
Ask HN: Why do people just not bother about security? - quilombodigital
In my life I&#x27;ve always been involved with free software, patent and copyright law fights, and most of the time with anonymity and privacy issues.<p>I just can&#x27;t understand why people dont give importance to digital security.<p>I am baffled one project like SOLO (https:&#x2F;&#x2F;www.kickstarter.com&#x2F;projects&#x2F;conorpatrick&#x2F;solo-the-first-open-source-fido2-security-key-usb) is selling so little. 2.300 backers is ridiculous considering the world size. This is not an advertisement, since I dont even know the authors, but I follow them since the u2fzero project.<p>About 15 years ago I was sending my emails with public key privacy, using smartcards, encrypting hard drives, and after all this time, people are willing to just trust blindly the machine OS, the telecom companies and governments.
All I know is that for cars people have lojack, for houses and babies they have cameras, for bikes they have locks, and for computers.... they have nothing.<p>I just thought that having a simple physical key like SOLO would be the breakthrough barrier for adoption, but I can only feel they just dont care. Am I wrong?
======
drstewart
>In my life I've always been involved with free software, patent and copyright
law fights

In some sense, you're probably living in a bit of a bubble because this is a
topic that you're passionate about.

I don't necessarily mean this in a bad way. For example, my partner spends her
free time involvewith animal welfare, recycling, composting, minimalism, zero
waste fights. She'd probably wonder why you don't care about these topics --
yet I'm sure YOU wouldn't say you don't about them, but you probably don't
have the same level of passion she does.

To her, using a physical key isn't necessary to have good security. Passwords
are "good enough". To you, buying bamboo toothbrushes is probably not
necessary to minimize waste. Recycling cardboard boxes is "good enough".

That doesn't mean anyone is necessarily wrong, you just have different sets of
priorities.

~~~
quilombodigital
I understand your point of view that my priorities may not be the other people
priorities. :) Sometimes we judge the others thinking they should act as we
do... so I guess the answer is really.... they dont care. :)

~~~
lucozade
> so I guess the answer is really.... they dont care

That's not a reasonable characterisation of what drstewart wrote.

It would be fairer to say that they don't care _as much as you_. That's not
the same as not caring at all.

On the flip side, implied in your question is that you're caring the
appropriate amount. What makes that so?

~~~
quilombodigital
hum... ok... making the devil's advocate part, I cannot guarantee I am "caring
the appropriate amount". I certainly have a vision not shared by many, so it
is hard to say I am "right", when there are so many brilliant people that dont
share the same feeling about anonimity, for example. I accept I am expressing
I am worried for others, based on how "I" see the relation between freedom,
anonymity, privacy and secure communication.

------
anonunt
IMHO its because they are quite accurately measuring the value of investing
the time.

What is the likely damage? - if your photos etc. are backed up then most
people (as in most of 7 billion) can get new system up and running in probably
less than 100th of the time it would take them to even begin to understand how
to secure their system / accounts.

Secondly what are the chances of your security efforts actually making a
difference? very very very low i would have thought.. you are either a low
value target or you need to be an absolute expert to do anything about it.

Its a bit like locking your front door or car.. we like to kid ourselves that
it is what is making a difference whereas what is really important is that
most people are actually not evil and don't mean you any harm. in reality both
can be broken into in seconds with the most rudimentary of tools.

Hacks seem to be in the categories of: -Mass data collection to find nudes
etc. (you need to have something to hide to make this an issue) -Mass data
collection to sell your data (this is being done anyway legally in broad
daylight by google et al) -You have something of value (you need to hire a
security team to have any real hope of defending this)

If any form of mass hack really became an issue it would be an issue for
millions to billions of people, so in all likelihood it would be a world
changing event for everyone if there was an issue (regardless of if they were
specifically the victim or not). not to mention how much of your data will be
leaked through other peoples insecurity anyways.

I think more of the issue is actually the developers and the people selling
software being so desperate to make money or show off they have pushed the
world forward so fast that for most (all?) people being up to date with
technology and secure is an either or situation never a both.

Also the generally public don't believe how little major services have thought
about the security implications of what they do.. the erodes their motivation
in two ways: if the zuck himself cannot get security right how can I and there
is no way that these companies would suggest i do something or offer a service
that was inherently insecure.

so a lot of random thoughts there.. but overall i would say: it takes time and
those in tech need to take it more seriously first.

