
Comparing how security experts and non-experts stay safe online - devhxinc
http://googleonlinesecurity.blogspot.com/2015/07/new-research-comparing-how-security.html
======
modeless
_[Non-experts] mistakenly worry that software updates are a security risk._

I think this betrays a lack of thought about the risks to non-experts. Tons of
malware masquerades as legitimate updates, and non-experts don't always have
the knowledge to distinguish legitimate updates from malicious ones.
Therefore, to non-experts software updates _are_ a security risk.

Edit: And this is why Chrome's policy of updating automatically and completely
silently is the right thing to do, and everyone else (Adobe, Oracle,
Microsoft, looking at you) is doing it wrong.

~~~
bsilvereagle
> And this is why Chrome's policy of updating automatically and completely
> silently is the right thing to do

Not everyone is hooked up to unlimited broadband 24/7. To anyone who is
frequently jumping between capped satellite & 3G/4G networks, silent
auto-updating software not only unexpectedly slows down your already non-ideal
connection, but also eats up lots of your capped data.

Lots of services tend to forget about the users who aren't hooked up to
broadband 100% of the time.

~~~
sliverstorm
The proliferation of mobile devices and the convergence of mobile and
traditional end user operating systems is solving this one. Android and
Windows 8.1 both have the ability to mark an arbitrary WiFi network as
metered, and many core services as well as third party apps will happily
discriminate between unlimited WiFi and metered WiFi/cellular connections.

------
joosters
But are the security experts actually safer online?

The study seems to assume that they are. It may be a fair assumption, but it
would be interesting to know if it actually is true or not. It would also help
validate the security practices.

If it turns out that the security experts got infected just as much, or only
slightly less than the non-experts, then following their practices might not
be worth the effort...

~~~
lucb1e
Very good question, but I'm not sure how you imagine this could be addressed.

Security experts may use a lot more password managers and want to use unique
passwords, but you could say that's just because they have a lot more accounts
than normal people. Most people have a couple accounts for social networking,
their bank, perhaps a local library... experts usually work in the field,
spend their days online in an office, and have lots of accounts for various
tasks or activities.

The attack surface is very different: lots of accounts versus just a couple.
Lots of time online browsing various sites versus browsing your average social
network in spare time. Perhaps I'm overgeneralizing, but it probably matches a
good percentage.

And then there is the definition of "safer" or "expert". Are you an expert
when you got a degree in the field? When you followed some online courses?
When you work in the field? Or when you read a lot about security?

~~~
joosters
The paper acknowledges the problem in defining a security expert (see 5.1:
Limitations)

 _Defining a security “expert” is challenging, and we settled upon a
definition that is simple (5+ self-reported years of experience in the area)_

------
tptacek
The thing that software security people do that most normal people don't do
is: browsing and accessing email in a virtual machine, not their actual
machine.

~~~
ihsw
Can we settle for containers instead?

For example, running Chrome in a Docker container. Why not? Drawbacks?
Security risks? Feasibility?

I understand that users _download_ things but personally I can't recall doing
that in recent memory, other than things like news/tech spec PDFs for later
review. Moving downloaded files out of the browser's container would involve a
fair bit of ceremony (physically selecting files/folders and dragging them out
of the browser's "Download" folder and onto the host's file system, disallowing
saving files outside of that folder, and so forth) but it doesn't seem that
bad.

What do most users do with a browser other than open the thing, browse
websites, and download files for later?

~~~
tptacek
No. I'm barely on board with the pain/benefit of running an isolation VM.
Containers provide so much less isolation than VMs, it's hard to imagine
they're worth the inconvenience.

(I hate VMs so much I just use two computers).

~~~
thematt
Why do you hate VMs so much? Usability? Or is there some technical reason?

~~~
MichaelGG
Because VMware has essentially abandoned their client virtualization software?
(Workstation 11 is a paid minor bug fix.) While it's way better than
VirtualBox, it's still annoying. Stuff like USB devices will randomly not
work. You need more system resources, which heats up the machine, making it
hot to the touch. Oh and it crashes at times, too. With a Windows-on-Windows
setup, I was having daily crashes. VMware doesn't seem to care and offers no
support with the product (gotta buy a company support plan). They even had a
KB article to the effect of "Known issue: Workstation crashes when you run
Office 2007".

It's usable, just a bit annoying. I feel I have little option but to run Windows
as a host OS in order to get the best driver/video/battery support, so VMware is
essentially mandatory.

It's also a huge attack surface.

------
taeric
I am personally concerned with the "patch, patch, patch" message. Stated that
way, I completely agree with it. However, for many it is just "update, update,
update."

