What makes someone "good at technology?" In part, it's an understanding of the underlying technical principles and industry conventions - what a "power on" icon looks like, say. I have a lot of that. But there's another component, one that's often invisible to people like me: the extent to which your technology was designed to suit your needs.


I have a lot of that, too. I'm a 50-year-old, middle-class, tech-industry adjacent professional man with an honorary PhD in computer science. Not only do tech designers think like and about me when they create new products - they often *ask* me what I think I need.

Several times per year, I'll get on a call with product managers and researchers at both big and small tech companies to discuss some planned product. I am good at tech, but tech is also good at me.


It doesn't just meet me halfway - it bends over backwards to meet my needs.

Some years ago, I joined the advisory board for Simply Secure, a nonprofit that helps tech designers build strong security tools that are intended to be usable by non-technical people.


In my first call with the org's founder, Meredith Whittaker, I suggested a slogan for the products we helped with: "So easy, even your boss can use them."


You see, I've been an IT manager, and in that role, I've had to institute security policies, like minimum standards for passwords, mandatory VPN usage, and other important (but often cumbersome) measures.

In these circumstances, I always did my best to explain to my co-workers that these measures were not me being high-handed or sadistic, loading them up with pointless busywork.


I tried really hard - with pretty good success - to convey the rationale behind these measures and the risk I was trying to mitigate.

This isn't just a matter of being respectful to the people I was working to protect; it was also key to that protection - when people don't accept security measures, they circumvent them. As this amazing ethnography of security-bypassing medical professionals puts it, "You Want My Password or a Dead Patient?"



It's really important to get rank-and-file workers to understand why you're asking them to endure the inconvenience of a security measure, but it's far more important to get your *boss* to understand this. After all, even if your co-workers don't buy in, you have some authority to mandate their cooperation, whereas your boss gets to override you.


Everyone who's worked in security has had experience with this: you get a call from the CEO like, "Look, Poindexter, I don't give a monkey's asshole about the VPN or whatever. I need to download a presentation to raise the capital to pay your salary, and as soon as the kid in the lobby of this Comfort Inn is done Reddit shitposting on the shared lobby iMac, I need to download that file to this USB stick I found in the parking lot of an Arby's and transfer it to my laptop. Make it happen!"


This is why I suggested "So easy your boss can use it," as a replacement for the odious "So easy your mom can use it." Bosses have the social clout to force the universe to rearrange itself to your comfort.

Moms, not so much.

Tech designers are notoriously indifferent to the needs of moms - and other marginalized users - when they plan their products.


The emblem of this was the Honeywell Kitchen Computer, a $10,600 recipe-organizing database system the size of a kitchen counter, offered for sale in the 1969 Neiman-Marcus Christmas catalog:


The men who designed this computer didn't ask their wives - whose nightly dinner-cooking duties they set out to automate - whether they needed a $10,000, 100lb recipe organizer that you queried by punched paper tape. Not one unit sold.


Everything your mom does with a computer is twice as hard as the things that I do with a computer. Even if your mom gets more consideration from product designers today than she did in 1969, I'm getting more consideration. When I use a computer, I'm playing the game of life on the lowest difficulty setting:



But as easy as things are for me, they're even easier for your boss, who doesn't just play on the lowest setting - your boss gets to play in God Mode. They get highest-level access to company systems *and* they get to ignore the security policies their underlings must obey.


Hence IFL Science's study of CEO passwords for Nordpass, which found that the median CEO uses a password that is "startlingly dumb," in the phraseology of the headline for *PC Gamer*'s article on the study, by Katie Wickens:



The study analyzed 290 million data-breaches and clustered the leaked passwords by job title, finding that the most popular passwords for the highest-ranking employees were typical of the worst password choices: "123456," "picture1," "password," and names like "Tiffany," as well as mythological animals like "Dragon."

These passwords aren't *worse* than the median breached password, but they should be *better*.


With great power comes great responsibility, after all. C-Suite Impersonations are extremely dangerous to companies - forged emails from top execs have led to millions of losses at a swoop, when the impersonator orders an underling to transfer millions to pay a bogus invoice.



It's a safe bet that the IT managers who work for these execs know about the risk of C-Suite account takeovers, and it's a sure bet that the execs who chose these bad passwords had heard advice about choosing strong passwords. But unlike your mom, your boss gets to overrule IT policies.


Passwords suck and they're hard to do well. You (and your mom, and your boss) should be using a password manager and using a different, strong, randomly generated password for every service.


You should also turn on two-factor authentication for every service, using either a hardware token or a standalone 2FA app (*not* SMS!):




Meanwhile, let's normalize saying, "So easy my boss can use it" and banish "so easy my mom can use it" to the scrapheap of history.

