Ask HN: Why do people just not bother about security?

25 points by quilombodigital over 6 years ago

In my life I've always been involved with free software, patent and copyright law fights, and most of the time with anonymity and privacy issues.

I just can't understand why people don't give importance to digital security.

I am baffled one project like SOLO (https://www.kickstarter.com/projects/conorpatrick/solo-the-first-open-source-fido2-security-key-usb) is selling so little. 2.300 backers is ridiculous considering the world size. This is not an advertisement, since I don't even know the authors, but I follow them since the u2fzero project.

About 15 years ago I was sending my emails with public key privacy, using smartcards, encrypting hard drives, and after all this time, people are willing to just trust blindly the machine OS, the telecom companies and governments. All I know is that for cars people have lojack, for houses and babies they have cameras, for bikes they have locks, and for computers.... they have nothing.

I just thought that having a simple physical key like SOLO would be the breakthrough barrier for adoption, but I can only feel they just don't care. Am I wrong?

11 comments

drstewart over 6 years ago

> In my life I've always been involved with free software, patent and copyright law fights

In some sense, you're probably living in a bit of a bubble because this is a topic that you're passionate about.

I don't necessarily mean this in a bad way. For example, my partner spends her free time involved with animal welfare, recycling, composting, minimalism, zero waste fights. She'd probably wonder why you don't care about these topics -- yet I'm sure YOU wouldn't say you don't care about them, but you probably don't have the same level of passion she does.

To her, using a physical key isn't necessary to have good security. Passwords are "good enough". To you, buying bamboo toothbrushes is probably not necessary to minimize waste. Recycling cardboard boxes is "good enough".

That doesn't mean anyone is necessarily wrong, you just have different sets of priorities.

anonunt over 6 years ago

IMHO it's because they are quite accurately measuring the value of investing the time.

What is the likely damage? - if your photos etc. are backed up then most people (as in most of 7 billion) can get new system up and running in probably less than 100th of the time it would take them to even begin to understand how to secure their system / accounts.

Secondly what are the chances of your security efforts actually making a difference? very very very low I would have thought.. you are either a low value target or you need to be an absolute expert to do anything about it.

It's a bit like locking your front door or car.. we like to kid ourselves that it is what is making a difference whereas what is really important is that most people are actually not evil and don't mean you any harm. in reality both can be broken into in seconds with the most rudimentary of tools.

Hacks seem to be in the categories of:

- Mass data collection to find nudes etc. (you need to have something to hide to make this an issue)
- Mass data collection to sell your data (this is being done anyway legally in broad daylight by google et al)
- You have something of value (you need to hire a security team to have any real hope of defending this)

If any form of mass hack really became an issue it would be an issue for millions to billions of people, so in all likelihood it would be a world changing event for everyone if there was an issue (regardless of if they were specifically the victim or not). not to mention how much of your data will be leaked through other people's insecurity anyways.

I think more of the issue is actually the developers and the people selling software being so desperate to make money or show off they have pushed the world forward so fast that for most (all?) people being up to date with technology and secure is an either or situation never a both.

Also the general public don't believe how little major services have thought about the security implications of what they do.. this erodes their motivation in two ways: if the zuck himself cannot get security right how can I and there is no way that these companies would suggest I do something or offer a service that was inherently insecure.

so a lot of random thoughts there.. but overall I would say: it takes time and those in tech need to take it more seriously first.

laurentl over 6 years ago

No, you’re not wrong.

People don’t care. They don’t even know that they should care. People have no clue how their PC or smartphone or internet access work. They don’t know what a hard drive is, they don’t know what encryption does, and their brain will explode if you try to explain what a MITM attack is. They just know that they had to return to the store last time they forgot their password so the geek with the “Apple Genius” T-shirt could reset it for them. So now it’s set to the kid’s birthdate. Because they don’t know how any of that stuff works, they have no choice but to trust the closest thing they have to an authority on the subject: their ISP, the guys who make their smartphone or their bank’s website, that salesperson at Best Buy who told them to install an antivirus.

