Engineer Gary LosHuertos decided to try Herding Firesheep in New York City: he sat down in a Starbucks, opened his laptop and started gathering profiles, then sent messages to the people whose Facebook accounts he could access, warning them of the security flaw. Some people closed up and left, but others simply ignored his message and went on with their day. Confused, he sent another message, but they still didn't seem to care and continued using their accounts.

He was appalled that people would ignore a security flaw even after being warned, but it is actually well known that people reject security advice. The interesting part of the story comes from Cormac Herley's paper "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" -- it turns out that it makes perfect sense for people to refuse to follow security advice, and fixing the flaws that Firesheep draws attention to is just another example of advice that isn't worth the user's effort to follow.

You can read the full version of this post on Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?

Date: November 3rd, 2010 12:43 pm (UTC)
From: (Anonymous)
Of course users ignore security advice. What is the alternative? Follow it? Don't be ridiculous!

* Check every program installed on your Windows computer for updates regularly, for example weekly. This is a many-hour job if you're an average user with ~50 programs installed, 40 of which don't automatically tell you about updates.

* Pick 8+ character semi-random UNRELATED passwords for each of the 173 websites you're registered on, DON'T write them down, CHANGE them regularly. Come on, that advice basically boils down to: "don't be human".

A security policy that depends on humans not being human is broken. And it's unreasonable to blame the users for the policy being broken.