We know security and usability are orthogonal - do you?

Heated debate


Our recent article about the fine line between security and usability started some very interesting discussions and active criticism, most of which was targeted at us - suggesting that security and usability do not form a one-or-the-other type relationship (or are at least far more independent than dependent on each other).

We already know that, and now you know that.

Why we chose to represent it that way is because many developers, users, and administrators don't see it any other way. To them, if you improve the security of a piece of software it generally means they believe they have given up some usability to achieve that goal, and vice versa.

While a greater understanding of secure development practices and security as a part of the design process means that more applications are being created without needing to sacrifice usability for security, many users have been conditioned into thinking that a tightening of security means reduced usability.

If you still think that is not the case, consider two recent examples that have affected both Apple and Microsoft.

In Apple's case, the way its firewall handled incoming connections to various services when "Block all incoming connections" was selected was not very well defined - leading to public criticism and complaints. While the firewall was performing an okay job, the lack of accurate information presented to the user marked an example where usability trumped security and there was a perceived problem. An update to OS X to address this issue brought security and usability into more harmony, without either having to suffer.

In Microsoft's case, the User Account Control (UAC) feature associated with Vista is a security mechanism that seeks to help protect the user and warn the user of applications and data that is trying to access system components that would otherwise require an administrator-level account.

The only problem is that decades of applications being able to run at administrator equivalent levels has resulted in a glut of software that claims to require administrator access to successfully install and operate on Windows. The net result is that the user encounters a usability issue with their shiny new operating system, as a security component seems to be running in overdrive and actually reducing the efficiency of the user with seemingly constant interruption.

Even a simple Google search for "UAC Vista" brings up numerous guides and how-tos for disabling UAC, immediately after the Microsoft TechNet entry describing what UAC is. If the added security provided by the UAC wasn't causing such a usability problem, then those guides on disabling UAC would not appear so prominently (and so many of them) on a simple, generic "UAC Vista" search.

Other criticism focused on the discussed JET engine vulnerability. As far as it is concerned, differentiating between "not critical" and "critical" is something that can be a hot topic.

Some recent comments suggested the vulnerability may not be as bad as initially reported, since it is possible to use the .mdb file as a vehicle to execute other code, such as scripts or anything that might wipe out a database. This is true, but if access to JET-dependent software has been properly ACLed then it only affects the local user/what the user has access to. What has been described by cocoruder is a mechanism that does not rely upon this behaviour - instead it exploits a stack overflow to take control over the system running the JET service.

This is a critical problem as it allows a lower privileged user, who has access to operate access, the ability to take full control of the system - a problem when it comes to shared environments like web hosts. Normally they would have the ability to go haywire in the context of their account access, but now it offers them the ability to reach outside their account and gain system-wide access.

It would be like discovering that .vbs files could be compromised to run at SYSTEM level through a simple overflow, when it is already well known that they can contain system commands and any number of other potentially harmful directives.

That is why it is considered a critical vulnerability.

Doubters are welcome to argue their position, and all criticism is welcome. Before you do, though, consider the arguments raised above and whether they completely address what you would argue from.

This article originally appeared on Sûnnet Beskerming.

© 2007 Sûnnet Beskerming Pty. Ltd.

Sûnnet Beskerming is an independent information security firm.


Other stories you might like

  • Firefox kills another tracking cookie workaround
    URL query parameters won't work in version 102 of Mozilla's browser

    Firefox has been fighting the war on browser cookies for years, but its latest privacy feature goes well beyond mere cookie tracking to stop URL query parameters.

    HTML query parameters are the jumbled characters that appear after question marks in web addresses, like website.com/homepage?fs34sa3aso12knm. Sites such as Facebook and HubSpot use them to track users when links are clicked, and other websites like YouTube use them to enable certain site features too.

    On June 28, Firefox 102 released a feature that enables the browser to "mitigate query parameter tracking when navigating sites in ETP strict mode." ETP, or enhanced tracking protection, encompasses a variety of Firefox components that block social media trackers, cross-site tracking cookies, fingerprinting and cryptominers "without breaking site functionality," says Mozilla's ETP support page.

    Continue reading
  • Old school editor Vim hits version 9 with faster scripting language
    All of the famed user-friendliness and ease of use, but 'drastically' better performance

    Old school editor fans, rejoice: some two and a half years after version 8.2, Vim 9 is here with a much faster scripting language.

    Vim 9 has only a single big new feature: a new scripting language, Vim9script. The goal is to "drastically" improve the performance of Vim scripts, while also bringing the scripting language more into line with widely used languages such as JavaScript, TypeScript, and Java.

    The existing scripting language, Vimscript, remains and will still work. Only scripts beginning with the line vim9script will be handled differently. The syntax changes are relatively modest; the important differences are in things like local versus global variables and functions, and that functions defined with :def will be compiled before they are run. This allows many errors to be caught in advance, but more significantly, compiled functions execute from 10× to 1000× faster.

    Continue reading
  • Iceotope: No need to switch servers to swap air-cooled for liquid-cooled
    Standard datacenter kit just needs a few tweaks, like pulling off the fans

    Liquid cooling specialist Iceotope claims its latest system allows customers to easily convert existing air-cooled servers to use its liquid cooling with just a few minor modifications.

    Iceotope’s Ku:l Data Center chassis-level cooling technology has been developed in partnership with Intel and HPE, the company said, when it debuted the tech this week at HPE’s Discover 2022 conference in Las Vegas. The companies claim it delivers energy savings and a boost in performance.

    According to Iceotope, the sealed liquid-cooled chassis enclosure used with Ku:l Data Center allows users to convert off-the-shelf air-cooled servers to liquid-cooled systems with a few small modifications, such as removing the fans.

    Continue reading
  • Gartner predicts 9.5% drop in PC shipments
    Stark contrast to 11 percent increase year-over-year in 2021 shipments

    The party is over for PC makers as figures from Gartner suggest the market is on course for a breathtaking decline this year.

    According to the analysts, worldwide PC shipments will decline by 9.5 percent, with consumer demand leading the way – a 13.5 percent drop is forecast, far greater than business PC demand, which is expected to drop by 7.2 percent year on year.

    The PC market in the EMEA region is forecast to fare even worse, with a 14 percent decline on the cards for 2022. Gartner pointed the finger of blame at uncertainty caused by conflicts, price increases and simple unavailability of products. Lockdowns in China were also blamed for an impact in consumer demand.

    Continue reading

Biting the hand that feeds IT © 1998–2022