27 December 2015 @ 10:17 am
Security through apathy  
So Steam fucked up big.

I got kind of lucky in that softlykarou and I were at my parents' house, so I wasn't on Steam at all, and I only learned about the problem when scrolling through Twitter and someone retweeted a Kotaku tweet telling people to go in and remove their payment info. Except that's literally the worst thing they could have said, because as the top article says, it was a page-caching error, and logging in would probably just give you someone else's page while adding your own page to the cache and letting other people see it. And you still couldn't make changes. Oops. It didn't expose people's credit card information as far as I know, but full name and address were visible.
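The failure mode described above, modelled as an added example (not code from the post or from Valve): a shared cache keyed on the URL alone stores a per-user account page that carries no Cache-Control header, so the next visitor to the same URL gets the previous user's details. The session cookies, names and addresses are constructed; the fix shown is the standard one of marking per-user responses private/no-store so a shared cache refuses to keep them.

```python
"""Toy model of a shared page cache in front of an app serving per-user pages."""
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


class SharedCache:
    """Keyed on URL only, the way a CDN or reverse proxy is set up for public pages."""

    def __init__(self):
        self.store = {}

    def cacheable(self, resp):
        cc = resp.headers.get("Cache-Control", "").lower()
        # A shared cache must never store a response marked private or no-store.
        return not any(tok in cc for tok in ("private", "no-store"))

    def fetch(self, url, session, origin):
        if url in self.store:
            return self.store[url]  # cache hit: whoever asks gets the stored page
        resp = origin(url, session)
        if self.cacheable(resp):
            self.store[url] = resp  # the page is now served to everyone
        return resp


# Constructed sessions: cookie -> account owner's details.
SESSIONS = {"cookie-alice": "Alice, 1 Main St", "cookie-bob": "Bob, 2 Elm St"}


def account_page_unsafe(url, session):
    # Bug: a per-user page emitted with no Cache-Control header at all.
    return Response(f"Account details: {SESSIONS[session]}")


def account_page_safe(url, session):
    # Fix: mark the response private so shared caches will not store it.
    return Response(f"Account details: {SESSIONS[session]}",
                    {"Cache-Control": "private, no-store"})


def simulate(origin):
    """Alice views her account first; return the body Bob then sees at the same URL."""
    cache = SharedCache()
    cache.fetch("/account", "cookie-alice", origin)
    return cache.fetch("/account", "cookie-bob", origin).body
```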

I still haven't gotten an e-mail or anything from Valve about this, by the way.

This is just feeding into my conviction that computer security doesn't exist for the end user. You can make things worse, by using the same password everywhere or running unsecured Java or whatever, but unless you rigidly practice OPSEC when feeding information to different websites, you're only as secure as the least security-conscious company you deal with. And none of them will care that much until the cost of breaches is higher than the cost of letting things slide, because for the average end user, on the security <---> usability sliding scale, things are already too far toward the security end.

It's why I talk about "security through apathy." Your best defense is hoping that no one cares enough to target you personally. And most of the time you'll be right, but if you're not...
Current Mood: pessimistic
Current Music: Jake Kaufman - The Betrayer (Enchantress Final Form)
fristle on December 27th, 2015 08:07 pm (UTC)
As soon as I saw this Steam thing, it didn't look like a hack, so I just LOLed and went about enjoying my day off. But even if it had been a hack, a cardholder's payment info being compromised in a data breach is officially not the cardholder's problem, which is how the system is structured – the cost of fraud is carried by everyone as a group. So maybe it wasn't apathy, but just a perfectly rational response? If I was the average Steam user with hundreds of games maybe it would have been a small panic moment, maybe.

There is a lot of discussion in the security business about "hur hur user is always the weak link" which invites some to call for more awareness training, and others to ask why we aren't making systems that don't fail so easily in the first place.

I believe we've actually made a lot of progress towards the latter. But in any case where liability for breaches doesn't fall on individual users, it's natural for them to be apathetic.
dorchadas on December 27th, 2015 09:33 pm (UTC)
I know that for me, the main thing I worry about with fraud is having to change all my information everywhere and accidentally missing a payment somewhere due to a new card number, because that's something that's actually happened to me.

But in any case where liability for breaches doesn't fall on individual users, it's natural for them to be apathetic.

Yeah. And there's little enough that users can do in a lot of cases that putting responsibility on them would just increase overall anguish without really driving any changes. I'm not sure there's any way to thread the needle between "data breaches won't happen to me, so I don't need to do anything" and "data breaches happen all the time, so anything I do is pointless" among a wide enough section of the public to make a difference.