Security and usability [Mar. 21st, 2005|04:19 am]
Arvind Narayanan

Security and usability of software are inherently conflicting goals. If you improve one you must necessarily compromise on the other. A great deal of the difference between Windows and Linux can be explained by differing design choices in terms of the security-usability balance.

But there is such a thing as going too far. Look at this error dialog in nautilus:

Bad error dialog


It is a disaster from a usability perspective.
  • First, the text is far too long. Users simply don't read text in dialog boxes more than a sentence long, and even that is doubtful. Joel of Joel on Software once wrote about his experiences getting support calls about a dialog box, because users wouldn't read the text in it. The text was 11 words long. In the next version they shortened it to two words. That might have been an extreme case, but it illustrates my point that this dialog is ridiculously verbose.
  • The title is wrong. "Cannot open" is too generic. The problem is that the second time I get this dialog, I have to read the text again to see why the file can't be opened. If the title is more specific I would have to read only the title, and I know what it's talking about because I've encountered the problem before.
  • If you're putting in a "feature" like this that has the potential to be extremely annoying (and it is for me. I run into it all the time), then you'd better be sure to get it right. In particular, nautilus should know that plain text files are not executable and should let me open the file.
  • Why should I have to manually rename it? I mean, computers exist to automate things. The intention was probably to "protect the user from their own stupidity", but IMHO this is an improper application of that principle. Gnome's focus on usability necessitates relaxing the traditional Unix stance of security paranoia, so get with the program!
  • And what's with 'the correct extension for "plain text document"'? The user has to know all about extensions? If this is some kind of joke, it's not funny. I really hope it was because someone was too lazy to do a lookup on the file type, and not because they thought a user deserved to view the file only if they were smart enough to know what the file type was, because that's elitism of the absolute worst kind.
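As an added example (my code, not Nautilus code and not the logic behind the dialog above), here is the check done the way the bullets argue for, in Python. The name-derived type comes from Python's mimetypes table; the content sniffer is a toy stand-in for libmagic that knows only the executable formats needed to make the point; the sample files are constructed. A mismatch only matters when the name claims a harmless document type over bytes that can run. Plain text opens whatever its extension, and the user is never told to rename anything; that is the file manager's job.

```python
"""Extension-vs-content check for a file manager, done the way the post asks.

Illustrative code added to this page, not Nautilus code and not the logic
behind the dialog shown above. The name-based type comes from Python's
mimetypes table; the content sniffer is a toy stand-in for libmagic that
recognises only the executable formats needed to make the point.
"""
import mimetypes
from dataclasses import dataclass
from typing import Dict, Optional

# Content that can run code. Our own labels (assumption), chosen to match what
# mimetypes usually reports for the corresponding extensions.
EXECUTABLE_TYPES = {
    "application/x-executable",   # ELF
    "application/x-dosexec",      # PE / MZ
    "application/x-shellscript",  # has a #! line
    "application/x-sh",           # what mimetypes calls a .sh file
}


def sniff_content_type(data: bytes) -> str:
    """Classify the bytes; the file name plays no part here."""
    head = data[:512]
    if head.startswith(b"\x7fELF"):
        return "application/x-executable"
    if head.startswith(b"MZ"):   # toy check; a real sniffer verifies the PE header
        return "application/x-dosexec"
    if head.startswith(b"#!"):
        return "application/x-shellscript"
    if b"\x00" in head:
        return "application/octet-stream"
    # Text if the window decodes as UTF-8. A multibyte character cut by the
    # 512-byte window must not turn a text file into "binary".
    slack = 3 if len(data) > len(head) else 0
    for cut in range(slack + 1):
        try:
            head[:len(head) - cut].decode("utf-8")
            return "text/plain"
        except UnicodeDecodeError:
            continue
    return "application/octet-stream"


def type_from_name(name: str) -> Optional[str]:
    """What the name claims, or None when the extension is unknown."""
    claimed, _ = mimetypes.guess_type(name, strict=False)
    return claimed


@dataclass(frozen=True)
class Decision:
    action: str   # "open" or "warn"
    reason: str


def decide_open(name: str, data: bytes) -> Decision:
    """Interrupt the user only for a disguise: a name that claims a harmless
    document type over bytes that can execute. Plain text can never run, so
    any mismatch involving it (a .log the table has never heard of, text saved
    as .pdf) just opens. Nobody is told to rename anything."""
    claimed = type_from_name(name)
    actual = sniff_content_type(data)
    if actual == "text/plain":
        return Decision("open", "plain text; nothing here can execute")
    if actual in EXECUTABLE_TYPES:
        if claimed is None or claimed in EXECUTABLE_TYPES:
            return Decision("open", f"{actual}, and named as one; usual executable handling")
        return Decision("warn", f"named as {claimed} but contains {actual}; possible disguise")
    return Decision("open", f"{actual}; no executable content detected")


# Constructed sample files (names and bytes made up for this example).
SAMPLES: Dict[str, bytes] = {
    "messages.log": b"Mar 21 04:19:01 host kernel: usb 1-1: new device\n",
    "notes.txt": "Security and usability don't mix\n".encode("utf-8"),
    "report.pdf": b"some notes that were saved with the wrong extension\n",
    "invoice.txt": b"\x7fELF\x02\x01\x01" + b"\x00" * 57,   # ELF header disguised as text
    "backup.sh": b"#!/bin/sh\necho backing up\n",
}


def review(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Run the policy over every sample; returns name -> action."""
    return {name: decide_open(name, data).action for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        d = decide_open(name, data)
        print(f"{name:14} {d.action:5} {d.reason}")
```

Only invoice.txt, an ELF header wearing a text extension, draws a warning; the .log file with an extension the table may not know, and the text file saved as .pdf, open without a dialog because their contents cannot execute. The one dialog that survives can then carry a specific title, since it only ever means one thing.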

A somewhat improved dialog would be:



OK, my glade skills suck, and the More Info button should probably be moved to the bottom left, but you get the idea.

On a related note, the security-usability tension was pointed out way back in the late 60s/early 70s by Saltzer, one of the Multics people, in more than one influential paper (it survives as the "psychological acceptability" principle in Saltzer and Schroeder's 1975 survey of protection mechanisms). You'd think that 30 years was enough time for this to sink into people's heads. Microsoft has always understood this; for instance an analysis of the leaked Windows 2000 source code on Kuro5hin (K5) came to the conclusion that the code was in general of excellent quality; most of the kludges which led to security holes were caused by the goal of maintaining backward compatibility (which is IMHO much more important to the desktop market than security).

The open source community has had some trouble understanding this. Sadly, some have even deluded themselves into believing that security and usability go hand in hand. Oil and water don't mix. Science and religion don't mix. Security and usability don't mix. Delusions are bad for you.

Of course, a large part, perhaps a majority, of the world's security holes come from implementation bugs rather than design flaws, and therefore have nothing to do with usability.

If you've read this far... there's a community called gnome_users, you might want to join it.

Comments:
From: seedar
2005-03-21 07:22 am (UTC)
guess .. you should use lj-cut here
From: arvindn
2005-03-21 03:16 pm (UTC)
Dude, it's my own blog. It's not like I'm spamming anyone. If you don't like it you're free to not read it.
From: seedar
2005-03-21 06:40 pm (UTC)
Bah! You know I posted that only as a suggestion.
From: haran
2005-03-21 09:38 am (UTC)

Questions

a) People use Nautilus to open files!?
b) What security risk could there possibly be in opening Log files?