{"id":305366,"date":"2011-12-20T12:20:25","date_gmt":"2011-12-20T20:20:25","guid":{"rendered":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/?p=305366"},"modified":"2016-10-13T10:42:12","modified_gmt":"2016-10-13T17:42:12","slug":"fresh-perspective-internet-security","status":"publish","type":"post","link":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/blog\/fresh-perspective-internet-security\/","title":{"rendered":"A Fresh Perspective on Internet Security"},"content":{"rendered":"<p><em>By Douglas Gantenbein, Senior Writer, Microsoft News Center<\/em><\/p>\n<p>People don\u2019t do enough to protect themselves on the Internet. They don\u2019t use good passwords. They\u2019re poor at recognizing the URL of \u201cphishing\u201d sites. They ignore certificate errors.<\/p>\n<p>Yet, to <a href=\"https:\/\/newed.any0.dpdns.org\/en-us\/research\/people\/cormac\/\" target=\"_blank\">Cormac Herley<\/a>, that\u2019s perfectly rational behavior, because people sense that all the headaches of keeping up to date on security probably aren\u2019t worth the trouble. Time spent constantly changing passwords or taking other security steps is valuable time lost, he says. 
By comparison, Herley says, the reduction in the risk of having an account hacked, or of some other security problem, is relatively minor.<\/p>\n<div id=\"attachment_305372\" style=\"width: 320px\" class=\"wp-caption alignleft\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-305372\" class=\"size-full wp-image-305372\" src=\"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-content\/uploads\/2016\/10\/Cormac-Herley.png\" alt=\"Cormac Herley\" width=\"310\" height=\"400\" srcset=\"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-content\/uploads\/2016\/10\/Cormac-Herley.png 310w, https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-content\/uploads\/2016\/10\/Cormac-Herley-233x300.png 233w\" sizes=\"auto, (max-width: 310px) 100vw, 310px\" \/><p id=\"caption-attachment-305372\" class=\"wp-caption-text\">Cormac Herley<\/p><\/div>\n<p>Herley\u2014a principal researcher in the Machine Learning Department at <a href=\"https:\/\/newed.any0.dpdns.org\/en-us\/research\/lab\/microsoft-research-redmond\/\" target=\"_blank\">Microsoft Research Redmond<\/a>\u2014has gained attention for his argument that much of what security experts insist people do to protect themselves not only ignores the real threats but is also a waste of money.<\/p>\n<p>\u201cAn ounce of prevention may be worth a pound of cure,\u201d he says, \u201cbut a pound of prevention is not better than an ounce of cure. If you can\u2019t quantify how much of each you need, you\u2019re simply hand-waving.\u201d<\/p>\n<p>In the past five years, Herley\u2014working solo or with colleagues\u2014has written about 20 papers that address many aspects of computer security: the prevalence of cybercrime, security advice for computer users, phishing prevention, and much more. 
With a deep background in signal processing and data analysis, he has taken an empirical approach to the problem of security, casting a critical, cost-benefit eye on what \u201ceveryone knows\u201d is the best way to stay safe on the web.<\/p>\n<p>In particular, Herley says, we rely too much on password strength. We are encouraged to use \u201cstrong\u201d passwords that go beyond the name of a pet or \u201c12345\u201d\u2014and to change them regularly.<\/p>\n<p>Such guidance isn\u2019t necessarily a bad thing.<\/p>\n<p>\u201cA strong password does make it harder for someone to guess or brute-force your password\u2014this is unarguably true,\u201d Herley says. \u201cStronger passwords have benefit. But they also have a cost. What\u2019s unclear is whether the benefit is greater or less than the cost.\u201d<\/p>\n<h2>Hidden Costs of Security<\/h2>\n<p>That\u2019s because adhering to strict security standards takes time and effort. In a paper published in 2009, Herley argues that people who break the usual password \u201crules\u201d\u2014using weak passwords, not changing passwords regularly, using the same password for multiple accounts\u2014are acting rationally, not simply being lazy or careless.<\/p>\n<p>In his paper <a href=\"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-content\/uploads\/2016\/10\/SoLongAndNoThanks.pdf\" target=\"_blank\"><em>So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users<\/em><\/a>, Herley notes that Internet users, on average, have 25 password-protected accounts to manage. 
They have an average of 6.5 distinct passwords, using each at an average of 3.9 sites\u2014breaking the common guidance to avoid reusing passwords.<\/p>\n<p>Following the guidance against reusing passwords, Herley argues, would cost a user 3.9 times the effort, yet the benefit is hard to quantify.<\/p>\n<p>Or, as Herley writes, with 180 million online adults in the United States, an hour of user effort is worth $2.6 billion and a minute per user per day is worth $15.9 billion per year. Instead of viewing users as incomprehensibly lazy, he suggests that security experts should treat them \u201cas a professional who bills at $2.6 billion per hour and whose time is far too valuable to be wasted on unnecessary detail.\u201d<\/p>\n<p>This is the \u201cexternality\u201d of the paper\u2019s title: the cost of following the advice falls on users, whose time is assumed to be free when in fact it adds up rapidly.<\/p>\n<h2>Fishy Approach to Phishing<\/h2>\n<p>Herley says that other common efforts to enhance security suffer from similar faults. Because of phishing and other spoofing attacks, it\u2019s clear that Internet users need protection.<\/p>\n<p>But to \u201cread\u201d a URL for phishing, an Internet user must look for numeric IP addresses, subtle spelling changes in the address bar, incorrect top-level domains, misplaced punctuation, and more. All of that takes time\u2014again, against a threat that might be remote or mitigated relatively easily.<\/p>\n<p>In Herley\u2019s analysis, efforts by web users to master the intricacies of phishing should average no more than 2.6 minutes <em>per year<\/em>. 
Anything more, and the aggregate cost of users\u2019 time begins to outweigh the annual cost of phishing in the United States, about $60 million.<\/p>\n<p>The same caution pertains to recognizing certificate errors, the warnings a browser shows when a site reached over a Secure Sockets Layer (SSL) connection, the kind indicated by \u201chttps\u201d rather than \u201chttp\u201d in the URL, presents a certificate the browser cannot validate.<\/p>\n<p>But Herley says that to gain the benefit of SSL connections, the user must type the entire URL, including \u201chttps\u201d, or have the secure URL bookmarked. They also need to pay more attention to browser warnings about certificate errors.<\/p>\n<p>And for all of that, there is relatively little benefit. He asserts that virtually 100 percent of the certificate errors users actually encounter are false positives: legitimate sites whose certificates have a name mismatch or have expired.<\/p>\n<p>\u201cThe effort we ask of people is real,\u201d Herley writes, \u201cwhile the harm we warn them of is almost always theoretical.\u201d<\/p>\n<p>Herley certainly believes in web security. Strong passwords can prevent some attacks, for instance. But he advocates an approach to passwords that recognizes that people tend to pick common passwords. Why not let people use whatever they want, as long as that password has not reached a certain threshold of popularity within a website? He and two co-authors suggest that in a 2010 paper, <a href=\"https:\/\/newed.any0.dpdns.org\/en-us\/research\/publication\/popularity-is-everything-a-new-approach-to-protecting-passwords-from-statistical-guessing-attacks\/\" target=\"_blank\"><em>Popularity is Everything: A new approach to protecting passwords from statistical-guessing attacks<\/em><\/a>. The threat that approach targets is statistical guessing, in which an attacker tries the most common passwords against many accounts; capping how many users may share any one password bounds how many accounts such a guess can open.<\/p>\n<p>More broadly, Herley argues that most of what security experts ask people to do ignores the biggest threats. 
Forcing a password change every 60 days makes no sense if a person\u2019s computer is infected with a keystroke-logging program, which captures keystrokes people use\u2014including passwords\u2014and directs them to a malicious recipient. The new password will be compromised immediately. It would be better to invest in software that detects a logging virus than to constantly change passwords and then try to remember them.<\/p>\n<h2>Laughs During a Conference<\/h2>\n<p>Herley has delved into security issues relatively recently. He earned his bachelor\u2019s degree in electrical engineering at University College Cork in his native Ireland, received a master\u2019s degree in the same field from Georgia Tech, then earned a Ph.D. from Columbia University.<\/p>\n<p>Early in Herley\u2019s career, he specialized in image processing and signal analysis. But in the mid-2000s, he saw that password practices had been the subject of almost no rigorous research.<\/p>\n<p>\u201cIt was very under-studied, which surprised me,\u201d he says. \u201cPeople were spending all sorts of energies on lots of different security problems, but there was this gigantic elephant in the room, which was passwords. As far as the 2 billion users of the Internet are concerned, that would seem to dwarf everything else, yet it was receiving almost no attention.\u201d<\/p>\n<p>Herley realized he was on to something in 2007, when he was giving a talk on a paper he had co-written with Microsoft Research colleague <a href=\"https:\/\/newed.any0.dpdns.org\/en-us\/research\/people\/dinei\/\" target=\"_blank\">Dinei Flor\u00eancio<\/a>, titled <a href=\"https:\/\/newed.any0.dpdns.org\/en-us\/research\/publication\/a-large-scale-study-of-web-password-habits\/\" target=\"_blank\"><em>A Large-Scale Study of Web Password Habits<\/em><\/a>. 
The paper examined the password behavior of a half million web users\u2014their average number of passwords, how often they are changed, password strength, and more.<\/p>\n<p>During the talk, given to a crowd of security experts, Herley noticed that whenever he showed a slide or graph depicting poor password habits, he got a laugh.<\/p>\n<p>\u201cI\u2019m used to giving dry technical talks, and usually, you really have to work for the laugh,\u201d Herley says. \u201cSo I thought this was odd. What\u2019s funny about it?\u201d<\/p>\n<p>Herley began to think that security experts\u2019 mockery of everyday web habits showed that the experts were the ones out of touch, not the Internet users.<\/p>\n<p>\u201cThe job of the security experts is to produce technology that serves the need,\u201d he says. \u201cIf it isn\u2019t serving the need, don\u2019t laugh at it. Maybe some people on the web are dumb and lazy, but they are what they are.\u201d<\/p>\n<p>Rather than acknowledging that, Herley says, the security world instead keeps blasting people with more advice: Change passwords! Read URLs! Watch for phishing attacks!<\/p>\n<p>\u201cThe stuff has been accreting for 40 years,\u201d Herley says of security guidelines. \u201cIt never goes away.\u201d<\/p>\n<h2>The Media Tunes In<\/h2>\n<p>Herley began to look at the costs of adhering to web-security practices, compared with the benefits. That led to the 2009 <em>So Long, and No Thanks<\/em> paper, in which he made his case that most security advice achieves relatively little and comes with a cost.<\/p>\n<p>That\u2019s when Herley became a media sensation. 
<em>The New York Times<\/em> published <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" href=\"http:\/\/www.nytimes.com\/2010\/09\/05\/business\/05digi.html?_r=2&adxnnl=1&adxnnlx=1323908422-T6UNkeAbCJFb1nPkILYV0g\" target=\"_blank\">an article<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> on it. <em>The Boston Globe<\/em> and <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" href=\"http:\/\/www.zdnet.com\/blog\/service-oriented\/passwords-security-protocols-cost-more-than-they-save-says-microsoft-researcher\/4492?tag=search-results-rivers;item0\" target=\"_blank\"><em>ZDNet<\/em><span class=\"sr-only\"> (opens in new tab)<\/span><\/a> did, too, and dozens of other online sites and blogs followed suit. Almost all were sympathetic to the plight of password-afflicted Internet users.<\/p>\n<p>\u201cI was surprised by all that, having worked in different areas on various dry papers,\u201d he says. \u201cIt was hard to believe that I\u2019d tapped into something like populist rage.<\/p>\n<p>\u201cBut that is an advantage when you come at something from the outside. You haven\u2019t been captured by the consensus view\u2014\u2018Well, everyone knows this. We don\u2019t even think about it anymore.\u2019 And I was lucky to articulate some of this stuff in a way that resonated with a lot of people who are consumers of technology.\u201d<\/p>\n<p>Herley intends to keep poking at conventional wisdom.<\/p>\n<p>\u201cI learn far more when people come up to me and say, \u2018Herley, you\u2019re completely wrong, and here\u2019s why,\u2019\u201d he says. 
\u201cIt\u2019s bad for any field when everybody is agreeing with each other.\u201d<\/p>\n<h2>Credits Microsoft Research<\/h2>\n<p>Herley, who joined Microsoft Research in 1999 after a stint at HP Labs, the central research lab at Hewlett-Packard, credits the atmosphere at Microsoft Research with giving him the freedom to be creative and take risks.<\/p>\n<p>\u201cThere is just so much energy that comes from being around so many smart people,\u201d he says. \u201cAnd you get a lot of feedback here. Whenever you have kind of a crazy idea, it helps a lot to be able to bounce that idea off people who say, \u2018I don\u2019t work in that area, but it makes sense to me.\u2019<\/p>\n<p>\u201cAnd when you see so many people doing quality work, it really makes you want to raise the level of your own game. It really is a unique environment. I\u2019m amazed at the freedom it has given me.\u201d<\/p>\n<p>When not taking on the security status quo, Herley loves to hike in the Washington Cascades, and haunts fringe theater in Seattle.<\/p>\n<p>\u201cI like these underground garage places where they put on slightly edgier stuff and take some risks,\u201d he says. \u201cSometimes, it works, and sometimes, it doesn\u2019t, but \u2018if you\u2019re afraid of seeing bad theater, you\u2019re never going to see really great theater.\u2019<\/p>\n<p>\u201cI think the same is true of research. If you\u2019re afraid of having a project flop on you, you\u2019re never going to do really great stuff.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Douglas Gantenbein, Senior Writer, Microsoft News Center People don\u2019t do enough to protect themselves on the Internet. They don\u2019t use good passwords. They\u2019re poor at recognizing the URL of \u201cphishing\u201d sites. They ignore certificate errors. 
Yet, to Cormac Herley, that\u2019s perfectly rational behavior, because people sense that all the headaches of keeping up to [&hellip;]<\/p>\n","protected":false},"author":39507,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","msr-author-ordering":[],"msr_hide_image_in_river":0,"footnotes":""},"categories":[194489],"tags":[201057,214145,214139,186803,214142],"research-area":[13558],"msr-region":[],"msr-event-type":[],"msr-locale":[268875],"msr-post-option":[],"msr-impact-theme":[],"msr-promo-type":[],"msr-podcast-series":[],"class_list":["post-305366","post","type-post","status-publish","format-standard","hentry","category-security","tag-computer-security","tag-cybercrime","tag-internet-security","tag-passwords","tag-phishing-sites","msr-research-area-security-privacy-cryptography","msr-locale-en_us"],"msr_event_details":{"start":"","end":"","location":""},"podcast_url":"","podcast_episode":"","msr_research_lab":[199565],"msr_impact_theme":[],"related-publications":[],"related-downloads":[],"related-videos":[],"related-academic-programs":[],"related-groups":[],"related-projects":[],"related-events":[],"related-researchers":[],"msr_type":"Post","byline":"","formattedDate":"December 20, 2011","formattedExcerpt":"By Douglas Gantenbein, Senior Writer, Microsoft News Center People don\u2019t do enough to protect themselves on the Internet. They don\u2019t use good passwords. They\u2019re poor at recognizing the URL of \u201cphishing\u201d sites. They ignore certificate errors. 
Yet, to Cormac Herley, that\u2019s perfectly rational behavior, because&hellip;","locale":{"slug":"en_us","name":"English","native":"","english":"English"},"_links":{"self":[{"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/posts\/305366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/users\/39507"}],"replies":[{"embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/comments?post=305366"}],"version-history":[{"count":2,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/posts\/305366\/revisions"}],"predecessor-version":[{"id":305378,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/posts\/305366\/revisions\/305378"}],"wp:attachment":[{"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/media?parent=305366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/categories?post=305366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/tags?post=305366"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=305366"},{"taxonomy":"msr-region","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-region?post=305366"},{"taxonomy":"msr-event-type","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-event-type?post=305366"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=305
366"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=305366"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=305366"},{"taxonomy":"msr-promo-type","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-promo-type?post=305366"},{"taxonomy":"msr-podcast-series","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-podcast-series?post=305366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
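The checks the article lists under "Fishy Approach to Phishing" (numeric IP addresses, subtle spelling changes, incorrect top-level domains, misplaced punctuation), written out as an added example. This is not code from the original post or from Herley's papers; it is an illustration of how much a user is being asked to notice. The brand list, the lookalike table, the two-label approximation of a registrable domain and the sample URLs are all constructed for the example; real code would use the organisation's own domains and a public suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed brand list: a real deployment would use the organisation's own
# domains and a public-suffix list instead of this two-entry dictionary.
TRUSTED_BRANDS = {
    "paypal": "paypal.com",
    "bankofamerica": "bankofamerica.com",
}

# Digit substitutions that keep a name readable while changing the string
# (constructed table; extend for the brands you actually care about).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b"})


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Good enough for .com/.net/.org; suffixes such as co.uk need a public
    suffix list (an assumption of this example, not a general rule).
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def warning_signs(url):
    """Return the list of things a careful user is told to look for in a URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    signs = []

    if parts.scheme != "https":
        signs.append("not https")
    if parts.username is not None:
        # Everything before '@' is userinfo, not the host, so "paypal.com@evil.net"
        # actually connects to evil.net.
        signs.append("text before '@' is not the host; the real host is " + host)

    is_ip = True
    try:
        ipaddress.ip_address(host)
    except ValueError:
        is_ip = False
    if is_ip:
        signs.append("numeric IP address instead of a domain name")
    if "xn--" in host:
        signs.append("internationalised (punycode) label in the host")

    reg = host if is_ip else registrable_domain(host)
    label = "" if is_ip else reg.partition(".")[0]
    # Places a brand name can appear without the site belonging to the brand.
    elsewhere = " ".join([host, parts.path.lower(), (parts.username or "").lower()])

    for brand, legit in TRUSTED_BRANDS.items():
        if reg == legit:
            continue  # the genuine site; nothing to flag for this brand
        if label == brand:
            signs.append(f"{brand} under the wrong top-level domain: {reg} instead of {legit}")
        elif label.translate(LOOKALIKES) == brand:
            signs.append(f"lookalike spelling of {brand}: {label}")
        elif brand in elsewhere:
            # "paypal.com.evil.net": the dots are in the wrong place, so the
            # registrable domain is evil.net, not paypal.com.
            signs.append(f"mentions {brand} but the registrable domain is {reg}")
    return signs


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, the rest in the styles the article lists.
    for u in ["https://www.paypal.com/signin",
              "http://paypa1.com/login",
              "https://paypal.com.evil.net/",
              "http://192.168.0.10/paypal/",
              "https://paypal.co/",
              "https://paypal.com@evil.net/"]:
        print(u, "->", warning_signs(u) or ["no warning signs"])
```

Every branch in `warning_signs` is something the user is expected to do by eye, in the address bar, before typing a password; that is the cost Herley is weighing against the roughly $60 million annual loss.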
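The popularity-threshold idea from <em>Popularity is Everything</em>, which the article describes as letting people pick any password that has not become too popular on that site, worked through as an added example. The paper proposes keeping the popularity counts in a count-min sketch so that the site never stores a list of chosen passwords; the code below is my own illustration of that structure, not the paper's or Microsoft Research's code. The class name, the sketch dimensions, the fixed threshold of three users, the keyed hashing and the sample sequence of user choices are assumptions made for the example.

```python
import hashlib
import hmac
import os


class PasswordPopularityOracle:
    """Count-min sketch answering 'has this password become too popular?'

    Each password maps to one counter per row. The minimum over the rows
    estimates how many users have chosen it. Collisions can only push the
    estimate up, so the sketch may occasionally reject a password that is
    not really popular, but it never reports a popular one as rare. Because
    only counters are stored, a stolen sketch does not hand over a list of
    passwords.
    """

    def __init__(self, width=2 ** 16, depth=4, threshold=3, key=None):
        self.width = width          # counters per row (assumed default)
        self.depth = depth          # independent rows, one hash each
        self.threshold = threshold  # users allowed to share one password
        # Keyed hashing: without the key, an attacker holding the sketch
        # cannot even compute which counters a candidate password touches.
        self.key = key if key is not None else os.urandom(32)
        self.rows = [[0] * width for _ in range(depth)]

    def _indices(self, password):
        data = password.encode("utf-8")
        for row in range(self.depth):
            digest = hmac.new(self.key, bytes([row]) + data, hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def estimate(self, password):
        """Upper bound on how many users have chosen this password."""
        return min(self.rows[r][i] for r, i in self._indices(password))

    def is_too_popular(self, password):
        return self.estimate(password) >= self.threshold

    def register(self, password):
        """Accept the password if it is still under the popularity threshold.

        Counts are never decremented here: a password many users once chose
        stays 'popular' even after they change it, which is the conservative
        choice against an attacker guessing from historical popularity.
        """
        if self.is_too_popular(password):
            return False
        for r, i in self._indices(password):
            self.rows[r][i] += 1
        return True


def simulate_signups(choices, threshold=3, key=b"demo-key-not-for-production"):
    """Run a constructed sequence of password choices through one oracle.

    Returns (password, accepted) pairs in the order the users arrived.
    """
    oracle = PasswordPopularityOracle(threshold=threshold, key=key)
    return [(pw, oracle.register(pw)) for pw in choices]


# Constructed sample: several users reach for the same weak favourite.
SAMPLE_CHOICES = [
    "password1", "letmein", "password1", "password1",
    "correct horse battery staple", "password1", "letmein",
]

if __name__ == "__main__":
    for pw, ok in simulate_signups(SAMPLE_CHOICES):
        print(f"{'accepted' if ok else 'REJECTED'}: {pw}")
```

With the threshold at three, the fourth user to pick "password1" is turned away while everyone else, including a second "letmein", gets through: no password rule is imposed on anyone except the people converging on the same string, which is exactly the set an attacker running a statistical-guessing attack would benefit from. In a real deployment the threshold would be set as a fraction of the user base rather than a fixed count, and the sketch and its key would be protected like any other authentication secret.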