High level: Security vs Ease of Use

I was listening to Martin McKeay’s Network Security Podcast this morning (26 July 2006 episode) and he said something early on that struck me:
“People say they want security, but what they really want is ease of use.”
I think it’s a mistake to separate the two; they’re not exactly part of a single continuum, but they’re close. If something is not easy to use, then people will work out ways around it, thus obviating the security. Consider that the most secure computer is one that is disconnected from a network, turned off, and physically isolated from anybody and anything. Not very easy to use, though. The easiest computer to use is one with no passwords, no accounts, and anybody can do anything they like to it – not very secure. The goal of security is to find some place in the middle, such that the users don’t have to work around your security in order to be able to actually use the damn thing. Force password changes every week? Users will alternate the same two passwords. Disallow that, and they’ll alternate three. Disallow re-use, and they’ll make them easy to remember: cat. dog. shit. assholemademechangemypasswordagain. Sooner or later, you get to the point where users are writing them down on stickies and putting them next to the machine.
If something is too difficult to use, it’s not secure, because nobody will use it. They’ll figure out another way to do the same thing, and that other way is likely less secure. Figure out with your users the best way to strike the balance.
That leads into a ranty-type post, and I don’t want to get into it right now because I’m still too close to the subject. But I will be talking about service levels, user expectations, and IT responses at some point.
(Edit: tried to send a trackback ping to Martin, no joy. sigh. I mess around too much during the day to want to mess around all night, I must be… gasp… getting old.)

Stolen laptops

uwstudent (via The Record) has a brief story on some stolen laptops here at UW. Doesn’t look like there’s much personal data on there, but this line: “The personal information in the computers is password protected and is not retrievable” (from Martin van Nierop, who’s not really a techie so I assume it was given to him from somebody else) is a red flag. What sort of password? What assurances do the people whose information got stolen have that the data really is safe?
I’m disappointed; I’d have liked to think that our world-class institution would be a world leader in terms of fessing up when things go wrong. I guess what it really means is we’ll follow along with the rest of the world. That line’s getting to be as bad as “going out and giving 110%” is in sports.
Edit: 570News has a story on this too. Same story: “UW says the data is protected by a password and is not retrievable.”

PGP keys

Per practising what I preach, I’ve switched my mail clients to using GnuPG signing by default, or have at least started on switching them – main work machine done, laptop and home Windows PC to go.
One of my complaints about email is that it’s difficult to verify the sender or the contents, but I don’t do anything to help people receiving my email to do so.
Plus, some time ago it started making more sense to me to protect myself from people who might misquote me in order to cause harm to me professionally.
It’s not perfection, but it’s a start. My one bitch is that Thunderbird/Enigmail will remember my passphrase for an arbitrary amount of time, but can’t be set to clear it when the screensaver comes on, for instance. I poked about at gpg-agent, but couldn’t find any frontend for MacOS that seems to do that.

Air Canada vs WestJet, conclusion

WestJet and Air Canada settled, courtesy of the CBC. The PaulDotCom boys picked up on it in their podcast – I’d submitted the story to them, intending to get them to link to my writeup, but I never took the time so I just gave them the raw link. Now I’m taking the time, because I think they missed something in their show.
There are a couple of interesting items here. First is the most obvious, and the one they caught: what was an employee who’d presumably left on poor terms (but left!) still doing with a login id and password, valid from off-site, for what is presumably a considerable length of time?
Second is the settlement. It’s curious that AC would settle for legal fees + litigation, and a contribution to charity from WestJet. Did they figure they couldn’t win the original $220m lawsuit? Are they essentially admitting guilt to the charge of trashing the WJ exec’s house? Either way, that’s a pretty interesting result to what appeared to be a relatively straightforward case of industrial espionage.