Better Identities


The Internet as an unstable medium

by ravi.

We are the generation of instant gratification and the Internet is our medium. Users have an ever-increasing hunger for information, cyber-offerings and interactive entertainment. Time to market is measured in hours and minutes and the first kid on the block is often the leader, even if he’s not the biggest and strongest. This culture has three distinct characteristics, all of which are impacting security today.

Firstly, the Internet culture is anonymous. We have free email, free web-space, free anonymisers and free Unix shells. We can register domains online, with credit cards; we can set up DNS servers for no charge. Cybercafes are open 24 hours a day and using them requires no identification. It is even possible to create totally fictitious services, companies or corporations – offering services that don’t exist. It’s easy to be anonymous on the Internet.

Secondly, the culture is spoiled – always giving users exactly what they want. As the Internet becomes more and more mainstream, companies design software to be more and more “user-friendly”. It’s an OK/Continue button-clicking culture and the less the user understands of what’s actually going on, the better.

Thirdly, the Internet is about hype. Chain letters from Apple claiming that you could get a free iPhone flood Internet links every day. Users believe that Bill Gates will pay them each $1000 if they forward messages to everyone in their address book telling them about Microsoft Office.

It is this culture that has made Microsoft one of the most successful software companies in the world. Microsoft gives people what they want. What people want is software that is simple and easy to use and that masks the technical complexity. It’s this requirement that creates security problems. If people don’t understand how the technology works, they’ll never understand the security issues. There will always be bad people tricking dumb users into making their computers do things they shouldn’t. So how do we safeguard against these types of “social-technological” attacks?

The problem is complex and can’t be solved simply by throwing more and more technology at it. What’s required is a paradigm shift – probably uncomfortable but essential for a long-term stable Internet economy. Here are some suggestions:

Education of users

The problem with the Internet is that many people accept anything offered to them over the Internet as OK, the same way they believe ‘the computer is always right’. Users need to be educated not to trust everything they’re offered. This is largely the responsibility of software houses and service providers.

Fix the software

Software should be written to be more security-aware. Practices like enforcing the verification of server certificates protect the user, and force site builders and administrators to implement SSL in the correct way. Today’s software provides too many possibilities for the user to screw themselves without knowing it.

Accountability

Why do we require drivers to have a license when driving on the roads while users surf the information highways without any identification at all? In Malaysia, one is required to provide positive identification before using Internet-connected computers in cyber cafes. A raised level of accountability on the Internet will go a long way to discourage criminals from using the Internet as their vehicle.

Conclusion

The weakest link will always be the user. We’ll never be able to encrypt that post-it note on the screen. It is only by security awareness and user education that we make IT security technology work for us. Don’t assume that a person who does stupid things in real life is not going to do them in an online world. Computers don’t make people intelligent.

Credits: Roelof Temmingh