I recently purchased my first power tool ever, a DeWalt Compound Mitre Saw, an intimidating piece of machinery that can not only rip through huge pieces of wood, but potentially chop your hand/arm clean off. As such I was very nervous when I received it, including reading through the safety manual several times and watching numerous YouTube videos. Once I had reviewed everything and started playing with this tool, I came to an amazing realization. This device is so well designed from a safety perspective that I would have to try really hard to harm myself. Even better, I did not have to really think about all the safety measures, as they were built into the device; they were designed to work with me, not against me. I list some of the key safety features that impressed me at the bottom, but something else really hit home for me. Why are we struggling so hard to do the same for security? Right now IoT is one of our biggest security challenges, with millions of IoT devices being used for DDoS attacks. The challenge? People are not changing the default passwords.
Our community's response? Security professionals around the world are lamenting why people are so stupid/lazy as not to change the default passwords.
*sigh*, this says it all right here about our profession and why we are failing. Instead of blaming people, we should be taking a long, hard look at ourselves. Why do IoT devices even need a password? If they do, why are those passwords so hard to find/change on the device? Remember, you may think changing a password is easy, but security is your job. Most people don't want to think about security and/or find technology intimidating (like I found the Mitre Saw). In addition, when you have 5, 10 or even 15 IoT devices, changing passwords on all of them becomes a real PITA. Just like DeWalt and any other large power tool company, we need to take people into account and make security simple. We have to stop blaming others and look at ourselves. Until we do, the bad guys are going to continue to win.
By the way, here are some of the key safety features that are built into the DeWalt Mitre Saw. Notice in all three of these examples you do not have to do anything special, just use the device. This is how we need to think from a security perspective.
- Safety Cover: There is a plastic safety cover that protects the entire rotating blade. The only time the blade is actually exposed is when you lower the saw to actually cut into the wood. The moment you start to raise the blade after cutting, the plastic cover protects everything again. This means to hurt yourself you have to manually lower the blade with one hand then insert your hand into the cutting blade zone.
- Power Switch: Actually, there is no power switch. Instead, after the saw is plugged in, to activate the saw you have to depress a lever. Let the lever go and the saw stops. This means if you fall, slip, black out, have a heart attack or have any other type of accident and let go of the lever, the saw automatically stops. In other words, the saw always fails to the off (safe) position.
- Shadow: The saw has a light that projects a shadow of the cutting blade precisely on the wood where the blade will cut. No guessing where the blade is going to cut.
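Translating the three features into device design, as an added example that is not from this post: a hypothetical Python model of an IoT device whose remote admin service stays off (the lever) until the owner replaces the factory password (the cover), and which tells the owner plainly what is exposed (the shadow). The class, the constructed factory default and the minimum length are assumptions for illustration.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field

# Constructed factory default, used only to show the "fail to off" check.
FACTORY_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LENGTH = 12


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Device:
    """Hypothetical IoT device: its credential and what it exposes."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    password_hash: bytes = b""
    password_is_default: bool = True

    def __post_init__(self) -> None:
        # Ships with the factory default, but remembers that it IS the default.
        self.password_hash = _hash(FACTORY_DEFAULT_PASSWORD, self.salt)

    def remote_admin_enabled(self) -> bool:
        # The lever: remote access is off unless the owner has actively
        # set a real password. Doing nothing leaves the device in the safe state.
        return not self.password_is_default

    def set_password(self, new_password: str) -> tuple[bool, str]:
        # The cover: the factory default and trivially short passwords are rejected.
        if new_password == FACTORY_DEFAULT_PASSWORD:
            return False, "factory default password is not allowed"
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False, f"password must be at least {MIN_PASSWORD_LENGTH} characters"
        self.salt = os.urandom(16)
        self.password_hash = _hash(new_password, self.salt)
        self.password_is_default = False
        return True, "password set; remote admin enabled"

    def check_password(self, attempt: str) -> bool:
        return secrets.compare_digest(_hash(attempt, self.salt), self.password_hash)

    def status_banner(self) -> str:
        # The shadow: say plainly what is exposed before the owner acts.
        if self.password_is_default:
            return "Remote admin DISABLED until you set a password"
        return "Remote admin ENABLED (password set)"
```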
Safety is like security: you cannot eliminate risk. But I feel this is a great example of how security can learn from others about how to take people into account.