Are Usability and Security Two Opposite Directions in Computer Systems?

Konstantin Rozinov
krozinov@gmail.com
Department of Computer and Information Science
Polytechnic University
Brooklyn, NY 11201

Abstract

Instinct tells us that computer security and computer usability are inversely proportional to each other: the tougher and stricter the security, the less usable the system, and vice versa. However, there have been plenty of cases where computer security and computer usability went hand in hand and actually improved together. In the last few years security has been the biggest buzzword in computer systems and has become a required part of them. Before that, computer systems were all about getting the job done faster and easier; now they must also do it securely. Can the two continue growing together? We believe they can, as evidenced by the most recent Indian Assembly Election.

1. Introduction

The question of whether usability and security are two opposite directions in computer systems is not a trivial one to answer. It requires careful analysis rather than a reflexive yes or no. The question has been around since the beginning of computing, and can even be said to date back to biblical times [1]. In this essay we analyze the question by defining usability and security in Section 2, giving examples of where the two have been at odds with each other in Section 3 and where they have complemented each other in Section 4. In Section 5, we present our conclusions.

2. Background Information

In order to begin to answer this question, it is important to first define the terms computer security and computer usability so that we know exactly what each refers to and there is no ambiguity. Clear definitions also make it easier to recognize when the two ideas are at odds with each other and when they supplement each other.

What is computer security?
This seemingly simple question is extremely difficult to answer in a concise and all-encompassing manner. Depending on whom you ask, you will get different answers. If you ask one end user, you may hear something like "computer security is me being able to buy books on Amazon.com without worrying that my credit card number will be stolen." Another end user may say "computer security is me being able to read my email without getting a virus." A developer may say "computer security revolves around developing robust applications from the ground up, with no bugs (buffer overflows, off-by-one errors, format string vulnerabilities, etc.) and a well-tested and safe design." A system administrator may say "computer security is having only the necessary services running, the system patches up to date, and file permissions set up correctly." And a network administrator may say something else again, such as "computer security starts at the perimeter of the network, with the firewalls, proxies, and routers properly configured to allow only certain things in." This list can go on and on. As you can see, the term "computer security" has vastly different meanings depending on whom you ask.
For the purpose of this essay, however, we can succinctly define computer security as follows:

Computer security is defined as technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system. [2]

Matt Bishop, a well-respected computer science professor at UC Davis, agrees, stating that "computer security rests upon confidentiality, integrity, and availability." He goes on to define confidentiality as "the concealment of information or resources," integrity as the "trustworthiness of data or resources," and availability as "the ability to use the information or resource desired." [3]

Now that we have defined computer security, let us define computer usability. Most people know when something is user-friendly, and thus easy to use, and when it is not. This can range from an easy-to-use graphical user interface (GUI) to an ergonomically shaped mouse and keyboard. It can also mean easy and quick access to relevant information (e.g. an old e-mail) or just a simple interface with a small learning curve (e.g. a simple PDA interface). All of these are part of computer usability. However, for the purpose of this essay, let us formally define computer usability as follows:

Usability is the measure of the quality of a user's experience when interacting with a product or system - whether a Web site, a software application, mobile technology, or any user-operated device. Usability is a combination of factors that affect the user's experience with the product or system, including ease of learning, efficiency of use, memorability, error frequency and severity, and subjective satisfaction. [4]

A highly usable system is therefore one that is easy to learn, easy to use, easy to remember how to use, easy to recover from errors in, and liked by its users. At this point we have a clear understanding of what computer security and computer usability are.

3. Examples of How Security and Usability Are Inversely Proportional

It has often been said that "security and usability are often inversely proportional." [5] In other words, the more security you add to a system, the less usable it becomes, and vice versa. Let us take a look at several examples of this.

First, let us look at P2P networks and search engines. The advent of peer-to-peer (P2P) networks has improved usability, specifically in how easily people share and acquire data (simply connect and type in what you are looking for). At the same time, the (lack of) security in these applications has made the security of the host computer virtually non-existent. Many users of P2P networks do not know that they are sharing far more than they intended, often their entire drive, and with it a lot of private personal information: everything from credit card numbers and family photos to bank records and personal letters can be, and has been, unintentionally shared through P2P networks [6]. You can say goodbye to the confidentiality of your data if you configure your P2P software incorrectly.

Search engines such as Google behave similarly: even supposedly "hidden" private and personal sites and files on the web are gobbled up by their spiders and cached for easy reference. For example, simply typing the search term "# FrontPage-" inurl:service.pwd [7] into Google returns many password files. Unless the owner proactively protects the data (by requiring authentication, or by keeping the files off the web server entirely), nothing can be assumed safe and "hidden" from a search engine. Note that a robots.txt file only asks well-behaved crawlers to stay away; it is not an access control, and the paths it lists are themselves a map of what the site owner would rather nobody found.

Now let us take a look at basic UNIX file permissions. Say we have an Apache web server running on a UNIX box. In a typical installation of the time, Apache runs as the user nobody and the group nobody, and thus has limited access to files. Now suppose a web form served by this Apache web server stores the user's input in a file.
In this particular case, the rules stipulate that all the data in this file must be kept confidential and pristine from everyone except the intended parties, so security must be in place to provide the confidentiality and integrity of this data. One simple way to achieve this is with UNIX file permissions. First we make the file owned by the user nobody (so that Apache can read and write it). Then we change the permissions of the file so that it is readable and writable only by the user nobody:

-rw------- 1 nobody nobody 1242 Aug 14 01:56 data.txt

The confidentiality and integrity of the file are now enforced: only root and processes running as nobody (i.e. Apache) can access it, since normal users do not share the uid of nobody. But how does this affect usability? If a webmaster (user: webmaster) needs to read or modify this file, he/she simply cannot. The webmaster would first have to elevate his/her privileges to root or to nobody (the nobody account normally has no usable password, so in practice this means the root password, and possibly membership in the wheel group), and only then could he/she read and write the file. This is an inconvenience, and it makes the system harder to use and harder to remember how to use. The usual discretionary compromise, a shared group with mode 0660, works but is coarse: every member of that group can now write the file, and nothing stops them from touching any other file that group owns. In addition, when the webmaster elevates his/her privileges, the password may be "sniffed" if a clear-text protocol such as telnet is being used to connect to the system, so the workaround itself creates a security threat.

This leads us to our next example, the use of telnet. Most UNIX and Windows systems of the day ship with a telnet client pre-installed, which adds to convenience and usability because an administrator or user can remotely access other systems out of the box. But it throws security out the window. Telnet is a clear-text protocol: a sniffer such as tcpdump, or an IDS such as Snort, can read and understand all of the traffic passing between the two systems. Any information, including user logins and passwords, can be intercepted and viewed.
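To make the sniffing threat concrete, here is an added example (not code from the original essay) that reassembles one telnet login from captured TCP segments and pulls out the username and password, which is what a sniffer's credential-capture module does. The capture is constructed by hand to mimic a real session: the server negotiates options, sends the login and password prompts, echoes the username but not the password, and the client sends one keystroke per segment. The hostname, account and password are invented.

```python
"""Telnet credential extraction from a captured session.

Added example for the telnet discussion above; it is not code from the
original essay. The packet list is constructed by hand to look like what
tcpdump would show for one login; the host, user and password are made up.
"""
from typing import Iterable, List, Optional, Tuple

# RFC 854 telnet command bytes
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation (IAC sequences) and keep only user data."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                   # IAC cut off at segment end
        elif data[i + 1] == IAC:
            out.append(IAC)                         # IAC IAC escapes a literal 0xFF
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                  # IAC <cmd> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2   # skip the whole subnegotiation
        else:
            i += 2                                  # any other two-byte command
    return bytes(out)


def extract_credentials(packets: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Walk (direction, payload) pairs in capture order and return (user, password)
    pairs. Direction is 'S' for server->client and 'C' for client->server.
    A server line ending in 'login:' or 'password:' opens a field; the client
    bytes that follow, up to CR or LF, are that field. Echoed characters travel
    server->client and are ignored, so the password (never echoed) comes out
    exactly as typed."""
    creds: List[Tuple[str, str]] = []
    state: Optional[str] = None                     # None, 'user' or 'pass'
    field = bytearray()
    user = ""
    for direction, payload in packets:
        data = strip_iac(payload)
        if direction == "S":
            prompt = data.lower().rstrip()
            if prompt.endswith(b"login:"):
                state, field = "user", bytearray()
            elif prompt.endswith(b"password:"):
                state, field = "pass", bytearray()
            continue
        if state is None:
            continue
        for b in data:
            if b in (0x0D, 0x0A):                    # CR/LF ends the typed field
                if state == "user":
                    user = field.decode(errors="replace")
                else:
                    creds.append((user, field.decode(errors="replace")))
                state = None
                break
            if b in (0x08, 0x7F):                    # backspace/DEL: the user corrected a typo
                if field:
                    field.pop()
            else:
                field.append(b)
    return creds


def typed(text: str, echo: bool) -> List[Tuple[str, bytes]]:
    """Telnet clients send one character per segment and the server echoes
    usernames but not passwords; build that pattern for the sample capture."""
    pkts: List[Tuple[str, bytes]] = []
    for ch in text:
        pkts.append(("C", ch.encode()))
        if echo:
            pkts.append(("S", ch.encode()))
    pkts.append(("C", b"\r\n"))
    return pkts


# Constructed capture of one login (not a real trace): option negotiation,
# the login and password prompts, and the shell prompt after success.
CAPTURE: List[Tuple[str, bytes]] = (
    [("S", bytes([IAC, DO, 0x18, IAC, WILL, 0x01])),   # DO TERMINAL-TYPE, WILL ECHO
     ("C", bytes([IAC, WONT, 0x18, IAC, DO, 0x01])),
     ("S", b"\r\nRed Hat Linux release 9\r\nlogin: ")]
    + typed("webmaster", echo=True)
    + [("S", b"\r\nPassword: ")]
    + typed("s3cret!", echo=False)
    + [("S", b"\r\nLast login: Mon Aug 14 01:56:02 on pts/0\r\n$ ")]
)

if __name__ == "__main__":
    for user, password in extract_credentials(CAPTURE):
        print(f"telnet login sniffed: user={user!r} password={password!r}")
```

The same logic run over an SSH session finds nothing, because after the key exchange the prompts and keystrokes are ciphertext; that is the property SSH buys at the cost of the setup steps the essay goes on to describe.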
Thus none of the three aspects of computer security (confidentiality, integrity, and availability) is protected in this case: once the login information is known, all of the user's files can be viewed, modified or deleted, affecting confidentiality, integrity and availability in turn. To counter this threat, many administrators and users now use SSH, which serves the same purpose as telnet but encrypts everything sent between the two systems. However, to use SSH you must first download it, install it, configure it, learn how to use it, and remember to use it (the hardest part for most users). This detracts considerably from the usability of the system, even as it adds security.

Another example is macros in Microsoft Office documents. Macros are small programs embedded inside documents and used to automate frequent tasks. Ideally they enhance the user experience and provide better usability. In the past, macros often ran automatically when a document was opened, and initially this proved to be a very convenient and usable feature. With time, however, macro viruses began to appear in the wild. These were nothing more than macros that spread automatically and/or did something malicious. Since macros could execute automatically when a document was opened, these viruses spread quickly and caused a lot of damage. To mitigate this threat, Microsoft updated its software to present a dialog box asking the user whether to enable or disable macros for a particular document. Most users had no idea what macros were and did not understand the ramifications of executing them. They were confused and discouraged by these prompts, or worse, made incorrect decisions, and productivity went down. The complexity of this security measure reduced the usability of the product.

Our next example deals with passwords.
Wouldn't it be nice not to have to remember passwords but still be assured of the security of the system and the data on it? That would definitely improve usability, since users would never have to remember their passwords. That is why developers started working on Passfaces, or visual passwords. Instead of remembering letters, numbers, and special characters, users would have to remember faces or other images (since people seem to remember faces and images better than strings like #$Fl0r^d@). The goal was for security to stay the same (or even improve) while usability went up. However, a field study by the Computer Science Department of University College London found the opposite to be true:

On the computer facilities regularly chosen by participants to log in, Passfaces took a long time to execute. Participants consequently started their work later when using Passfaces than when using passwords, and logged into the system less often. The results emphasize the importance of evaluating the usability of security mechanisms in field trials. [8]

4. Examples of How Security and Usability Go Hand In Hand

To see how computer security and computer usability can complement each other in a system, let us take a look at Microsoft's Xbox gaming system and Xbox Live online service. The Xbox is nothing more than a computer system with special video and network enhancements to make it more game-friendly. Xbox Live is Microsoft's online service that allows Xbox gamers to play against each other. Recently, the Xbox Live team discovered that, due to security breaches, modified Xbox consoles were connecting to the service and allowing players to cheat. It is best to quote Major Nelson, Director of Programming for Xbox, on this discovery:

The Xbox Live team has noticed and received reports from the Xbox Live community about users connecting to the Xbox Live service using modified Xbox consoles.
In most cases, these users have used the modifications to gain an unfair advantage over other players, such as racing modified, faster cars in Project Gotham Racing 2. By doing this, users are breaking the Terms of Use that must be agreed to when a gamertag is created. The Xbox Live team will not tolerate this unfair activity and have taken steps to protect our community from this cheating. Xbox Live has recently initiated additional security measures to ensure that those connecting to Xbox Live with modified hardware will be removed from the system. Modified consoles will be banned, and information about those banned machines will be tracked to prevent them from connecting to the service again. It's important to the Xbox Live team that we work to provide an environment that is free of cheating and gives all players an opportunity to compete fairly online, and that's why I wanted to ensure that the community knows this. Xbox Live constantly monitors for users attempting to bypass security measures and gain unfair advantages over other players, and will take additional action as needed. [9]

So with newly added security mechanisms and policies, the Xbox Live service increased its usability by preventing cheating. Specifically, usability improved in the sense of our definition: gamers were given a level playing field, and the trustworthiness of the service and user satisfaction increased. (The console is hardware the cheater physically controls, so server-side detection of modified machines is a deterrent that has to keep evolving rather than a guarantee; the quotation's "will take additional action as needed" acknowledges as much.)

The rapid growth of the personal firewall industry is evidence that people are becoming more security-conscious and aware of the threats. We believe personal firewalls have improved the usability of computer and software systems immensely. Initially there may be a small learning curve in acquiring, installing, and configuring the personal firewall, but that is the same with any new product. Today's personal firewalls are very easy to use and come with good manuals and tutorials on how to configure them correctly, so their effectiveness is only growing.
In addition, the default settings of most of these products start the firewall at boot time (and with Service Pack 2 for Windows XP, the built-in firewall is turned on by default). Before personal firewalls, users and administrators were never really sure whether covert network connections were coming into or going out of the computer, or which applications were accessing the Internet without their permission. Both the security of the computer system and its usability suffered. You could never really tell whether a malicious program on your computer was sending your personal files to someone on the other side of the world, so confidentiality could be compromised without your ever knowing. Similarly, you could never be sure whether a program was listening and waiting to upload something onto your computer, violating the integrity of your system. Availability could also be diminished, since an attacker could use your machine as a staging point for a DDoS (Distributed Denial of Service) attack, flooding another host with packets and effectively preventing legitimate connections.

Now a user has much greater control over which ports are open, which applications can access the network, which applications can accept connections from the network, and even which users or hosts can access the network. In terms of usability, the administrator is more satisfied because he/she has more control over the system, worries less about unexpected connections, and does not have to remember to activate the firewall, since it is always on. This directly improves the usability of applications and systems, and the user feels more comfortable using them. At the same time, security has been improved because the user has much greater control over his/her applications and systems. One caveat a practitioner should keep in mind: a host firewall runs on the same machine as the malware it is meant to catch, so code that already runs with administrative privileges can disable or bypass it; the control it gives is over well-behaved and unprivileged programs.
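As an added example (not code from the essay or from any firewall vendor), the following models the decision a personal firewall makes for each connection attempt: per-application rules, first match wins, inbound dropped unless explicitly allowed, and an outbound attempt by a program the policy does not know escalated to the user, which is how the "unexpected connection" of the paragraph above becomes visible. The rule semantics are a simplified model of how firewalls of the period behaved; the program names, ports and addresses are made up.

```python
"""Personal-firewall policy evaluation over sample connection events.

Added example for the personal-firewall discussion above; it is not code from
the essay or from any firewall product. Rule semantics (first match wins,
inbound denied unless allowed, outbound from an unknown program asks the
user) are a simplified model of the personal firewalls of the time; the
program names, ports and addresses are invented.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    app: str                  # executable name, or '*' for any program
    direction: str            # 'in' (someone connects to us) or 'out'
    proto: str                # 'tcp' or 'udp'
    port: Optional[int]       # local port for 'in', remote port for 'out'; None = any
    peer: str = "0.0.0.0/0"   # remote network the rule applies to
    action: str = "allow"     # 'allow' or 'deny'


@dataclass(frozen=True)
class Conn:
    app: str
    direction: str
    proto: str
    port: int
    peer: str                 # remote address


# Example policy: browser and mail client may go out on their usual ports,
# any program may resolve names, the LAN may reach the file-sharing port,
# and everything else inbound is explicitly dropped.
POLICY: List[Rule] = [
    Rule("firefox.exe", "out", "tcp", 80),
    Rule("firefox.exe", "out", "tcp", 443),
    Rule("outlook.exe", "out", "tcp", 25),
    Rule("outlook.exe", "out", "tcp", 110),
    Rule("*", "out", "udp", 53),
    Rule("*", "in", "tcp", 445, peer="192.168.1.0/24"),
    Rule("*", "in", "tcp", None, action="deny"),
]


def matches(rule: Rule, conn: Conn) -> bool:
    return (rule.app in ("*", conn.app)
            and rule.direction == conn.direction
            and rule.proto == conn.proto
            and (rule.port is None or rule.port == conn.port)
            and ip_address(conn.peer) in ip_network(rule.peer))


def decide(policy: List[Rule], conn: Conn) -> str:
    """First matching rule wins. With no match, inbound is dropped silently and
    outbound is escalated to the user ('ask'), so a program phoning home that
    nobody approved is surfaced instead of silently permitted."""
    for rule in policy:
        if matches(rule, conn):
            return rule.action
    return "deny" if conn.direction == "in" else "ask"


def audit(policy: List[Rule], events: List[Conn]) -> List[Tuple[Conn, str]]:
    """Apply the policy to a whole connection log and return each verdict."""
    return [(c, decide(policy, c)) for c in events]


# Constructed connection log (not captured from a real machine).
EVENTS: List[Conn] = [
    Conn("firefox.exe", "out", "tcp", 443, "203.0.113.5"),       # normal browsing
    Conn("updater.exe", "out", "tcp", 80, "203.0.113.9"),        # unknown program phoning home
    Conn("svchost.exe", "in", "tcp", 135, "198.51.100.7"),       # unsolicited RPC from the Internet
    Conn("system", "in", "tcp", 445, "192.168.1.20"),            # file sharing from the LAN
    Conn("firefox.exe", "out", "tcp", 6667, "198.51.100.9"),     # browser to an IRC port: not on its list
]

if __name__ == "__main__":
    for conn, verdict in audit(POLICY, EVENTS):
        print(f"{verdict:5s} {conn.direction:3s} {conn.app:12s} "
              f"{conn.proto}/{conn.port} peer={conn.peer}")
```

The "ask" verdict is the usability-sensitive part: the prompt is only useful if the user can answer it, which is the same problem the Office macro dialog ran into in Section 3.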
Another example of where security and usability grew together is the adware/spyware and pop-up arena. Adware and pop-ups are advertisements that appear in a small window when you visit (or leave) a website, when you boot your computer, or at random times. Spyware consists of applications that send personal information about you (such as your surfing habits, keystrokes, emails, documents, etc.) back to companies or individuals who then use or sell the data for monetary gain. They affect all three aspects of computer security: confidentiality, by letting others see your private data; integrity, by posing as innocuous programs that actually betray your trust and "spy" on you; and availability, by eating up memory and CPU resources and sometimes even crashing your system. We believe pop-up blockers and anti-spyware applications are among the most useful recent developments in computing. They have improved usability countless times for countless users. Before them, it was very difficult, if not impossible, to surf the Internet with tens of pop-up ads appearing every time you visited a website or booted your computer. They consumed memory and CPU time and sometimes even crashed the system, diminishing usability considerably. You were never sure whether your keystrokes were being logged or your personal data was being sent to someone else, so the user would eventually lose trust in the system and dislike using it. With the advent of pop-up blockers and spyware detection and removal tools, security was improved along with usability, because trust in the system was retained.

Another example of a successful synergy between computer security and computer usability is role-based access control, present in Security-Enhanced (SE) Linux and in Solaris 8. For system and network administrators, the use of roles and domains gives much greater flexibility in allocating permissions to do various things.
For example, in SELinux:

Each process has an associated role. This ensures that system processes and those used for system administration can be separated from those of ordinary users. Each user role has an initial domain that is associated with the user's login shell. As users execute programs, transitions to other domains may, according to the policy configuration, automatically occur to support changes in privilege. The type enforcement component defines an extensible set of domains and types. Each process has an associated domain, and each object has an associated type. The configuration files specify how domains are allowed to access types and to interact with other domains. They also specify automatic transitions between domains when programs of certain types are executed. Such transitions ensure that system processes and certain programs are placed into their own separate domains automatically when executed. [10]

Security and usability are improved simultaneously. Security is improved because this greatly refines the "all or nothing" access control of traditional UNIX (you are either root or a non-root user) by creating roles and domains that give the administrator fine-grained control. Usability is improved because, for example, a webmaster no longer has to know the root password and su to root to read the data file that the Apache web server uses (see Section 3). The webmaster can simply be assigned a role that is allowed access to the files in the web server's document directory and is allowed to reconfigure and restart the web server [11]. Two practical caveats: the files must actually be labeled with the type the role is allowed to reach, and SELinux is checked after, not instead of, the ordinary permission bits, so a file left as mode 0600 owned by nobody stays unreadable to the webmaster no matter what the policy says. The policy narrows what each domain may do; it does not widen what the mode bits allow.

Another example of how computer usability can grow with computer security is the new anti-virus products on the market. The new ones, like Symantec's Norton Anti-Virus 2004, provide real-time protection that is both fast and almost unnoticeable to the user. In other words, it integrates wonderfully with the existing user environment.
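Before moving on to anti-virus, here is an added example (not code from the essay, from SELinux or from Solaris) that puts the two access checks from the webmaster case side by side: the kernel's mode-bit check that locks the webmaster out of the 0600 data file in Section 3, and a toy role/type-enforcement policy in the style of the SELinux description above, in which a webadm_r role is allowed to read and write the web server's data and signal the server process but nothing else. The uids, role, domain and type names are assumptions made for the example (they follow the httpd_t / httpd_data_t naming convention but are not taken from any real policy).

```python
"""UNIX mode bits versus a role/type policy for the webmaster problem.

Added example tying together the data.txt file-permission case from
Section 3 and the SELinux-style roles and domains described above. It is not
code from the essay, from SELinux or from Solaris; it is a toy model of the
two access checks. The uids, domain names and type names are invented.
"""
from typing import Dict, FrozenSet, Set, Tuple

# ---- Part 1: discretionary access control, i.e. the kernel's mode-bit check ----

def dac_allows(mode: int, owner: int, group: int, uid: int, gids: Set[int], want: str) -> bool:
    """want is 'r', 'w' or 'x'. Owner bits apply if uid matches, else group bits
    if the file's group is among the caller's groups, else the 'other' bits.
    uid 0 bypasses the read/write check, as on traditional UNIX."""
    if uid == 0 and want in ("r", "w"):
        return True
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == owner:
        shift = 6
    elif group in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)

NOBODY, WEBMASTER, WEBDEV = 99, 1001, 500        # made-up uid/gid values

# ---- Part 2: roles and type enforcement in the SELinux style ----

# allow <source domain> <target type>:<class> { permissions }
ALLOW: Dict[Tuple[str, str, str], FrozenSet[str]] = {}

def allow(domain: str, type_: str, cls: str, *perms: str) -> None:
    key = (domain, type_, cls)
    ALLOW[key] = ALLOW.get(key, frozenset()) | frozenset(perms)

allow("httpd_t", "httpd_data_t", "file", "read", "write")
allow("webadm_t", "httpd_data_t", "file", "read", "write")
allow("webadm_t", "httpd_config_t", "file", "read", "write")
allow("webadm_t", "httpd_t", "process", "signal")       # may restart the server
allow("user_t", "user_home_t", "file", "read", "write")

# A role authorizes the set of domains a user in that role may run in.
ROLES: Dict[str, Set[str]] = {
    "system_r": {"httpd_t"},
    "webadm_r": {"webadm_t"},
    "user_r": {"user_t"},
}

# (current domain, type of the executed program) -> new domain
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("initrc_t", "httpd_exec_t"): "httpd_t",
}


def te_allows(subject: Tuple[str, str, str], type_: str, cls: str, perm: str) -> bool:
    """subject is a (user, role, domain) security context. Denied unless the
    role authorizes the domain and an allow rule grants the permission;
    there is no 'root' that skips the check."""
    _user, role, domain = subject
    if domain not in ROLES.get(role, set()):
        return False
    return perm in ALLOW.get((domain, type_, cls), frozenset())


def exec_transition(domain: str, exec_type: str) -> str:
    """Domain after exec; with no transition rule the program keeps the caller's domain."""
    return TRANSITIONS.get((domain, exec_type), domain)


if __name__ == "__main__":
    # data.txt as in Section 3: -rw------- nobody nobody
    print("webmaster reads 0600 nobody:nobody ->",
          dac_allows(0o600, NOBODY, NOBODY, WEBMASTER, {WEBMASTER}, "r"))
    print("webmaster reads 0660 nobody:webdev ->",
          dac_allows(0o660, NOBODY, WEBDEV, WEBMASTER, {WEBMASTER, WEBDEV}, "r"))
    wm = ("webmaster", "webadm_r", "webadm_t")
    print("webadm_t reads httpd_data_t  ->", te_allows(wm, "httpd_data_t", "file", "read"))
    print("webadm_t reads shadow_t      ->", te_allows(wm, "shadow_t", "file", "read"))
    print("webadm_t signals httpd_t     ->", te_allows(wm, "httpd_t", "process", "signal"))
    print("init execs httpd_exec_t      ->", exec_transition("initrc_t", "httpd_exec_t"))
```

On a real SELinux system both checks run, mode bits first and then the policy, so the webmaster needs a passing answer from dac_allows as well as from te_allows; what the role buys is that the second check can say yes to the web data and no to /etc/shadow even though both would be readable to root.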
"Auto-Protect," as it is known in Norton Anti-Virus, is described as follows:

Auto-Protect loads when you start your computer to guard against viruses, Trojan horses, worms, and other malicious threats. It checks programs for viruses as they are run and monitors your computer and removable media for any activity that might indicate the presence of a virus. When a virus or virus-like activity is detected, Auto-Protect alerts you. [12]

Security is obviously enhanced, but usability is enhanced as well, because the user can use the computer system in a more worry-free fashion. The user can be reasonably assured that the viruses the product knows about, arriving by email or from web sites, will be caught and removed automatically before they can do damage (a signature scanner only catches what it has signatures for, so the protection is only as good as the last update). In addition, the user interface of this particular product is very simple and easy to navigate, so the learning curve is very small.

5. Conclusions

Although in the past it has usually been the case that computer security and computer usability were inversely proportional, we believe this trend is starting to change. Security has been the most important issue in the computing industry for the last couple of years. Before that, computer systems were designed to do things as fast as possible and as easily as possible (to reduce costs). Now computer systems and all of their components (software, hardware, networks, etc.) have to do it securely as well (once again to reduce threats and the costs they bring). This trend is visible in all aspects of computer systems, from system and network administration to desktop users installing and using personal firewalls, pop-up blockers, and anti-virus products. Vendors see the trend and consequently provide easy-to-learn and easy-to-use interfaces that still deliver effective security. We believe this combination of secure computing with ease of use, speed, and quality will not go away, but will instead grow in the next few years.
Perhaps this is most evident in the most recent Indian Assembly Election, which took place this past May [13]. It was a clear example of how security and usability can co-exist. The election was conducted entirely on electronic voting machines, which were simple, fast, and easy to use for the hundreds of millions of voters who participated. At the same time, their simplicity added to their security, because the machines do a few simple things really well instead of a lot of different things poorly. The usability of the system was extremely good: only about 100 polling sites (out of the tens of thousands) had to conduct the election again, which shows that the error frequency of the system was very low. (A low re-poll count measures how reliably the machines worked in the field; resistance to deliberate tampering is a separate property that a re-poll count does not speak to.) Now if only Diebold could learn something from our Indian friends.

References

[1] F. Avolio. Internet Security and Usability: Who's Winning? http://www.avolio.com, 2001.
[2] Texas State Library and Archives Commission. http://www.tsl.state.tx.us/, 2001.
[3] M. A. Bishop. Computer Security: Art and Science. Addison-Wesley, 2002.
[4] U.S. Department of Health and Human Services: Usability. http://www.usability.gov, 2004.
[5] Security Axioms. http://www.avolio.com/papers/axioms.html, 2004.
[6] See What You Share on P2P. http://www.seewhatyoushare.com, 2004.
[7] "I'm Johnny. I hack stuff." http://johnny.ihackstuff.com, 2004.
[8] S. Brostoff and A. Sasse. Are Passfaces more usable than passwords? A field trial investigation. In S. McDonald et al. (eds.), People and Computers XIV - Usability or Else, Proceedings of HCI 2000, Sunderland, UK, pp. 405-424, 2000.
[9] Major Nelson's Random Thoughts: Xbox Live Security. http://www.majornelson.com/blog/2004/10/xbox-livesecurity.html, 2004.
[10] SELinux: Security Policy Abstractions. http://www.nsa.gov/selinux/info/policy.cfm, 2004.
[11] This is clearly exemplified in the following two articles: K. Rozinov. SUMMARY: RBAC on Solaris. http://www.sunmanagers.org/pipermail/sunmanagers/2000December/000589.html, 2000; and P. B. Galvin. Role-Based Access Control. Sys Admin Magazine, 2001.
[12] Symantec Help Center. Auto-Protect Description. 2004.
[13] Techaos. Indian EVM compared with Diebold. http://techaos.blogspot.com, 2004.