Entries tagged with “home users” from O'Reilly Radar

Wed, Jun 10, 2009

John Viega Talks About Beautiful Security

by James Turner

John Viega is the co-editor of Beautiful Security, the latest in O'Reilly's "Beautiful" series. He recently talked to me a bit about what makes security beautiful, and what demands modern security problems place on end users and administrators.

James Turner: With Beautiful Code and Beautiful Data, you can think about code or data that's elegant or has a simplicity to it. When you think about security, you tend to think about diligence and slogging and going through logs and not things you would associate with being beautiful. How do you make security beautiful?

John Viega: The idea behind Beautiful Security was that -- you're right, security is not beautiful in the same way that code is. It's often a lot of grunt work, and it's just very challenging to build a good system, not necessarily fun. Although, there are a lot of people who do enjoy it. The idea behind Beautiful Security is more that it's beautiful when you can actually provide somebody an experience that's both secure and easy to use.

James Turner: To some extent, isn't that, in most organizations, diametrically opposed in that the more secure things get, the more you start hearing, "Oh, we can't do that because we can't open that port up or whatever"? And, in my experience, the more of one you get, the less of the other you get.

John Viega: It's usually the case that as you add more security, the usability goes away or as you add more usability, the security goes away. But it doesn't have to be that way. With a well designed system, often you can make it both easy to use and more secure at the same time. And there are certainly examples of that in Beautiful Security, the book. Things like password systems, for instance. If you do them very well, you can make something that's more easy to use and more secure than a traditional password system.

James Turner: When you think about security, there's different layers depending on your level of savviness and the needs you have. If we could just take a couple of minutes to address the various levels. Let's start at the lowest level. For Joe Blow, home user with cable or a fiber or a DSL line, has it gotten to the point where they have no way of realistically knowing if they're secure or not?

John Viega: For the home user, I think the security industry does a disservice about making things seem a lot worse than they really are. The security industry sells fear, uncertainty and doubt. Pretty recently, it was revealed that Symantec had been giving gross overestimations of the number of people infected by Conficker, I think. The average home user, as long as they are not doing anything dangerous that leaves them prone to social engineering or out in a very hostile environment like potentially a conference, they're usually okay. So on your home network, you're behind a NATing firewall usually. So there's really little threat from the outside world, except what the user browses to. And then there are tools like Site Advisor that can help make the browsing experience a lot more safe as well.
