There was one little bit at the conference I went to today that caught my attention. One of the academics, Dr. Ryan Ko, is working on a research project that aims to bring better privacy and security to web applications. These are things that interest me, so I listened for anything that sounded promising.
The project is called Stratus, and the part that was shown was an auditing system that created cryptographically signed audit records. The records were generated by a low-level process, making it impossible to delete logs without leaving any trace. This sounds like a great idea, except for one thing. That’s a lot of auditing data, and who will be bothered reading it? User apathy is a huge boundary to try and push past.
At the end of Dr. Ko’s presentation the question remained unanswered, so I used Q&A time to ask the question. His answer? That some education will be required, and that the information will be made readily available to the user. He also extended a general invitation for people to help make a contribution to the project.
The only thing that his answer said to me is that he’s quite out of touch with the average user. Most people have some level of general awareness about the dangers of the internet. They’ve heard about The Fappening and that those emails from that Nigerian prince may not be real. But this completely ignores a key issue: users will ignore anything that gets in their way.
The average user doesn’t bother reading even the first paragraph of their software license agreements. Error dialogs are like flies and are swatted away as quickly as possible. Anything that’s optional and requires brain power is just a distraction and should be ignored. If they can get something done a different way with less fuss, they’ll do it that way.
This is where security gets really hard. Access controls and audit logs are must-haves for most software, but it’s extremely difficult to come up with a good user interface for them. If the access controls need more than a couple of clicks, they become a barrier and stop being used. Audit logs need to be filtered so that only important events are shown, otherwise they become a sea of white noise.
While I wish the project all the best, I think they’ve got a long way to go to meet their goals.