Thursday, August 08, 2013

Hubris: the biggest security risk

A couple of days ago on Hacker News, the thread about Chrome's security for stored passwords erupted and culminated with one of Chrome's security mavens posting responses. Within that chain, he posted this quip:

I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position. And while you're certainly well intentioned, what you're proposing is that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome.

This response rubbed me the wrong way, though I couldn't put my finger on exactly why. The obvious irritant was the patronizing "novice" bit, but it was more than that. Patronizing responses are par for the course on the internet. Why did this particular one stick in my craw?

Then it dawned on me: prior experience should have nothing to do with evaluating security. It's essential to evaluate any and all opinions about security, over and over and over. Security is the ultimate area requiring a meritocracy to succeed. No subject can ever be put to rest, having been decided forever and ever.

Case in point for Google: my brand new Chromebook comes configured out of the box to allow someone to view all of my saved Chrome passwords. It doesn't require a password when I open it up by default (edit: when I close it and re-open it later after having logged in). Google itself is shipping Chrome, on their own box, with no security for saved passwords. If they believed in these best practices for securing web passwords by securing the machine, maybe they should re-evaluate their own products.

The funny thing is, all you need to do to see the same claim made about "putting users in control of their own machine security" is go back to 1996. Check out this thread about ActiveX. It's up to the user to secure their machine by clicking no, of course! How'd that work out?

My advice to the Chrome team is to take a long, hard look at how you form your opinions about users, and to be open to changing those opinions. And if you have security practices that you believe in, you have to make sure your entire org is following them. Because right now, any user with a Chromebook, by default, is absolutely unsecured when they close it and leave it.
