Listening to users is the first step in making them secure

Quinn Norton's lecture A Network of Sorrows: Small Adversaries and Small Allies at Hack.lu (helpfully transcribed by the Open Transcripts folks!) is a great call-to-arms for user-centered security.


Norton says that the only way we'll make things secure is if we listen to users when they explain their insecure behavior, but points out that the users who need security the most will never be able to afford to speak to real security experts: the kids at the public schools and the nurses at the hospitals that are taken over by ransomware creeps.

So, people are not stupid about their security and their privacy. But they’ve been lied to. And that’s part of the problem that we as a community are in a position to help with, to fix. And one of the other things I think gets disconnected between technicians of all stripes and the people who are not in their fields is that we often think people don’t listen or don’t care because we forget that this isn’t other people’s jobs. If you are sitting in this room, to some degree people are paying you to use a long password. People are paying you to worry about key management. If you are a trash collector or radiologist or a lawyer, this takes away from your work day.


So honestly, one of the reasons we want to bring good tools to where people are is because if you have a radiologist, you don’t want your radiologist to learn PGP. I promise. You want your radiologist to look at your frickin’ scans. You want them to look at it again. You don’t want them to worry about whether their communications with you are encrypted. Because that’s time that they’re going to take away from trying to spot something on your lungs. Which would you really rather they do?

So, we specialize in society for a reason. Because we really want people to pick up our trash. We really want people to defend us, or protect us, from the law. We really want doctors to find the things and fix them that are wrong with us. And we really don’t want those people taking their time away from that to learn how to do what we do. Until you are ready to go spend a day of the week picking up everybody else’s trash, you’re not in a position to tell everybody else to learn how to do your job.


A Network of Sorrows: Small Adversaries and Small Allies [Quinn Norton/Hack.lu]


(via 4 Short Links)