Shostack + Friends Blog Archive


Nielsen on Security

Jacob Nielsen has a very good analysis of security, followed by a not-so-great set of suggestions.

He is spot on in saying that 1) it doesn’t work, 2) it puts the burden in the wrong place, and 3) this has nasty side effects. (I’d reverse 1 & 2, as the economics predict #1, but that’s a nit.)

His suggestions include:

  • Polish security features’ usability: This is a very valuable suggestion. We could, for example, try to ensure that questions are always asked in a form like “Allow others to share my printers?” rather than “Prevent others from sharing my printers (Yes/No?)”. The latter form is hard to parse and requires a double negative for the ‘secure’ position.
  • Automate all updates: I think he gets this wrong. Automated updates break things, and adding places where the computer ‘just stopped working’ is not helpful.
  • Turn on all security settings by default: He correctly points out that this requires making it easy to make exceptions.

He doesn’t mention a great feature that the Mac has: to install software for all users, you need to either be in the admin group or type your password. This would break a lot of malware installs by drawing attention to the installation activity. A bit of sandboxing around the browser would go a long way.

(Via Cory @ BoingBoing.)

2 comments on "Nielsen on Security"

  • It’s actually better than that; you have to be in the admin group *and* type your password (or have an admin user/password pair you can provide to the dialog box).

  • (Okay, correction: you can put things in Applications without typing the password, but you can’t add to, say, Startup Items without doing so.)
