In information security, we often keep saying the same thing over and over again, because we know it's right. We tell people to never write down their passwords, to always validate their input, and to run IDS systems. Deep in our hearts, we know they don't, and yet we keep saying those things. We tell them they "have to" fix all the security problems all the time.

I'd like to go further, and do, in my reply to his post. At issue is our propensity to reflect all of the hardest problems in security today onto those who are least equipped or capable of handling them: end users. Nobody asks to get into the security business when they buy a computer; they want to entertain themselves, or positively contribute to some task, or fill an everyday need... yet we do ask. We ask everyone who buys a computer to join us in our perverse universe of paranoia. This is a lazy, improper, and unsustainable approach. If anyone is looking for the hardest problems to solve in our industry, look no further than your parents' complaints about their computer, your friends' complaints about websites, or your coworkers' complaints about corporate policy. We've left them holding the bag on the hardest problems.
My comment on Adam's post is reproduced below.
I write on this topic frequently... I can only hope more people begin to realize the seriousness of this problem, and that we must begin to make it a tractable one.