Archive: Security

A more complicated web — Christian Heilmann

A useful explanation as to why we can’t return to “a simpler web” that enabled anyone to easily become a publisher.

What we consider a way to express ourselves on the web – our personal web site – is a welcome opportunity for attackers… [I]t can be recruited as a part of a botnet or to store illegal and malicious content for re-distribution.

So, to me, there is no such thing as going back to the good old web where everything was simple. It never was. What we need now to match the siren call of closed garden publishers is making it easier to publish on the web. And to control your data and protect the one of your users. This isn’t a technical problem – it is one of user interfaces, services and tools that make the new complexity of the web manageable.

I’m not sure I fully agree with (or even understand) his proposed way forward. But it’s useful to think about how we can balance the desire to encourage self-publishing with fully robust, secure solutions. The game changed long ago.


Security design: Stop trying to fix the user

On the tendency of security approaches to rely on somehow educating users on this complex problem.

I’ve read dozens of studies about how to get people to pay attention to security warnings. We can tweak their wording, highlight them in red, and jiggle them on the screen, but nothing works because users know the warnings are invariably meaningless. They don’t see “the certificate has expired; are you sure you want to go to this webpage?” They see, “I’m an annoying message preventing you from reading a webpage. Click here to get rid of me.”…

We must stop trying to fix the user to achieve security. We’ll never get there, and research toward those goals just obscures the real problems. Usable security does not mean “getting people to do what we want.” It means creating security that works, given (or despite) what people do.

The same could be said for usability of any kind — but it seems especially vital in this case.

Via Khürt Williams.


Stylish browser extension steals all your internet history

If you use the Stylish browser extension, you ought to have a read of this. It might make you want to uninstall it immediately, as I did.

It appears that last year Stylish began collecting users’ data, including their full browser history, and even the contents of Google search results.

The above blog post explains exactly what is going on, and why it is a problem.

This is a great shame because Stylish provided a brilliant function enabling you to improve bad or unsuitable web designs very easily. I even created a style that improved the user interface for live timing on Formula1.com — which I still used up to last weekend, and has been installed by almost 500 others.

Not any more — I have uninstalled Stylish from my browser.


Virgin Media have sent an email suggesting ‘safe’ passwords for people to use.

“As an example, ‘Password’ is weak and easy to break. But ‘v!rGiNM3d1A1’ or ‘Z89_!3b2aa43’ are much harder for hackers to crack.”

…They’re not much harder any more. 🤦‍♂️
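To show why a brand name with a few character swaps is no longer a strong choice, here is a small strength check I have added (it is not from the Virgin Media email or any tool it mentions). It compares the naive “characters × alphabet” estimate with a pattern-aware view: strip a trailing digit run, undo common substitutions, and see whether a known word falls out. The word list and substitution table are constructed for the illustration, and the guess-count heuristic is my own rough labelling, not a published metric.

```python
import math
import string
from itertools import product

# Constructed word list: a handful of brand and common words for illustration only.
WORDLIST = {"password", "virginmedia", "virgin", "welcome", "letmein", "qwerty"}

# Common character substitutions (constructed table, deliberately not exhaustive).
LEET = {
    "!": "i", "1": "il", "3": "e", "0": "o", "@": "a", "4": "a",
    "$": "s", "5": "s", "7": "t", "|": "il",
}


def candidates(core: str):
    """Yield every de-substituted reading of core (each mapped char may stay or be replaced)."""
    options = [[c] + list(LEET.get(c, "")) for c in core]
    for combo in product(*options):
        yield "".join(combo)


def split_suffix(pw: str):
    """Separate a trailing run of digits/symbols, a common mutation appended to a base word."""
    core = pw.rstrip(string.digits + string.punctuation)
    return core, pw[len(core):]


def naive_bits(pw: str) -> float:
    """Textbook estimate: length x log2(alphabet size), which ignores structure entirely."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return round(len(pw) * math.log2(size), 1) if size else 0.0


def assess(pw: str) -> dict:
    """Report the naive estimate and whether the password is a mutated dictionary word."""
    core, suffix = split_suffix(pw)
    variants = list(candidates(core.lower()))
    hit = next((v for v in variants if v in WORDLIST), None)
    result = {"password": pw, "naive_bits": naive_bits(pw), "dictionary_hit": hit}
    if hit:
        # Illustrative heuristic (my own labelling): guesses needed is roughly
        # words in list x substitution variants x possible digit suffixes.
        guesses = len(WORDLIST) * len(variants) * (10 ** len(suffix))
        result["pattern_bits"] = round(math.log2(guesses), 1)
    return result


if __name__ == "__main__":
    for pw in ("Password", "v!rGiNM3d1A1", "Z89_!3b2aa43"):
        print(assess(pw))
```

Both of the email’s examples score identically on the naive estimate (12 characters drawn from the full printable set), but only ‘v!rGiNM3d1A1’ normalises back to a word in the list, which is exactly the structure that guessing rules exploit. The takeaway for anyone writing password advice is to assess candidates against word lists with mutations applied, or better, to recommend a password manager and a randomly generated string rather than a “clever” spelling.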


Triple Meltdown: How so many researchers found a 20-year-old chip flaw at the same time

It transpires that Meltdown and Spectre, the two major security bugs recently announced in processors, were discovered by several researchers who all had the same idea at a similar time. This is despite the flaws having existed for decades.

Something happens in the community and it leads people to think, let’s look over here. And then they do. And it definitely occurs way more often than chance.

This fascinating article also considers how long intelligence agencies may have known about this and other computer security issues.
