Security through apathy
2015-Dec-27, Sunday 10:17

So Steam fucked up big.
I got kind of lucky in that softlykarou and I were at my parents' house, so I wasn't on Steam at all, and I only learned about the problem when scrolling through Twitter and someone retweeted a Kotaku tweet telling people to go in and remove their payment info. Except that's literally the worst thing they could have said, because as the top article says, it was a page-caching error, and logging in would probably just give you someone else's page while adding your own page to the cache and letting other people see it. And you still couldn't make changes. Oops. It didn't expose people's credit card information as far as I know, but full name and address were visible.
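To make the caching failure described above concrete, here is an added illustration (not code from the post, from Valve, or from the linked article) of a shared edge cache sitting in front of a per-user account page: when the origin labels that page as publicly cacheable, the first user's rendered page is stored under the URL alone and served to everyone who asks for it afterwards, which is exactly why "go log in and change things" makes it worse. All names, sessions and profile data are constructed.

```python
# Added illustration, not code from the post or from Valve: a minimal model of a
# shared (multi-tenant) cache keyed on the URL, as a CDN or reverse proxy would be,
# in front of a per-user "/account" page. All names and data are constructed.

# Constructed session -> profile mapping; the profile page is what gets leaked.
PROFILES = {
    "sess-alice": "Alice Example, 1 Main St",
    "sess-bob": "Bob Example, 2 Side Rd",
}

def origin(path, session, misconfigured):
    """Origin server. Returns (body, headers) for the logged-in user."""
    if path != "/account":
        return "not found", {"Cache-Control": "no-store"}
    if misconfigured:
        # Per-user content with a public caching policy: the bug.
        headers = {"Cache-Control": "public, max-age=600"}
    else:
        # Correct policy for per-user pages: never store in a shared cache.
        headers = {"Cache-Control": "private, no-store"}
    return PROFILES[session], headers

class SharedCache:
    """Shared cache keyed on the URL only; it never looks at the session."""
    def __init__(self):
        self.store = {}

    def fetch(self, path, session, misconfigured):
        if path in self.store:
            return self.store[path]          # served without consulting the session
        body, headers = origin(path, session, misconfigured)
        cc = headers.get("Cache-Control", "")
        if "private" not in cc and "no-store" not in cc:
            self.store[path] = body          # stored under the URL alone
        return body

def page_seen_by_each_user(misconfigured):
    """Alice loads /account first, then Bob. Returns what each of them sees."""
    cache = SharedCache()
    alice_sees = cache.fetch("/account", "sess-alice", misconfigured)
    bob_sees = cache.fetch("/account", "sess-bob", misconfigured)
    return alice_sees, bob_sees

if __name__ == "__main__":
    print("misconfigured:", page_seen_by_each_user(True))   # Bob gets Alice's page
    print("fixed:        ", page_seen_by_each_user(False))  # each user gets their own
```

The defender's check is on the origin side: any response that varies by logged-in user must carry `Cache-Control: private` (or `no-store`), and a shared cache that ignores those directives reproduces the leak regardless of what the origin sends.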
I still haven't gotten an e-mail or anything from Valve about this, by the way.
This is just feeding into my conviction that computer security doesn't exist for the end user. You can make things worse, by using the same password everywhere or running unsecured Java or whatever, but unless you rigidly practice OPSEC when feeding information to different websites, you're only as secure as the company you deal with that cares the least about security. And none of them will care that much until the cost of breaches is higher than the cost of letting things slide, because for the average end user, on the security <---> usability sliding scale, things are already too far toward the security end.
It's why I talk about "security through apathy." Your best defense is hoping that no one cares enough to target you personally. And most of the time you'll be right, but if you're not...
no subject
Date: 2015-Dec-27, Sunday 20:07 (UTC)

There is a lot of discussion in the security business about "hur hur user is always the weak link" which invites some to call for more awareness training, and others to ask why we aren't making systems that don't fail so easily in the first place.
I believe we've actually made a lot of progress towards the latter. But in any case where liability for breaches doesn't fall on individual users, it's natural for them to be apathetic.
no subject
Date: 2015-Dec-27, Sunday 21:33 (UTC)

"But in any case where liability for breaches doesn't fall on individual users, it's natural for them to be apathetic."

Yeah. And there's little enough that users can do in a lot of cases that putting responsibility on them would just increase overall anguish without really driving any changes. I'm not sure there's any way to thread the needle between "data breaches won't happen to me, so I don't need to do anything" and "data breaches happen all the time, so anything I do is pointless" among a wide enough section of the public to make a difference.