
Security\Convenience Tradeoff?

  • 04-06-2005 6:06pm
    #1
    Registered Users, Registered Users 2 Posts: 48


    I'm new here but I think I'm suitably paranoid. Just wondering how far the average person is willing to go with data security? Or electronic access systems (eg US nuclear briefcase).
    I have plans for everything from rolling-(pseudo)random number devices to polymorphic access codes, where you learn a code generation process with variables instead of a static code. (That's a personal creation but I'm sure it's been suggested before) but the issue with anything of this nature is how inconvenient it is, what would you consider 'too much'? Asymmetrically encrypting your emails or just a simple cypher? That sort of thing....


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,581 Mod ✭✭✭✭Capt'n Midnight


    The average person has a windows machine that connects to the internet.
    Unless they have XP SP2 or had a firewall preinstalled then their machine was taken over 15 minutes after they first connected.

    So the average person hasn't taken any steps on data security.

    PGP exists for those who want to use it.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Learning a code generation process?
    Being provided with a different n in f(n)=x at each login attempt and working out without pen + paper value of x. Or perhaps a calculator on the login screen allowing spectators to view the process.

    If it's a rarity, then I'm sure that it would throw some casual hack attempts, but IMO I don't see a postfix string of */+-^ operations as being any different from a standard password, other than by necessity being shorter, using a restricted alphabet, and the computer has to keep an actual copy, not a "difficult to reverse" hash as you use with fingerprints, iris scans, Pa5sw0rdZ.

    I think that SSH to deter hobbyist sniffers logging traffic is as far as most people will go currently. Even swapping PGP public keys is a bit cumbersome.
    Personally I care more about availability and integrity of data than privacy, when privacy is needed it requires the whole procedure of keys in fireproof safe, redundant backups etc, to keep the former..
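
    ressem's point that the computer has to keep an actual copy of a rule-based code, where a static password needs only a hard-to-reverse hash, shown as an added example (not code from any poster in this thread). The rule format (space-separated postfix with `n` as the challenge), the sample rule, the PBKDF2 parameters and the alphabet sizes are assumptions made for illustration.

```python
import hashlib, hmac, math, operator, os

OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul,
       "/": operator.floordiv, "^": operator.pow}

def eval_postfix(rule, n):
    """Evaluate a postfix rule such as 'n 3 * 7 +' for challenge value n."""
    stack = []
    for tok in rule.split():
        if tok in OPS:
            b, a = stack.pop(), stack.pop()
            stack.append(OPS[tok](a, b))
        else:
            stack.append(n if tok == "n" else int(tok))
    if len(stack) != 1:
        raise ValueError("malformed rule")
    return stack[0]

def enroll_rule(rule):
    # The verifier must evaluate the rule on a fresh n at every login,
    # so it has to store the rule itself (or something reversible to it).
    eval_postfix(rule, 1)  # reject malformed rules at enrollment
    return {"rule": rule}

def check_response(record, n, x):
    return eval_postfix(record["rule"], n) == x

def enroll_password(password):
    # A static password only needs a salted, slow, one-way hash on the server.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "hash": digest}

def check_password(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], 200_000)
    return hmac.compare_digest(digest, record["hash"])

def keyspace_bits(alphabet_size, length):
    """Upper bound, in bits, on the entropy of a secret of `length` symbols."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    rule_db = enroll_rule("n 3 * 7 +")    # constructed sample rule
    pw_db = enroll_password("Pa5sw0rdZ")  # sample password from the post above
    print(check_response(rule_db, 12, 43), check_password(pw_db, "Pa5sw0rdZ"))
    print("a copy of the rule database reveals:", rule_db["rule"])
    # 16 symbols = digits, n and the five operators; 94 = printable ASCII
    print(keyspace_bits(16, 5), keyspace_bits(94, 9))
```

    Anyone who obtains the rule record can answer every future challenge, while the password record still has to be guessed against the hash.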


  • Registered Users, Registered Users 2 Posts: 48 Teslacuted


    The code generation system isn't meant for computing, as you said there are far better methods available, I'd like to see it used on house alarms etc (obviously a pretty valuable house) where it doesn't need any alterations to the standard keypad system.

    I'm not very up to date on the standard internet encryption methods but their user-transparency (in most cases) is excellent but still gives room for the more hard-core G\PGP systems.

    As Capt'n Midnight said the average wintel user is barely aware of data encryption (but society has taught them to hate any type of 'hacker' - even when they don't know what a hacker is) and is hilariously reliant on MS to keep their systems secure but do you think these unfortunates would put up with decreased convenience in the name of security?


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Teslacuted wrote:
    I'd like to see it used on house alarms

    Is this part of an anti drink policy. :)

    Teslacuted wrote:
    but society has taught them to hate any type of 'hacker'

    Hardly surprising, who's going to bother explaining differences white hats/ black hats / phreakers / crackers /hackers/ coders. Even those in the industry assign different meanings to different labels to suit their audience, labelling say BSD/GPL programmers as hackers. In contrast to the original meaning of prankster.

    Teslacuted wrote:
    what would you consider 'too much'?....do you think these unfortunates would put up with decreased convenience in the name of security?

    For users, it can't be allowed to irritate/anger. Otherwise it'll be removed or worked around. That is determined by individual knowledge, patience, experience 1st and 2nd hand, of consequences. If the unfortunates you're describing are those that have little of one of the above then the answer is no, they won't put up with much.
    I find myself, though I've little excuse, disabling AV to save a few minutes while doing multi gig transfers at home. Why should I expect users of software I create to act differently?



    A problem sales & marketing people try to work around in personal firewalls/AV. You want to tell the user that they've been protected N times, so they feel smug when they see the horror stories in the papers, keep the subscription up to date and recommend to acquaintances, but also not to interrupt their work/gaming/movie.


    Of course, I know someone willing to take apart their car dashboard to crush that seatbelt warning speaker. If you're trying to build a software product to sell to that market, don't count on them renewing each year.


  • Registered Users, Registered Users 2 Posts: 48 Teslacuted


    ressem wrote:
    Is this part of an anti drink policy. :)

    You could get fancy and install a breathalyser - allowing anyone in who's too drunk to know what they're doing in. The code idea is at least workable I think, and definitely a boost on a static code.
    ressem wrote:
    Of course, I know someone willing to take apart their car dashboard to crush that seatbelt warning speaker.
    A worthy cause, I'd alter the fuel gauge too so that empty actually meant that even the fumes are gone.
    ressem wrote:
    For users, it can't be allowed to irritate/anger. Otherwise it'll be removed or worked around.

    That depends on the user though, I used NAV for years but got sick of the auto-protect and all the system services it installed - it infects your system more than the average virus. I uninstalled it and my system gave me a BSOD on every shutdown. I decided I might as well redo windows and try SP2.

    "For your security we have prevented you from dialing this connection"
    "The windows firewall is now protecting your system"
    "CAUTION! You have disabled the windows firewall, this is not recommended and your system is now open to threats. Would you like to re-activate it?"
    "You have disabled automatic updates..."
    You get the idea.

    I'm using Kaspersky now and I'll soon be switching to FreeBSD but my point is that the measures that are being put in place now may let the average user feel warm and safe inside but get in the way of anything else. So it really is a per-user decision...

