Today, I had to take a trip to the Apple Store. Because of all of the things that could break on my computer, the most important one that I can’t live without started misbehaving: my trackpad.
After checking in, leaving a trail of umbrella drips from the front door to the upstairs Genius Bar, and getting my machine ready to be all fixed up, I was ready to surrender my darling little machine to the powers that be so that what was broken could be fixed in-warranty. I entertained a round of interrogation about the colorful stickers on my laptop— “Oh, that’s Threatbutt, it’s a totally innovative security thing that only the smartest people know about!’’ and once my machine was whisked away, I sat back and observed the interactions going on between the people near me.
To my right, an older woman had brought in her computer because it wouldn’t connect to the internet. She had been hunting down the perfect quilting pattern for her granddaughter’s wedding gift, and while downloading templates, she had somehow added 45 different extensions to her browser. Hidden in these malicious extensions were competing strains of adware that were running amok on her machine, making it impossible for it find its way to the internet and transfer any sort of data back and forth.
Behind me, another woman had a similar issue: her twenty-something daughter was telling her to download a new app that was just ~*to die for*~ on her computer, and she did. But once she downloaded it, the app disappeared and couldn’t be found on her computer or phone. For the past few days, she had gone to the web and searched for the app to download again, but didn’t understand why it wasn’t showing up on her device. A few minutes later, the was clear: after she downloaded the app from the first Google result on the web, she opened iTunes and tried dragging the app onto her phone while it was syncing with her computer. As a result of downloading software from an untrusted source, she had adware on her machine. When the technician explained what this was and why it happened, she sighed deeply and had a positively dejected look on her face.
“My daughter kept telling me to download this app on my phone— she lives in Miami— and I tried, I really did. My husband used to do these things for me and he was so patient, but he passed away last year…I have absolutely no idea what any of this is. Everyone else seems to be having so much fun with these apps and things, and I want to enjoy technology with them, but that just doesn’t feel like it’s ever going to happen. I spend more time scared I’m going to break the damned thing than I do having fun with it.”
Another quite sassy lady sitting across the table from us had a computer that just “wouldn’t listen to her.” When she “told” her computer to go to a website, it just went wherever it pleased, and she was “damned tired” of it acting like it’s “possessed.” And lest ye think that the Apple Store was full of damsels in distress on that very, very rainy day, there was a man behind me whose computer kept emailing people… but he couldn’t figure out how. When he searched, he couldn’t see or find the emails, and didn’t know how to make something that was invisible to him stop infecting the inboxes of his friends, colleagues and family. In the space of a half an hour, six more people around me were (very patiently, professionally and diligently) walked through the steps and given a few basic tools to help them solve security problems and avoid reintroducing them to their computers. Which got me thinking…
Far too often, security practitioners and technologists take the position of blaming users for security failures or thinking that users deserve all of the bad things that they might encounter out there on the web as a consequence of not knowing all of the ins and outs of technology. “People are the weakest link in security!” seems to be more of a comfortable excuse lean on than a rallying cry to actually do something to change the status quo. While we might be able to master protocols, grok complex technological concepts, and break whatever we feel like whenever we want… those skills and the highly specialized language surrounding them isolate us from the people we are defending.
(“Wait, what?! When we do this security stuff, we’re defending people?! People are SO dumb.” … Um, yes, what in the hell did you think you were doing when you took that security job?)
To date, billions of people have literally bought into the idea that their computers would change their lives (and sometimes they do), and we know quite a bit about how and why they interact the ways they do with technology. We know that no one has taken on the responsibility of truly educating most people about the risks that come with the very many rewards the internet has to offer. And then many of us fault them for not knowing things, especially the things that they had no way of knowing or learning about them whatsoever. But tell me…
When was the grandmother making a quilt for her granddaughter’s wedding supposed to learn basic online security principles? How should she have known where to find information that she didn’t know she needed to know?
When would a 75-year-old lady ever have learned that the machine she uses for knitting needs backing up? Who would have explained to her the value of her data?
How was the widow going to learn all of the ins and outs of technology when her husband was the one with years of tech experience?
How should little old ladies navigate operating system updates when the quilting software they use for sewing isn’t compatible with the latest, greatest and shiniest new thing out? (“Use better software” isn’t an option.)
Where would someone who had never before been exposed to an App Store ever learn about how any of those things work?
And how would someone whose use case of the internet never, ever gave them reason to think of malicious uses of the internet? How would anyone in this situation know to take proactive security measures against them?
At the end of the day, sitting around and speaking poorly of end users doesn’t help any of us fix the eleventy twelve billion problems at hand, and it doesn’t make end users smarter and wiser either. Neither does ignoring reliable data, psychology, science, usability studies, or the reality that we will need a multitude of tactics to truly get end users and technologists doing everything they can on both sides to help us take care of the web.
After spending days, months, years, and thousands of hours behind a computer, it’s sometimes hard to remember what it felt lie to sit in front of one of these things and have absolutely no fucking idea how it worked. It’s almost impossible to recall what it felt like to not know that there were so many things you didn’t know. Should we all have to be experts in every single detail of technology to be able to use it? No— and that’s just not going to happen given the ease with which anyone, even in developing countries, can gain access to the connected world. (And seriously, show me someone who is deserving of such a thing, an absolute and total expert in every technological capacity — I’ll wait.)