I'm all for getting the latest security patches. Or any security patches,
really. I'm growing tired of getting the latest possibly risky feature from a
product because it is the only way I can get a security patch.

~~~
wlesieutre
Just yesterday, Windows Update automatically installed a driver for my GTX
970. It broke OpenGL and I had to go to Nvidia's website to get their standard
driver and reinstall it.

And since Windows 10 breaks the ability to block specific updates, I'll
probably have to keep the installer around and reinstall it _every damn time_
that Windows Update decides that the driver MS is distributing is better than
the one from nvidia.com.

I'm a techy and I completely understand why users ignore updates. Either it's
invisible and the user doesn't know it happened, or it breaks something with
no obvious way to revert, or it arbitrarily changes things that were fine how
they were. So their perception ends up being "every time it updates, things
get worse."

~~~
fluidcruft
I am extremely, extremely skeptical that Microsoft doesn't have a way for
nvidia to fix this.

As a heavy desktop Linux user, hearing about examples of half-assed,
incompetent, hacky, lazy product support by nvidia isn't exactly new
territory.

Nvidia is causing your pain, not Microsoft.

~~~
wlesieutre
I'm not sure you can blame it all on Nvidia. The versions that Microsoft
ships are written by Nvidia, yes, but they're torn down to essentials with a
bunch of features removed. Among those, Nvidia's various control panel type
addons, and apparently some important OpenGL extensions that LWGL relies on.

By going through WHQL, Nvidia gets to have better out of the box support on
Windows, and Microsoft gets to ship a stripped down driver without Nvidia's
control panel cruft and with better support for DirectX than OpenGL.

I don't see what Nvidia's motivation for the last part is unless Microsoft
said "Don't bother including all of the OpenGL capabilities, DirectX is fine
for basic drivers."

------
phlo
Brilliant. Measuring how well typical users understand/implement security
measures has long been overdue.

Personally, I find Figure 2 (on Page 5) of the paper most interesting: it
shows the difference between expert and non-expert mentioning certain
practices -- which to me seems roughly equal to how under-/overappreciated
that practice is.

The top contenders for underrated (i.e. used more frequently by experts
compared to non-experts) are: System updates, 2-factor-auth, password
managers, unique passwords and checking for https. Most overrated: antivirus,
password changes, only visiting known sites and using strong passwords.

As a security community, we appear to have gotten the point across when it
comes to antivirus and strong passwords. Anyone giving general advice should
consider this and emphasize the "underrated" measures.

~~~
sarciszewski
> Anyone giving general advice should consider this and emphasize the
> "underrated" measures.

Funny enough, we did exactly that last month!

[https://paragonie.com/blog/2015/06/guide-securing-your-business-s-online-presence-for-non-experts](https://paragonie.com/blog/2015/06/guide-securing-your-business-s-online-presence-for-non-experts)

Unfortunately, Archive.org did not crawl us before this Google blog post came
out, so I can't prove that I did not ninja edit the post. Google has a cache
from July 8, though:
[https://webcache.googleusercontent.com/search?q=cache:-ovweQsOFBMJ:https://paragonie.com/blog/2015/06/guide-securing-your-business-s-online-presence-for-non-experts+&cd=1&hl=en&ct=clnk&gl=us](https://webcache.googleusercontent.com/search?q=cache:-ovweQsOFBMJ:https://paragonie.com/blog/2015/06/guide-securing-your-business-s-online-presence-for-non-experts+&cd=1&hl=en&ct=clnk&gl=us)

------
zzzcpan
> The high adoption of antivirus software
> among non-experts ... might be due to the
> good usability of the install-once type of
> solution that antivirus software offers.

Or due to the fact that antivirus companies make money on selling antivirus
software to non-experts and have a long history of advertising it to
non-experts as a security solution.

~~~
iulia_ion
Yep, it seems that marketing works. :D

------
emergentcypher
One bit of advice that should be up there is to run an ad blocker and a flash
blocker (not so relevant anymore now that FF started blocking by default). I
know, I know, websites depend on ads for revenue. But ads are also a great way
to deliver exploits, in addition to all the personal tracking ad networks do.
Our number one priority is to protect ourselves, not to protect website
revenue.

~~~
Balgair
For the lazy:

[https://addons.mozilla.org/en-us/firefox/addon/ublock/](https://addons.mozilla.org/en-us/firefox/addon/ublock/)

[https://www.ghostery.com/en/](https://www.ghostery.com/en/)

[https://cs.nyu.edu/trackmenot/](https://cs.nyu.edu/trackmenot/)

[https://addons.mozilla.org/en-us/firefox/addon/self-destructing-cookies/](https://addons.mozilla.org/en-us/firefox/addon/self-destructing-cookies/)

[https://noscript.net/](https://noscript.net/)

Anything I missed?

~~~
asquabventured
uBlock Origin is the original creator maintaining the code. It is better than
uBlock!

[https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/)

Some others potentially worth installing:

[https://www.eff.org/https-everywhere](https://www.eff.org/https-everywhere)

[https://www.eff.org/privacybadger](https://www.eff.org/privacybadger) I
prefer this over Ghostery. You can also for the most part replicate Ghostery
by just downloading an appropriate filter for uBlock Origin.

[https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/](https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/)

------
JupiterMoon
Do security experts place less emphasis on virus scans because they do their
browsing on an OS for which virus scanning is less important?

EDIT: This question is partly motivated by wondering if a Linux browsing user
should be running a virus scanner?

