How to make security more approachable? Jessysaurusrex roars (Q&A)
WASHINGTON, D.C.—It’s hardly news that everything is hackable, even security software like password manager LastPass, as revealed here last month. But the fact that even security software makers have a hard time building and updating their products should force security firms to be more responsive and communicative, Jessy Irwin says.
Perhaps the most potent example of cybersecurity experts’ communication challenges was Edward Snowden’s struggle to explain the complexities surrounding the vast trove of National Security Agency documents he leaked in 2013, says Irwin, a sort of Jill-of-all-trades who recently started working for LastPass competitor 1Password as a security evangelist.
On HBO’s Last Week Tonight news comedy show in April, host John Oliver distilled the complex questions surrounding the NSA’s spying abilities into one pointed question: “Oliver asked Snowden, ‘Can the NSA see my dick pics?’ And suddenly, regular Americans [became] the biggest privacy advocates,” Irwin says. “We have to find out a way to make security issues understood by everybody.”
Best known online by her Twitter handle, Jessysaurusrex, through which she prolifically advocates for more secure software development, hard-to-crack passwords, and better online-security education, Irwin has made decreasing the fear, uncertainty, and doubt in security a professional mission. She can discuss security and privacy topics across a range of ages and backgrounds, and she has taken to distilling complicated security issues into slogans that appear on signs held by bunnies: one encourages VPN use on public Wi-Fi, and another stresses the importance of securing your home Wi-Fi router.
Irwin sat down with The Parallax here at the recent high-energy hacker conference ShmooCon to discuss her presentation on making computer security less intimidating. Here is an edited transcript of our conversation.
Q: Why is it so hard for security experts and companies to talk to their users?
A: You have to know your audience. If mine is a room of 8-year-olds, I need to think of simple facts that they don’t know—and then blow their minds with them. If I say, “There’s a series of chips in your computer that transmit light back and forth to each other,” they’re going to say, “What?” All it takes is one fact that is exciting but seems impossible, and they’re hooked on learning more.
Snowden took a major blow for the team when he leaked those documents, but when he did that interview with John Oliver, he didn’t know how to break it down for the average person.
Are security software developers trying to do right by their users?
Some of the people I thought would be the scariest hackers to deal with said I had good points about the importance of good communication. They admitted that they’re bad at making things easier for users, and they tried something new. I’ve seen some hard-core hackers advocate for nontechnical people, but there’s still a fair number of people who say it’s not important or their problem.
We’ve spent 19 months developing 1Password for Teams. We’ve spent 5 to 6 of those months working with our “chief defender against the dark arts” on a 50-plus-page security whitepaper. In security, many people say being transparent costs nothing, but in reality, time is money, and this was an investment we knew we needed to make for our users.
What advice would you give to nontechnical people?
Update every tool you use. It only takes about eight hours for someone to exploit a newly disclosed vulnerability and release malware somewhere.
But there’s no point in using strong encryption, or even antimalware, if you don’t use strong passwords. You can take it from a personal-privacy perspective: We know from the documents leaked by Snowden that the NSA can crack seven-word passphrases, so to stay ahead, you should be creating passwords of at least eight words. We’re dealing with the same cryptography problems that we’ve been dealing with since the 1990s.
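To put the seven-versus-eight-word advice in the answer above on a numeric footing, here is an added example (not code from the article, from Irwin, or from 1Password) that generates a multi-word passphrase with the operating system’s CSPRNG and computes the entropy an attacker faces when the wordlist is public. The 16-word list embedded below is constructed so the script runs offline; the 7,776-entry list size used for the calculation is the size of the classic Diceware list, and the word count needed for a 128-bit target is derived from that assumption. The entropy formula assumes words are chosen uniformly and independently, which is why the generator uses `secrets.choice` rather than `random.choice`.

```python
import math
import secrets

# Constructed sample wordlist so the example runs offline. A real deployment
# would draw from a large published list (e.g. a 7,776-entry Diceware-style
# list); this short list is an assumption for illustration only.
SAMPLE_WORDLIST = [
    "apple", "bridge", "candle", "desert", "engine", "forest", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orange", "pepper",
]
DICEWARE_LIST_SIZE = 7776  # 6**5 entries: the size of the classic Diceware list


def entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy (bits) of a passphrase of word_count words drawn uniformly and
    independently from a list of list_size words, assuming the attacker knows
    the list. Strength comes from list size and word count, not word length."""
    if word_count < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list_size list that reaches target_bits."""
    if target_bits <= 0 or list_size < 2:
        raise ValueError("target must be positive and the list at least two words")
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG. secrets.choice is uniform and unpredictable;
    random.choice is a seeded Mersenne Twister and must not be used for secrets."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for n in (7, 8):
        bits = entropy_bits(n, DICEWARE_LIST_SIZE)
        print(f"{n} words from a {DICEWARE_LIST_SIZE}-word list: {bits:.1f} bits")
    print("words needed for 128 bits:", words_needed(128, DICEWARE_LIST_SIZE))
    # Drawn from the tiny constructed list, so this sample is weak: 8 * log2(16) = 32 bits.
    print("sample from the 16-word list:", generate_passphrase(8))
```

Going from seven to eight Diceware words adds about 12.9 bits, so the strength of the advice depends entirely on the list being large and the selection being uniform; a short or guessable list makes the same eight words far weaker, as the 32-bit sample from the constructed list shows.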
We hear a lot right now about newer technology that is supposed to replace passwords. We know that Google’s working on it, and PayPal is working on it, but we haven’t seen any such technology come to market. Why is that?
Passwords aren’t just something we can change in North America and export to the rest of the world. I can’t name companies because of nondisclosure agreements, but generally, American startups tend to use offshore developers to shorten the time it takes to get a product to market. It’s a common process, and it’s something that is happening in the software market right now. I’ve recently seen companies build software using tech that was sunset in 2008.
Most developers care more about access to the tech that works than they care about the security piece because at the end of the day, they’ve got shit to do online.