Staying holed off in our own little corner of the internet and fighting with each other about the most senseless of things isn’t helping us in any way, and yet some days it feels like we’re good at doing very little else than that. We complain that people are why security fails all of the time, but then forget that at the core, we’re people too and we are no better than anyone (everyone) else. When we ignore the facts of the situation— that the web is supposed to belong to everyone, not just the technological geniuses and cool kids who can hack this then whack that— and isolate ourselves from ever having to interact with people not like us, we fail everyone and we make our jobs much harder than they truly have to be.
But what do I know? I just went to the Apple Store to get my computer fixed one day. And now a bunch of people know that Taylor Swift and her squad are basically one badass hacking gang.
jessysaurusrex 
Great article. I see it all the time. I’m bombarded daily by posts about security and my absolute responsibility to spend a gazillion dollars every year on special hardware to protect my users’ names from being disclosed and exploited. But really, the greatest threat to our data and productivity is a small picture in Facebook with the caption: “This lady tried to make a quilt – you won’t believe what happened next!”.
When PCs first came out in the ’80s, we had pretty much the same situation. I was teaching people the easiest/best/safest way to do things on this new technology. All the while, bashing the software companies. I don’t know who they were hiring, but no one seemed to know what it was like to be an actual user.
Worst case story: A dentist I knew in the mid ’80s had to spend so much time tweaking his top-of-the-line software package that he didn’t have enough time left over to do the work of being a dentist. He actually lost his business trying to keep on top of software issues.
Best suggestion I have is to make computers/software like cars. You get in, you turn the switch, you go. You don’t have to know how the transmission works or have to repair one yourself. You don’t have to know how to shape a camshaft or set the timing. You just use it. I’ve campaigned for user-centric computing for decades and, here we are: still stuck in the same place. You are so right Jessy when you say most people making this stuff are stuck in their personal spaces, arguing with each other about meaningless (to users) things.
Awesome write up. I think we (techies) forget how confusing technology can be to those who are not involved in it daily. I have seen a lot of what you described, and always have to take a deep breath, slowed down and simplify things to non-technical people.
Oh wow! That quote from the widow was heart breaking! It made me think of my loved ones and how totally helpless they actually are when it comes to the subject of computer security. I often want to be mad at them for being ignorant about the topic, but this post really hit home and makes me want to do something to help people have an opportunity to become just a little more educated on the basic topic. Thanks for the story!
This resonated with me a lot, as I support end users in my work, and come across this sort of thing regularly. I have introduced people to use 1Password, which sometimes starts humorously “But I already use one password for everything”. For some with basic needs iCloud Keychain is helpful, but it’s too easy to wipe all the passwords when setting up new devices.
Anyway, I have a client who is 92 years old. She uses email and Google. Over the year she’s had various Windows PCs. When her last XP laptop died she was advised to buy a new laptop with Windows 7. For her very basic uses I would’ve suggested an iPad, some of her friends have them also. So things were going ok. She uses a cellular connection for Internet, prepaid data, expensive in Australia.
One day, I was contacted because everything has changed, her email had gone, Google didn’t work. Couldn’t open her files. Her games were gone. She didn’t remember approving anything, but this is what happened:
-Windows 10 automatically predownloaded itself, consumed all her cellular data “but I’ve paid till July!”
-Windows 10 installed itself, radically changing the UI from what she knew. (Better than Windows 8 though)
-Windows 10 doesn’t have drivers for her cellular USB modem, no internet, and data was used up anyway.
She initially called a neighbor to help who is “good with computers” and he tried Windows 10’s “Refresh PC” option which helpfully is labeled “you won’t lose your files or apps, just your programs” or similar. This process:
-Removed the Rollback to Win7 option
-Removed Office 2013 disc version (my files won’t open)
-Removed Windows Live email client (emails are gone)
And did not fix the internet issues, obviously.
Windows 10 also removes the card games that Windows always shipped with, which she liked.
So all she had was a blank desktop, with a word file with her will, and an excel file with funeral plans, neither of which would open.
I backed up all her data (under 400MB including photos!) and wiped and reloaded 7 and everything, all the updates, disabled win10 update, reloaded office and live mail, imported her old POP email, not on the server, and got things back to how they were.
But the experience was horrible for her and she was quite downcast by it all and very very angry at Microsoft for forcing it (Win10) on her. “It’s just not right!”
My work is all Mac. Our home is all Mac. But I do help people with Windows also.
What amazes me though, even at 92, is she new her POP email a password which was an 8 letter mixed case randomized xN3jLWs8 style password, off by heart, and told it to me verbally when I asked, despite not using webmail and it being saved in her mail client.
This really hit home. I will admit I use the term “end users are stupid” all the time. This actually makes me rethink that statement because most of the time I say it in context of employees thinking they should know better. However, why should they? The best Security Warners programs still can’t cover everything. There are some aspects of skepticism that’s innate in Security Professionals that causes us to question certain things which help keep us out of harms way. And for geeks, the pure curiosity of technology tend to allow them to navigate around some of the pitfalls. However, the average person may not have these traits and could easily fall for what we sometimes feel as obvious scams. Thank you for this post. I am changed after it and may actually give a presentation at an upcoming conference about it with credit to your article.