~~~
Zikes
Security experts have more faith in their ability to avoid triggering a
scenario where a virus has the chance to gain a foothold. That's why there's
such an emphasis on patches, to plug the holes they can't personally see to.

------
medmunds
Not entirely surprising the experts ranked "install software updates" #1, but
it didn't even make the non-experts' top 5.

We, as an industry, still have a long way to go in making it easy and safe for
consumers to keep their software up to date. Have you ever tried to explain to
someone (outside the industry) which "click to install the latest version"
messages are important to obey, and which are malicious?

~~~
jacquesm
And which, even when they are not intended to be malicious, will break your
system in an unrecoverable way...

------
peterwwillis
This seems misleading. Good security jerks know that there isn't a rule that
works for everything. This list might be a little misleading to the
non-security jerks.

For example, 'software updates' are half the battle, but the other half of the
battle is configuring your software to be more secure (browser sandboxing,
NoScript, pop-up blockers, malware detectors, OS hardening).

All the rest of the security concerns are authentication-based, but there are
very few accounts that are important enough to need a secure account. Banks
and money transfer services, business accounts (taxes, professional services,
ebay/etsy merchants, etc), followed by e-mail accounts, are probably the only
really critical accounts most people have. You can hack my Facebook or my
Huffington Post account; it doesn't really threaten my safety.

I think the one thing _nobody_ does that would actually matter to them
eventually is keep offline backups. Facebook might lose all your pictures and
FB messages tomorrow. They have _zero_ responsibility to keep that crap for
you. If you do get hacked and someone deletes all your pictures, don't go
crying to Facebook; they have enough problems.

At the end of the day, the biggest threat to your online safety in general is
malware. Once malware is on your device it's game over.

------
Canada
Something obvious seems missing:

Our systems can be hacked, expert or not. Minimize online footprint. Do not
keep years and years of email and other stuff on Internet connected devices,
back it up to external media.

------
nhf
A plug for our paper, also at the SOUPS conference. We tackled a similar
topic, but with a different method and broader focus (how experts and
non-experts in general conceptualize the internet as a system):
[https://www.usenix.org/system/files/conference/soups2015/soups15-paper-kang.pdf](https://www.usenix.org/system/files/conference/soups2015/soups15-paper-kang.pdf)

It's great to see a large company like Google focusing on this kind of work
though.

------
platz
How do I apply my patch, patch, patches to TurboTax, Adobe Reader, and Skype?

I don't think we're talking about the same applications here when comparing
security experts and non-experts.

------
progmal1
I am going to have to go with the non-experts on items 4 and 5.

~~~
JupiterMoon
In terms of only visiting websites you know: unless you block adverts, most
websites you know serve a lot of content from organisations you don't know.

------
cmurf
I've had my mom use LastPass for a couple of years, and just recently enabled
grid multifactor auth (free). The main thing about their multifactor options
is you can optionally "trust" a computer and only do multifactor on it once.
So she won't have to ever use multifactor, but it's mandatory elsewhere, which
essentially keeps everyone else out while not changing her workflow.

------
noipv4
Name-brand home router vs. pfSense router.

------
ozim
Seems like another attempt by Google to get phone numbers from users. Experts
are using two-factor authentication, review your security settings and give us
your phone number. Maybe I am a bit paranoid...

------
ipsn
Odd that they did not mention VPN, Tor, User Agent spoofing, tracker blockers,
flash blockers, and so on.

------
rilita
What kind of security experts are they talking to... My personal list of most
important things to do:

1. Run a version of Linux (Windows is simply insecure)

2. Use Firefox + NoScript and only ever temporarily allow JS to run as
needed. (JS is -not- safe and at any point in time there are at least a
handful of zero day exploits)

3. Use an offline password manager (KeePass)

4. Use a secure anonymous non-logging VPN for all internet use

5. Use a paid private email account, not some free one

6. Use VMs for running software that may not be safe

~~~
eldridgea
Those sound good but I'm shying away from Firefox at the moment for security.
I love their open source approach and would prefer my browser to be open
source.

However Firefox does not have tab sandboxing, extension sandboxing, or process
isolation. These are pretty standard features in most browsers now (except for
process isolation which seems to be Chrome only at present).

