Security usability: Difference between revisions

From JookWiki
Revision as of 08:58, 2 March 2022

This is a WIP page, come back later.

This is a quick page on my feelings towards security and how most security software fails to be usable.

Background

Recently I read the article F-Droid: how is it weakening the Android security model? which provides a critique of F-Droid's security model and recommends people use Google Play Store.

The GrapheneOS developers provided similar critique but it contains numerous uncorrected errors. Instead of correcting this information they have chosen to threaten SylvieLorxu with legal action for pointing out these mistakes. I strongly recommend reconsidering any trust towards GrapheneOS and its developers given their priorities shown here.

Usability

When you look at the current state of open source you tend to see two things:

  • Security software is near perfect, able to prevent attacks from state actors
  • People don't use the security software correctly

There are generally two places you could lay the blame for this:

  • Developers for making unusable software
  • Users for using software incorrectly

In recent years the latter camp, blaming the user, has died down, given that it offers nothing actionable to fix the problem.

People have predictable patterns when it comes to usability:

  • Pick the easiest way to accomplish a task
  • Become complacent and skip tasks
  • Do things wrong
  • Fail at impossible tasks

Any process that humans interact with has to account for these patterns and lower risk to an acceptable level.

Hypothetical case studies

Some concrete examples of applications

user patterns

how people actually work

exceptions vs reality

Trust

security is a software problem to a social issue

libertarian threat model

not how reality works

bitcoin, keys