Security is hard. Remembering passwords is complicated, picking good passwords is near impossible if you don’t have a tool to do it for you, and remembering *those* passwords is impossible. 2FA is a pain to set up even if you know what you’re doing, and don’t even get me started on configuring “advanced” options (in which I bundle Fido2 / U2F for the foreseeable future). And recovery keys you’re supposed to print out and store in a safe, seriously?

Data is intangible. Contrary to a car theft or a house break-in, people struggle to assign a value to data loss or theft. Hell, I work in IT and I couldn’t begin to estimate the prejudice if someone were to gain access to my personal data. LoJacks and baby monitors help secure something that people can place a value on. What’s the value of my holiday pics?

Because of all this, security doesn’t sell. So companies have no incentive to invest in security, so security remains complicated and rare, so nobody gets to use good security and find out that it has a value, so security doesn’t sell.

I can’t even say that it will get better over time, as the young generations were raised to hand over control of their digital lives to corporate data harvesters.

Sorry for the bleakness of this post, but I’ve chosen to be jaded rather than depressed.

ecesena over 6 years ago

Thank you for this, I'm one of the creators of Solo.

BTW, to add to your point, a couple interesting numbers.

1) Search "login" on Kickstarter [1]. All 22 campaigns from 2011 to 2018 have failed!

2) Search "security" [2], and the most backed project doesn't even reach 10k people.

It's indeed a really hard space.

If I can criticize our community of technical people, we're not really inviting "normal people" to join. Some of my friends tried to read throughout the comments, only found technical details or complaints, and simply gave up and left. I'm sure many potential backers do the same. It'd just take the effort to go to github, nerd about whatever we like there, and leave the Kickstarter cleaner for regular people to participate. It is what it is, of course we're more than happy with the result so far. Lesson learned for the next one. :)

[1] https://www.kickstarter.com/discover/advanced?term=login&sort=magic

[2] https://www.kickstarter.com/discover/advanced?term=security&category_id=16&sort=most_backed

Edit: grammar

cmurf over 6 years ago

Re: Solo, it was funded in 20 minutes. It's entirely plausible a lot of people are going to play wait and see, and get one only once they start shipping. Also, there are available competing products, and openness is just one possible path to trust.

Further, it's completely non-obvious to 99+% how to use a hardware key, let alone why they should. 1% who get it, might even be generous. And then, quite a lot of people have devices that can't use hardware keys, or shouldn't. I have any number of clumsy friends who shouldn't have something like a hardware key sticking out of their laptop at all hours of the day: I call it, inevitability.

Someone using a hardware key, probably uses random passphrases for each of their online services, stuffed into a password manager. Ergo they aren't low hanging fruit even without a hardware key. How much safer is someone who uses push authentication as their second factor, switching to a hardware key?

Anyway, a big part of what I think you're getting at is ordinary people lack the imagination of the risk they're taking; but then there's symmetry here because you lack the imagination that they have so little of it themselves.

quickthrower2 over 6 years ago

People trust (wisely or not) in the big companies Google etc. to do the right thing. That's because they have other priorities in their life, and limited head space. They need to be convinced this is an issue. I am not even convinced it is the most pressing issue for me, and I am a techie. I do minimal stuff (password managers, 2FA, try to avoid sending stuff by email) but I'm not going to start buying keys off Kickstarter.

The only exception is a small amount of Crypto which I have been a bit more paranoid about (see money is at stake so I care a bit more!), for example I have the myetherwallet source and run it locally instead of using the site as that is a very attractive honeypot. I could get f'd using the source but it is less likely. I check for recent dodgy looking commits and check the news.

