I don't agree with 100% of this article, but it's sufficiently true and well explained that it's worth reading the whole thing. Quinn Norton reports that "Everything is broken":
It was my exasperated acknowledgement that looking for good software to count on has been a losing battle. Written by people with either no time or no money, most software gets shipped the moment it works well enough to let someone go home and see their family. What we get is mostly terrible.This near-perfectly expresses the problem with software. The only point I'd differ on is that it's not even that it "works well enough" - in reality it's shipped when it's perceived to work well enough by people who generally aren't able to tell how well it's actually working.
It's certainly true that people are awful users of software. This is generally because software is written and tested by people who are completely unrepresentative of the software user base. Here's an example from today. I try to connect, using Firebox, to a website which I happen to know has a problem with its security certificate (it's been revoked by the owner). Here's what I get:
OK, so let's suppose that I'm my mother. What the hell am I supposed to do with that information? It's good that Firebox has recognised that the site is broken and has stopped me connecting to this site - but "Please contact the website owners to inform them of this problem"? Seriously? How do I even know who the "website owners" are? Chrome is a little bit better - it warns that "if you try to visit [site] now you might share private information with an attacker" and suggests reloading the site in a few minutes or using a different wifi network, but it says that "something is interfering with your secure connection" when it would be better to say something like "I can't make a secure connection to this website - I've checked a couple of other websites and secure connections to them are OK, so it's probably just something wrong with this particular website". Chrome and Firefox's error messages in this situation are reasonably useful, but they're written for reasonably technically-savvy people - not for the vast majority of their user base.
As Quinn notes, for relatively non-technical people who don't generally have control over their computers, security is essentially impossible:
What's the best option for people who can't download new software to their machines? The answer was unanimous: nothing. They have no options. They are better off talking in plaintext I was told, "so they don’t have a false sense of security."I think this is slightly pessimistic. Doing everything in plaintext makes it trivially easy for the intelligence agencies, crackers and other ne'er-do-wells to scoop up everything. Better is to ensure that the world uses such a diverse and changing ecology of software and hardware that even concerted efforts to compromise a security system will only yield a relatively small fraction of the world - we can't stop those people from compromising our security if they really want to, but at least we can make the bastards work hard for it.
No comments:
Post a Comment
All comments are subject to retrospective moderation. I will only reject spam, gratuitous abuse, and wilful stupidity.