~~~
anonunt
And yes i know that for example a software dev or similar IT role may get real
value out of securing their system as:

Your system may provide access to other systems and it is is not to hard to
make sure you are not low hanging fruit for an automated hack.. so its totally
worth investing the time and effort.. plus your online persona etc. is
statistically probably more important to you for all kinds of reason..

but really that type of user accounts for a very low percentage.

Also note that corporate PCs (which are a much more valuable target for
general hacks) often have lots more security including hardware 2 factor etc.

Also note i am no security expert, i am just talking about what its like
trying to get people i talk to to care about security / privacy.

------
laurentl
No, you’re not wrong.

People don’t care. They don’t even know that they should care. People have no
clue how their PC or smartphone or internet access work. They don’t know what
a hard drive is, they don’t know what encryption does, and their brain will
explode if you try to explain what a MITM attack is. They just know that they
had to return to the store last time they forgot their password so the geek
with the “Apple Genius” T-shirt could reset it for them. So now it’s set to
the kid’s birthdate. Because they don’t know how any of that stuff works, they
have no choice but to trust the closest thing they have to an authority on the
subject: their ISP, the guys who make their smartphone or their bank’s
website, that salesperson at Best Buy who told them to install an antivirus.

Security is hard. Remembering passwords is complicated, picking good passwords
is near impossible if you don’t have a tool to do it for you, and remembering
_those_ passwords is impossible. 2FA is a pain to set up even if ou know what
you’re doing, and don’t even get me started on configuring “advanced” options
(in which I bundle Fido2 / U2F for the foreseeable future). And recovery keys
you’re supposed to print out and store in a safe, seriously?

Data is intangible. Contrary to a car theft or a house break-in, people
struggle to assign a value to data loss or theft. Hell, I work in IT and I
couldn’t begin to estimate the prejudice if someone were to gain access to my
personal data. LoJacks and baby monitors help secure something that people can
place a value on. What’s the value of my holiday pics?

Because of all this, security doesn’t sell. So companies have no incentive to
invest in security, so security remains complicated and rare, so nobody gets
to use good security and find out that it has a value, so security doesn’t
sell.

I can’t even say that it will get better over time, as the young generations
were raised to hand over control of their digital lives to corporate data
harvesters.

Sorry for the bleakness of this post, but I’ve chosen to be jaded rather than
depressed.

~~~
quilombodigital
Ok, in your opinion the digital security concept is hard to grasp for the
common user. What is the excuse for the average company to _not_ enforce a
policy?

~~~
BjoernKW
> What is the excuse for the average company to not enforce a policy?

Oh, but most companies do enforce such a policy. Often, however, these
policies do more harm than good such when they require passwords of a specific
length and composition or demand you change those every 30 days.

Rules like that lead precisely to passwords that are easy to guess but hard to
remember. I suppose nobody can even tell anymore who originally came up with
these rules but they're widespread and ingrained in many companies' cultures.

Getting rid of this security cargo cult and replacing it with better practices
(such as using password managers and allowing for easily pronounceable,
diceware-like passwords) is surprisingly hard.

------
ecesena
Thank you for this, I'm one of the creators of Solo.

BTW, to add to your point, a couple interesting numbers.

1) Search "login" on Kickstarter [1]. All 22 campaigns from 2011 to 2018 have
failed!

2) Search "security" [2], and the most backed project doesn't even reach 10k
people.

It's indeed a really hard space.