Not saying I am right but just sharing my point of view.

tinktank over 6 years ago

Because for "normal" (non-technical people) security is:

- Hard
- Tedious
- Error prone
- Difficult to understand
- Annoying

Most people have a rough enough time using their technology to understand security, and even when they do, it's a tradeoff between usability and security. I also think that people feel they are "secure" as long as they have a password and possibly a virus scanner.

twunde over 6 years ago

Actually if you think about it, computers already have a security response. Anti-virus to protect them from malware and find my computer/tablet/phone to protect against theft. These protect against the most common security attacks, that the average user experiences.

cm2012 over 6 years ago

People passionate about security are also equally passionate about disliking marketing, so that may be a factor in its lack of popularity!

anigbrowl over 6 years ago

Because you can't see an attack happening so it's too hard for most people to use their imagination constantly. Fire, water, someone punching you in the face, those are real things. Someone defeating your firewall and engineering your password to decrypt some of that beautiful data which you should have salted but didn't cause you couldn't pick the right flavor...that's too many layers of abstraction.

I think and practice security but realistically I know I have a much bigger attack surface than I ought to because I just can't be bothered to run around chasing after every possible vulnerability. Frankly, it's too much work.

If bad actors get access to your computer, the downside risk is potentially huge, and you might think that would incentivize people to spend more time and effort on security. But security isn't productive or consumptive, it's reactive and people don't want to be in a constant state of anxiety.

*for cars people have lojack, for houses and babies they have cameras, for bikes they have locks, and for computers.... they have nothing*

All the other things you mention are easy, install/purchase once and then they mostly just work* with minimal overhead. I totally agree with you about the value of something like the SOLO but that's subject to a few problems; physical connectors are different on different devices, the easier it is to use the easier others can use it or force/trick you into unlocking your stuff, and most people don't have the time or know-how to assess the open source stack and verify the truth of its security. I have been interested in encryption technology for 25 years and am moderately knowledgeable about it but when I OK the latest update to Signal or an operating system I'm basically doing so on faith.

\* Cameras are in-between security tools. They can help you but also be used against you as part of an oppressive surveillance society or actually create the incentive for people to come after your data. I've had police come to my door before asking to see my camera footage to identify suspects in a crime that happened near my property. I declined but most people do whatever they're asked without thinking much about the consequences.

To improve security, don't get into an unwinnable arms race about who can design the best lock. Make better tools for system administration that quickly and intuitively represent activity patterns so that people can notice unusual modes of access. Do so without interrupting people to death - you don't judge the health of a tree by counting the leaves, and if the leaves of a tree show signs of poor health you don't catalogue and measure them unless you're a biologist.

We need much better *representations* of what is going on inside computers and how data is flowing. Right now if I want to know what's happening on my TCP ports I get a *list* of processes and ports which I need to either monitor until I get square eyes or automate triggers on. Could you imagine telling people that the first step in dealing with a pest infestation was to make a list of every lifeform in a house and then filter that for ants or mice? Ridiculous. Why aren't there graphical traffic/packet monitors that make the backend of my network stack look like a videogame that I could actually get interested in and enjoy playing? Right now for security tools 'graphical' generally means it has a GUI and maybe a bar chart or cuddly icons - if you're lucky. Real time animations of data flow don't exist outside of movies, despite the fact that almost every computer has a decent GPU and there are fantastic free and sometimes open videogame stacks available.

People will get engaged on security when they can see what's going on, and by that I mean seeing things represented in a 2d or 3d virtual environment that doesn't require deep forensic knowledge to interpret and interact with - like a videogame. You don't need to write code to pick up, enjoy, or even be great at a videogame, although it might get you interested in code or coding ability may help. And I don't mean some stupid game like picking out which tiles show vehicles in a captcha, but a responsive environment whose parameters are mapped onto system internals in a way that makes it easy to notice intrusions and disruptions without necessarily understanding them fully.

psionan over 6 years ago

My personal take: most people seem to have a password for their PC, then backup files if they’re smart.

Why encrypt? That’s a good discussion to have with people. Need to take it one step at a time.

Also does a cellphone require all the stuff you mentioned? No, it doesn’t. Maybe PCs are the problem?