WebApp Sec mailing list archives
RE: Summary: Growing Bad Practice with Login Forms
From: "Yvan Boily" <yboily () seccuris com>
Date: Wed, 28 Jul 2004 10:33:33 -0500
To play the devil's advocate, how many people actually take this kind of responsibility for other, far more critical matters? Many people do not behave interactively in important situations because everybody tends to specialize. I freely admit that I could not fix my car beyond changing fuses, changing oil and such, not because of ignorance, or stupidity, but rather because I would prefer to spend my time researching AI or some other more interesting topic than learning how to fasten two widgets together with a gasket. Does this mean I don't take my safety seriously when driving? I listen to my vehicle and pay attention for weird noises, and get it serviced when it, or my mechanic, tells me to.

Personally, I would rather my doctor spend his time reading medical journals and improving his knowledge so that he can catch whatever bizarre and rare disorder or bacteria affects me instead of puzzling over which button to click where to attempt to understand if a connection is secure. Specialization is what has allowed us to develop the technology that we have all started to take for granted.

Computer users have been trained to trust their computers by the industry for the previous 20 years. We have told them (and even though I am only 27 I include myself; I have been guilty of this when I was peddling custom software as a teenager) that computers will help them work faster, more efficiently, and save time and money. Also we have told them that storing personal information on their computers is safe as long as there was a backup (and it was until some gomer came up with the idea of connecting everyone under the sun to the internet). Now after two decades of this behaviour we have to re-educate them to understand that personal information needs to be protected, and that they need to actually understand what their computer is doing. When you compare this to the challenges presented to the security industry by marketing and sales it is rather daunting.

You have a small group of people saying "You need to learn more and work harder to make your system more secure, and stop being such a stupid user" against an ocean of software vendors, marketing teams, and profiteers saying "buy this magic bullet to protect your information and stop evil hackers and viruses with no extra effort". People do not pick the marketing people because they are dumb; they pick the marketing people because they are not being degraded, and they are not being told that they have to do extra work.

I personally have no problem stomping on programmers when I am performing a code audit, or flaming network engineers when I am assisting with a VA, but only if they deny that security is an issue, or disagree (to the point of ignorance or belligerence) with a perfectly valid assessment of a vulnerability because it makes them look bad. Don't stomp on users because they have not chosen to specialize in understanding computer technology. They could probably take you to the streets in their area of specialization and think you are a chump for not understanding what seems basic or trivial to them.

Regards,
Yvan
-----Original Message-----
From: David Telfer [mailto:david.telfer () ostechnology co uk]
Sent: Wednesday, July 28, 2004 10:16 AM
To: webappsec () securityfocus com
Cc: ivan.hernandez () globalsis com ar
Subject: Re: Summary: Growing Bad Practice with Login Forms

On Wednesday 28 Jul 2004 14:27, Ivan Andres Hernandez Puga wrote:
> Anyway, there is no application without user. Why don't you try to learn
> what's wrong with your point of view instead of blaming the 99% of non
> techie people?

His point of view has some foundation. Your personal information is ultimately your responsibility. A lot of people are wary of real world security implications, card skimming and tampered ATM machines for example. They would not insert their bank card into an ATM machine that looked abnormal. Many of the public would never check public keys or certificates though. Surely taking some responsibility for your own personal information should be assumed.

On the other hand it is the responsibility of the site developer to be as verbose as possible in security provisions. Ways to help the "non techie people" secure their data should be under constant development. I am unable to find the post, but the suggestion of pass phrases that the user holds would surely help. Showing characters x and y to a user and getting them to verify them against a given phrase (provided non-electronically, by normal post perhaps) would allow the user to verify in her own mind that the site is legitimate before entering login information.

athena () buyukada co uk wrote:
> Users are stupid, unpredictable, and applications would function a lot
> better without their interaction.

Perhaps intended to be tongue-in-cheek somewhat? None of us deny the point in the technology is for the user.

David Telfer
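The "show the user characters x and y of a phrase delivered by post" check that David Telfer describes, written out as an added example (not code from anyone in this thread); the passphrase store, server key and session ids are constructed assumptions, and the positions are derived per session so reloading the page does not leak further characters.

```python
import hashlib
import hmac
import random

# Constructed sample store. In the scheme described above the site and the user share
# a phrase delivered out of band (e.g. by post); a look-alike login page cannot show
# characters from a phrase it has never seen, so the user can spot it before logging in.
PASSPHRASES = {"alice": "correct horse battery staple"}   # constructed sample
SERVER_KEY = b"server-side-secret-PLACEHOLDER"            # assumed, not from the thread


def challenge_positions(phrase_len, session_id, k=2):
    """Pick k distinct 0-based positions, derived deterministically from the session id.

    Tying the positions to the session (rather than fresh randomness per request) means
    reloading the login page inside one session never reveals extra characters.
    Caveat: each new session still discloses k characters, so the phrase must be long
    relative to k for the scheme to keep any secrecy over time.
    """
    seed = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).digest()
    return sorted(random.Random(seed).sample(range(phrase_len), k))


def site_hint(username, session_id, k=2):
    """Server side: the (1-based position, character) pairs shown on the login page."""
    phrase = PASSPHRASES[username]
    return [(pos + 1, phrase[pos]) for pos in challenge_positions(len(phrase), session_id, k)]


def user_verifies(own_phrase, hint):
    """User side: the comparison the user makes against the phrase received by post."""
    return all(1 <= pos <= len(own_phrase) and own_phrase[pos - 1] == ch
               for pos, ch in hint)


if __name__ == "__main__":
    hint = site_hint("alice", "session-123")
    print("genuine site shows:", hint)
    print("user's check passes:", user_verifies(PASSPHRASES["alice"], hint))
    # A page that does not know the phrase can only guess at the characters.
    fake_hint = [(pos, "?") for pos, _ in hint]
    print("user's check on a guessed hint passes:", user_verifies(PASSPHRASES["alice"], fake_hint))
```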