If I can criticize our community of technical people, we're not really
inviting "normal people" to join. Some of my friends tried to read throughout
the comments, only found technical details or complains, and simply gave up
and left. I'm sure many potential backers do the same. It'd just take the
effort to go to github, nerd about whatever we like there, and leave the
Kickstarter cleaner for regular people to participate. It is what it is, of
course we're more than happy with the result so far. Lesson learned for the
next one. :)

[1]
[https://www.kickstarter.com/discover/advanced?term=login&sor...](https://www.kickstarter.com/discover/advanced?term=login&sort=magic)

[2]
[https://www.kickstarter.com/discover/advanced?term=security&...](https://www.kickstarter.com/discover/advanced?term=security&category_id=16&sort=most_backed)

Edit: grammar

~~~
quilombodigital
I that must say thank you for your effort... About the kind of person you
tried to attract, well, at least you gave them many colors to choose! I found
the color choosing strange, why someone concerned about security should bother
about color, but I see it was your attempt to attract more people. Maybe if
you place a tamagotchi inside it people will be more interested. :) just
kidding. I really respect your project!

~~~
ecesena
Thank you! Yes, the color is exactly an attempt to attract other people.

And yes, your comment is exactly my point :)

> why someone concerned about security should bother about color

First: why do we have colored phones then? Why someone concerned about talking
should bother about color.

Second: how this helps the cause, versus sharing on twitter something like
"how cool are colors! it's the first time in the industry someone thinks about
colors"

Not saying this to point a finger at you, but trying to explain why it's so
incredibly hard to talk about security. Many don't care. And who cares doesn't
help. :)

------
cmurf
Re: Solo, it was funded in 20 minutes. It's entirely plausible a lot of people
are going to play wait and see, and get one only once they start shipping.
Also, there are available competing products, and openness is just one
possible path to trust.

Further, it's completely non-obvious to 99+% how to use a hardware key, let
alone why they should. 1% who get it, might even be generous. And then, quite
a lot of people have devices that can't use hardware keys, or shouldn't. I
have any number of clumsy friends who shouldn't have something like a hardware
key sticking out of their laptop at all hours of the day: I call it,
inevitability.

Someone using a hardware key, probably uses random passphrases for each of
their online services, stuffed into a password manager. Ergo they aren't low
hanging fruit even without a hardware key. How much safer is someone who uses
push authentication as their second factor, switching to a hardware key?

