If only security was that easy

There was one little bit at the conference I went to today that caught my attention. One of the academics, Dr. Ryan Ko, is working on a research project that aims to bring better privacy and security to web applications. These are things that interest me, so I listened for anything that sounded promising.

The project is called Stratus, and the part that was shown was an auditing system that created cryptographically signed audit records. The records were generated by a low-level process, making it impossible to delete logs without leaving any trace. This sounds like a great idea, except for one thing. That’s a lot of auditing data, and who will be bothered reading it? User apathy is a huge boundary to try and push past.

At the end of Dr. Ko’s presentation the question remained unanswered, so I used Q&A time to ask the question. His answer? That some education will be required, and that the information will be made readily available to the user. He also extended a general invitation for people to help make a contribution to the project.

The only thing that his answer said to me is that he’s quite out of touch with the average user. Most people have some level of general awareness about the dangers of the internet. They’ve heard about The Fappening and that those emails from that Nigerian prince may not be real. But this completely ignores a key issue: users will ignore anything that gets in their way.

The average user doesn’t bother reading even the first paragraph of their software license agreements. Error dialogs are like flies and are swatted away as quickly as possible. Anything that’s optional and requires brain power is just a distraction and should be ignored. If they can get something done a different way with less fuss, they’ll do it that way.

This is where security gets really hard. Access controls and audit logs are must-haves for most software, but it’s extremely difficult to come up with a good user interface for them. If the access controls need more than a couple of clicks, they become a barrier and stop being used. Audit logs need to be filtered so that only important events are shown, otherwise they become a sea of white noise.

While I wish the project all the best, I think they’ve got a long way to go to meet their goals.


Project Zero publishes an unpatched Windows security flaw

The tech news has been abuzz recently about a Windows security vulnerability that has been published by Google’s Project Zero. The interesting thing here is that the details of the flaw are relatively unimportant. What is important is the way in which the vulnerability was published.

One of the key concepts behind Project Zero is that when a vulnerability is found and reported to the vendor, the vendor has a 90 day window in which to release a patch. The details of the vulnerability are kept secret until either a patch is released, or the 90 day window has elapsed.

The controversy here is that the is that with this particular vulnerability, the 90 day window ran out before Microsoft had come up with a fix. This means that the details of a zero-day vulnerability have been made available to all and sundry, including a proof of concept exploit. This is obviously Not A Good Thing™. Continue reading Project Zero publishes an unpatched Windows security flaw