
Users being lazy about security doesn't excuse companies from being lazy about security. I don't know if the latter is true in this case, but the line of thinking you have presented is surely flawed.



They’re not incorrect. They are, however, wrong to think that users not caring about security means they don’t have to care either. Product makers have a duty of care beyond what their customers have.

I am definitely not arguing users should not be responsible for what they do. My point is that companies (especially billion dollar companies) can, and should be (more) secure by default.

I am also making the observation that this does not seem to get fixed by itself, rather it seems it needs regulation, which includes GDPR.


You are insistently missing the point, and overlooking a series of security flaws just by reasoning that people aren't authorized to exploit them.

I really hope that your job at that security provider is on marketing, because this is a hell of a bad mindset to work with security.


Since when does unwillingness to disable security features equal laziness?

I feel bad for users who have to deal with supposedly-security minded companies who cite weak, historical reasons for not doing the right thing now.

Companies who ignore the actual solutions proposed to them, and instead attack a straw-man. Claiming they're being asked to make backwards incompatible changes for all existing users, instead of providing an opt-in alternative for users who actually care about their security.

Companies whose culture is so inept that they blindly commit the most basic of engineering fallacies: Rejecting solutions on the basis of minor flaws, while defending an incumbent solution with massive flaws, simply because it is incumbent.


Yep.

One of the most annoying habits of computer professionals when talking about security is how we object to every idea by showing how a stupid/lazy end-user could render it useless.

It's not that users will never do that: it's that users can't get into secure habits if we paralyse ourselves into not providing reasonable tools.


Rather seems likely laziness hiding behind the guise of "security". Such a bad user experience is inexcusable.

Users care very little about security, actually.

The revealed preference is that the industry doesn't really care about security. We follow "industry best practice" - that is, we do the minimum to stop users complaining - but users don't buy based on security, and so it's not worth putting marginal effort into.

From a purely economic point of view: if the end user doesn't care about security, then why bother having security?

Regarding users caring about security, there are three possibilities:

- Users should care about security but they don't because they're dumb/ignorant.

- Users don't care about security because it's not worth the cost/it doesn't affect them, so they're right in not caring (they have 'nothing to hide').

- Some combination of them.


Maybe their product has features that would give users actual security, but are incorrectly implemented so they only provide the illusion of security. Which would fit the article perfectly, but I don't know if that's something I would mention in public if I was the CEO.

9/10 end users just don't understand that security and convenience are inversely related.

I'm sure you're right, but because of this "laziness" we get a slight security boost at the cost of a slight performance loss.

They're dismissing risk as a non-issue since they've displaced responsibility on the user. Their system isn't more secure because it is reliant on the user. Time and time again it's been shown that the user is the weakest link, which is why so many of these types of systems are in place.

People are 100% vigilant all the time.


I think the problem is rather giving a false sentiment of security to the unsuspecting user.

Security is always traded off against convenience. That's not an excuse, it's just the nature of the beast.

Downvoted without replies... Does anybody find the statement that most users don’t spend too much time to ensure the security of their machine offensive or incorrect? I know only myself and a few other fairly geeky people doing that...

It's a convenience vs. security tradeoff. The fact is, most people can afford to adopt a flawed security model to give themselves greater convenience, because most people aren't being specifically targeted and attacked. I doubt many people realize that they are making such a tradeoff, but that's more about dishonest advertising...

I'm in so much agreement, though I would disagree with the last line. I've seen people wave away security concerns because they don't want to be bothered.

Developers waste plenty of time (we're all on here chatting away for one!) but asking someone to even think about security seems to offend them in the way that asking a teenager to clean their bedroom would.