Anyway, a big part of what I think you're getting at is ordinary people lack
the imagination of the risk they're taking; but then there's symmetry here
because you lack the imagination that they have so little of it themselves.

~~~
quilombodigital
Of course I lack imagination! That's why I asked HN! :)

------
quickthrower2
People trust (wisely or not) in the big companies Google etc. to do the right
thing. That's because they have other priorities in their life, and limited
head space. They need to be convinced this is an issue. I am not even
convinced it is the most pressing issue for me, and I am a techie. I do
minimal stuff (password managers, 2FA, try to avoid sending stuff by email)
but I'm not going to start buying keys off Kickstarter.

The only exception is a small amount of Crypto which I have been a bit more
paranoid about (see money is at stake so I care a bit more!), for example I
have the myetherwallet source and run it locally instead of using the site as
that is a very attractive honeypot. I could get f'd using the source but it is
less likely. I check for recent dodgy looking commits and check the news.

Not saying I am right but just sharing my point of view.

------
tinktank
Because for "normal" (non-technical people) security is: \- Hard \- Tedious \-
Error prone \- Difficult to understand \- Annoying

Most people have a rough enough time using their technology to understand
security, and even when they do, it's a tradeoff between usability and
security. I also think that people feel they are "secure" as long as they have
a password and possibly a virus scanner.

------
twunde
Actually if you think about it, computers already have a security response.
Anti-virus to protect them from malware and find my computer/tablet/phone to
protect against theft. These protect against the most common security attacks,
that the average user experiences.

------
psionan
My personal take: most people seem to have a password for their PC, then
backup files if they’re smart.

Why encrypt? That’s a good discussion to have with people. Need to take it one
step at a time.

Also does a cellphone require all the stuff you mentioned? No, it doesn’t.
Maybe PCs are the problem?

------
cm2012
People passionate about security are also equally passionate about disliking
marketing, so that may be a factor in its lack of popularity!

------
anigbrowl
Because you can't see an attack happening so it's too hard for most people to
use their imagination constantly. Fire, water, someone punching you in the
face, those are real things. Someone defeating your firewall and engineering
your password to get decrypt some of that beautiful data which you should have
salted but didn't cause you couldn't pick the right flavor...that's too many
layers of abstraction.

I think and practice security but realistically I know I have a much bigger
attack surface than I ought to because I just can't be bothered to to run
around chasing after every possible vulnerability. Frankly, it's too much
work.

If bad actors get access to your computer, the downside risk is potentially
huge, and you might think that would incentivize people to spend more time and
effort on security. But security isn't productive or consumptive, it's
reactive and people don't want to be in a constant state of anxiety.

 _for cars people have lojack, for houses and babies they have cameras, for
bikes they have locks, and for computers.... they have nothing_

All the other things you mention are easy, install/purchase once and then they
mostly just work* with minimal overhead. I totally agree with you about the
value of something like the SOLO but that's subject to a few problems;
physical connectors are different on different devices, the easier it is the
use the easier others can use it or force/trick you into unlocking your stuff,
and most people don't have the time or know-how to assess the open source
stack and verify the truth of its security. I have been interested in
encryption technology for 25 years and am moderately knowledgeable about it
but when I OK the latest update to Signal or an operating system I'm basically
doing so on faith.

* Cameras are in-between security tools. They can help you but also be used against you as part of an oppressive surveillance society or actually create the incentive for people to come after your data. I've had police come to my door before asking to see my camera footage to identify suspects in a crime that happened near my property. I declined but most people do whatever they're asked without thinking much about the consequences.

To improve security, don't get into an unwinnable arms race about how can
design the best lock. Make better tools for system administration that quickly
and intuitively represent activity patterns so that people can notice unusual
modes of access. Do so without interrupting people to death - you don't judge
the health of a tree by counting the leaves, and if the leaves of a tree show
signs of poor health you don't catalogue and measure them unless you're a
biologist.

We need much better _representations_ of what is going on inside computers and
how data is flowing. Right now if I want to know what's happening on my TCP
ports I get a _list_ of processes and ports which I need to either monitor
until I get square eyes or automate triggers on. Could you imagine telling
people that the first step in dealing with a pest infestation was to make a
list of every lifeform in a house and then filter that for ants or mice?
Ridiculous. Why aren't there graphical traffic/packet monitors that make the
backend of my network stack look like a videogame that I could actually get
interested in and enjoy playing? Right now for security tools 'graphical'
generally means it has a GUI and maybe a bar chart or cuddly icons - if you're
lucky. Real time animations of data flow don't exist outside of movies,
despite the fact that almost every computer has a decent GPU and there are
fantastic free and sometimes open videogame stacks available.

People will get engaged on security when they can see what's going on, and by
that I mean seeing things represented in a 2d or 3d virtual environment that
doesn't require deep forensic knowledge to interpret and interact with - like
a videogame. You don't need to write code to pick up, enjoy, or even be great
at a videogame, although it might get you interested in code or coding ability
may help. And I don't mean some stupid game like picking out which tiles show
vehicles in a captcha, but a responsive environment whose parameters are
mapped onto system internals in a way that makes it easy to notice intrusions
and disruptions without necessarily understanding them fully.

~~~
quilombodigital
heh. digital security "gamification" is an interesting concept...

~~~
anigbrowl
I'm perplexed that the concept hasn't been applied to system administration
already. I mean a few people have tried but most efforts are basically the
same as 20 years ago.

