RE: [projectvrm] The mother-in-law ad-tech problem


  • From: "T.Rob" < >
  • To: "'Guy Higgins'" < >, "'ProjectVRM list'" < >
  • Subject: RE: [projectvrm] The mother-in-law ad-tech problem
  • Date: Thu, 5 Jan 2017 17:04:13 -0500
  • Organization: IoPT Consulting

> systems and websites need to be truly easy to use.  Truly easy — not just easy for the designer.

 

This is something I struggle with almost daily.  Consider an IBM product called WebSphere Application Server.  Fifteen years ago all WAS instances used the same pre-installed default certificate.  IBM provided instructions on how to replace them and secure the clustered network cell but the reality was almost all web commerce sites running on WAS at the time used the default certificate and anyone could hack in.  These days WAS generates a lightweight Certificate Authority, generates unique certs for every server instance, securely exchanges certificates within the network cell, and manages the certs through their lifecycle, all at time of installation and all without any human intervention.  The admin *can* intercept or replace the process to make it shop-specific or add capabilities, but need not do so.  Now it's almost impossible to hack into a WAS server with an out-of-box default configuration and it's because the *designer* of the product shifted the responsibility from users to the vendor and encapsulated the hard parts into the default settings and the installer package.

 

But when it comes to MQ, another IBM product, there are no publicly reported breaches to drive demand and of the 10,000 global customers for this software most don't know how much they don't know and therefore don't insist the product be enhanced to assume a secure by default stance.  The result is IBM sees the work to implement it as something that increases their cost without any return in revenue whereas in reality it's a categorical feature.

 

Most consumer-grade tech is in that same boat.  Everyone skilled in the art knows for a fact the target market doesn't understand the issues or understand the importance when the issues make the news from time to time.  That is, after all, what it means to target consumers at large: people who just use the product as delivered and the innards are expected to be opaque.  This creates huge opportunities to externalize what should be categorical features such as saving development cost by not caring that a modal window can completely take over the executable displaying it, not including that use case in your test model, and denying that it's obvious until after sufficient exploits happen that deniability is no longer plausible.

 

Which is what this is.  Externalization of product development and manufacturing costs.  When Duke Power allowed giant coal ash pits to contaminate ground water here in NC we didn't have the option to switch to another electricity supplier.  The externalized costs were not pushed back on Duke Energy but rather spread out among taxpayers across the state.  When ad-tech externalizes costs by failing to keep malvertising out of their delivery pipeline we *do* have options.  We can refuse to accept delivery of the ads and we can switch to alternative content providers. 

 

Forcing the externalized costs to be realized as lost revenue or lack of traffic is the one way we as individuals can combat externalization and provide the incentive to design a system that can deliver revenue and ad content *safely*.  Using a super-cookie to "opt-out" doesn't cut it.  Accepting the risk doesn't cut it.  Becoming an Internet Luddite doesn't cut it.  Telling me I can't use ad- and script-blockers while this situation exists (or that I'm bad for doing so) doesn't cut it.  But more than anything else, and to your point, designing a system in which user vigilance is the primary safety control and all responsibility and costs of failure are externalized doesn't cut it.

 

 

Kind regards,

-- T.Rob

 

T.Robert Wyatt, Managing partner

IoPT Consulting, LLC

+1 704-443-TROB (8762) Voice/Text

https://ioptconsulting.com

https://twitter.com/tdotrob

 

From: Guy Higgins [mailto: ]
Sent: Thursday, January 05, 2017 15:34 PM
To: T.Rob; 'ProjectVRM list'
Subject: Re: [projectvrm] The mother-in-law ad-tech problem

 

+1

 

T. Rob,  Thank you for sharing this story.  I suspect that I’m in the target demographic, age-wise, and I certainly don’t share the software expertise that most of the members of this group have, but I do have pretty decent cyber-hygiene thanks to help from this group and others.  That said, I agree completely with you about designs.

 

Info tech is advancing so rapidly that there will always be a significant number of people who find it difficult to keep up for any number of reasons as they get older — designers need to become aware that those folks in the “long tail” of the distribution comprise a truly large number of people.  It’s not enough to provide for large print — systems and websites need to be truly easy to use.  Truly easy — not just easy for the designer.  Designers need to become aware of something called “The Curse of Knowledge.”  Just because you know something (the curse) doesn’t mean that everyone else knows it (the cursED).  Anyone can create Soviet designs (need more concrete, need more steel).  It's hard to create an elegant design – one that is easy to use, efficient and works because the laws of physics are on your side, not working against you.

 

Thanks again for sharing,

Guy

 

From: "T.Rob" < >
Organization: IoPT Consulting
Date: Wednesday, January 4, 2017 at 20:59
To: 'ProjectVRM list' < >
Subject: [projectvrm] The mother-in-law ad-tech problem

 

We spent a couple days either side of New Year's Eve in the hospital with my father-in-law.  Afterward my mother-in-law started searching for all the conditions and meds mentioned in his discharge paperwork.  Next thing you know, she's picked up ransomware which as best as I can tell was delivered through an ad rendered while she was reading email in Outlook Live.

 

As I mention in the linked post, I can't ever know for sure that the malware specifically targeted sick and elderly people but based on the ads she's now seeing it would be hard to win an ad placement bid right now for any other criteria.  So right after nearly losing her husband of 60+ years, emotionally and physically exhausted and unable to sustain her normal levels of web vigilance and security hygiene, she suddenly becomes a ripe target for malware delivered in ad-tech that ransoms all her family photos and correspondence.  It took hours to recover her PC and she was practically in tears the whole time.

 

Which to me is a big part of the problem.  Much of the discussion of ad tech and ad blockers centers around tech-savvy mainstream users, not the elderly parent or grandparent whose online experience is determined largely by default settings of their devices and technology-specific cataracts that blind them to how this stuff works.  Designing for the least abled among us results in designs that everyone can use.  Designing to the 80th or 90th percentile is much easier but renders millions of people "statistically insignificant" even to the point of creating new classes of disability where once there were none.

 

I understand that web sites need to make money to deliver high quality content but any web property owner or manager who believes the number of users who are actually victimized through malvertising is statistically insignificant needs to look my mother-in-law in the eye while they explain to her just how insignificant she personally is to their revenue stream and why.  Until ad-tech can be directly accountable to its victims site owners don't get to whine about ad blockers. 

 

https://medium.com/@tdotrob/dont-claim-your-web-site-depends-on-ads-d1aec0d45b3f#

 

 

Kind regards,

-- T.Rob

 

T.Robert Wyatt, Managing partner

IoPT Consulting, LLC

+1 704-443-TROB (8762) Voice/Text

https://ioptconsulting.com

https://twitter.com/tdotrob

 



