction.
the Hacker Myth again
June 4, 2008
The whole hacker scare is a myth, so that know-nothings calling themselves Consultants and Security Specialists can make money frightening CEOs and Congress people. Firewalls and SSL don’t mean a thing unless your company’s employees are well paid and proficient. Most every “security breach” comes from the inside.