I would guess that at this point everyone in the world knows about this week’s “leak” where lots of private pictures from celebrities were stolen and then shared in the open. And if you’re interested in this sort of stuff, you’ve probably read quite a few opinions ranging from “why do these pictures exist” and “why are they saved anywhere online” to “what are the big companies doing about this”.
I’d normally avoid hot topics like this like the plague because of the kind of silly discussions that usually gravitate towards them, but in this case, there is a point that I would really like to make. That point is…
It is not the user’s fault.
It’s very easy, as an engineer, to look at this and breathe out with relief that nothing really got “hacked”, it was just phishing, brute-forcing, guesswork and other hacks that involve humans more than technology. It’s just bad user passwords and people putting them where they’re not supposed to, it’s not our fault, our system was intact, nothing leaked through the holes. It’s especially good because deep inside there is a little voice telling you that this will not be the case every time, so at least on this one occasion, you can escape the blame, go home, have dinner and sleep well at night.
Unfortunately this is an inadequate reaction, to say the least, and it’s a very wrong position to take, if you really care about the users and the industry.
We want people to use our stuff. We also want to make things as easy for them as possible. Just turn the phone on, it will just work. Just install the app, it will just work. Just take some pictures, it will just work and we will automagically back these up for you so that you can never lose them, you don’t need to do a single damn thing, it’s all magic from us techy wizards over here, don’t worry, love the cloud, life is good, please give us a 5 star rating and buy our stuff!
That is what we want, we want to make it *magical* and the magic happens when the complexity is hidden away. Unfortunately as soon as something goes wrong, the complexity starts leaking out in a big flood of user-blaming.
The user has set a bad password. The user does not have a PIN. The user does not use an encrypted connection. The user does not have a password on their wifi. The user has an easily-guessable password on all their accounts that they haven’t changed in five years. The user is wrong, our magic is INTACT, we cannot be faulted, the user has used our product wrong.
No, they f*ing haven’t. They used it in the way in which you told them they can use your magical device, in the super-duper-uber-simple way. You didn’t ask them to take a network defence course and a crypto book and understand why Password1 is about as secure as leaving your door unlocked and posting pictures of where your laptop is located outside. You told them that you have this covered and they don’t need to worry about a darn thing because *you* are the magician and they are muggles. The truth is that you lied and now you’re trying to blame the user to save face.
Instead of asking why people still set incredibly poor passwords, here are some more interesting questions:
– Why do we allow users to set incredibly poor passwords?
– If hackers just brute-force and guess passwords, why don’t we try to brute-force our own passwords and make users change them when we succeed?
– Hey, why do we still have passwords? Is this really still the only way to authenticate a person?
– If we think two-factor authentication helps, why is it an elusive option that you have to dig out instead of the enforced standard?
– If secret questions and answers can be so easily guessed, why do we still ask for these? Surely we have better options available?
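The first two questions above have a concrete answer that fits in a few dozen lines. The following is an added example, not code from the original post: a sign-up check that refuses the passwords attackers guess first, including Password1 from earlier in the post. It undoes the trivial tweaks people use to dress up a dictionary word (trailing digits, leet substitutions) before looking the result up in a blocklist, and rejects passwords that embed the username or service name. The blocklist, the `check_password` and `normalize` function names and the `alice` / `photocloud` values are constructed for this example; a real deployment would load a large list of leaked passwords instead of the handful here.

```python
"""Reject weak passwords at sign-up instead of blaming the user later.

Added example for the questions above; not code from the original post.
Assumes a hypothetical sign-up flow that calls check_password() before a
password is accepted and stored. COMMON_PASSWORDS is a constructed sample;
production code would load millions of entries from a leaked-password list.
"""
import re

# Constructed sample of passwords that appear at the top of every guess list.
COMMON_PASSWORDS = {
    "password", "passw0rd", "qwerty", "letmein", "welcome", "iloveyou",
    "monkey", "dragon", "football", "baseball", "abc123", "123456", "12345678",
}

# Substitutions users make to "strengthen" a dictionary word; guessers
# already try these, so the check must see through them too.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it was built from, if any.

    Lowercases, strips leading/trailing digits and punctuation
    ("Password1", "1Password", "P@ssw0rd!"), then undoes leet spellings.
    """
    base = password.lower()
    base = re.sub(r"^[^a-z]+", "", base)   # leading "1", "!!", "2014"
    base = re.sub(r"[^a-z]+$", "", base)   # trailing "1", "123", "!", "2014"
    return base.translate(LEET_MAP)


def check_password(password: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Look up both the raw password and its normalized form, so that
    # "Password1" and "P@ssw0rd!" fail for the same reason "password" does.
    if lowered in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("matches a commonly used password (after undoing digit/symbol tweaks)")

    # Names tied to the account are the next thing a guesser tries.
    for label, value in (("username", username), ("service name", service)):
        if len(value) >= 3 and value.lower() in lowered:
            reasons.append(f"contains the {label}")

    if len(set(password)) <= 2:            # "aaaaaaaaaaaa", "abababababab"
        reasons.append("uses too few distinct characters")

    if re.fullmatch(r"\d+", password):     # PINs and dates dressed up as passwords
        reasons.append("consists only of digits")

    return reasons


if __name__ == "__main__":
    # Constructed candidates; 'alice' and 'photocloud' are hypothetical values.
    for candidate in ["Password1", "P@ssw0rd!", "123456", "alice2014xyzpassword",
                      "correct horse battery staple"]:
        verdict = check_password(candidate, username="alice", service="photocloud")
        print(f"{candidate!r}: {verdict or 'accepted'}")
```

Because the plaintext is only available at sign-up and at login, the same `check_password` call can run on every successful login and force a change when it fails; that is the "brute-force our own passwords" question answered without ever storing anything recoverable.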
We are the wizards, we hold the keys to the magical kingdom and we expect users to trust us that this magic is good and it helps them and they have nothing to fear from it. Every time the magic fails, every time the user is hurt, they will trust us less. They will see the magic as more black than white, something to be feared and avoided. Fear kills innovation, fear kills sales, fear kills the magic.
It is not the user’s fault, it is the magician’s fault. The trick has failed, the complex machinery behind the magic hat has not only been revealed, but it killed the rabbit in the process. There is no one else to blame, we need to just accept our fault, sincerely apologise and do our best to make sure that this doesn’t happen again. And we need to do that fast before we lose all confidence and the magic show turns into a witch hunt.