2009-03-19

What passwords and condoms have in common

I just read my favorite blog post of the month, by Adam on Emergent Chaos comparing the Holy See's comments on condoms in Africa to our often-dogmatic approach to Information Security. His comments:
In information security, we often keep saying the same thing over and over again, because we know it's right. We tell people to never write down their passwords, to always validate their input, and to run IDS systems. Deep in our hearts, we know they don't, and yet we keep saying those things. We tell them they "have to" fix all the security problems all the time.
I'd like to go further, and do, in my reply to his post. At issue is our propensity to reflect all of the hardest problems in security today onto those who are least equipped or capable of handling them: end users. Nobody asks to get into the security business when they buy a computer; they want to entertain themselves, contribute to some task, or fill an everyday need... yet that is exactly what we ask of them. We ask everyone who buys a computer to join us in our perverse universe of paranoia. This is a lazy, improper, and unsustainable approach. If anyone is looking for the hardest problems to solve in our industry, look no further than your parents' complaints about their computer, your friends' complaints about websites, or your coworkers' complaints about corporate policy. We've left them holding the bag on the hardest problems.

My comment on Adam's post is reproduced below.

Adam,

Fascinating and apt analogy. The "blame the user" fallback has bothered me for years... and it truly is a fallback.

To follow on to your password example: Why do users write down their passwords? Because we insist they be complex, temporal, and different between systems. Why do we do this? So they're not easily guessable. Isn't, then, the authentication mechanism the problem? We have an obtuse, antiquated authentication mechanism that belies the nature of the beast using the system. We wouldn't ask a donkey to type on a keyboard - what we have built here is the psychological equivalent. We don't change it because it is hard - technologically, procedurally, institutionally - to do so. Therefore, we insist on a system poorly suited to today's computing realities, and blame the user.

As you suggest, there are many manifestations of this, passwords being but one. Microsoft's sage advice to mitigate Office vulnerabilities ("don't click on attachments from people you don't know") is yet another of my favorites. But in the end, it seems many of these situations end up shifting the burden of blame to the end user, subjugating them to our whims of what is and isn't "easy," rather than facilitating their use of the equipment and letting them focus on what their real job is.

It's going to be very, very hard for IT to break this very inviting habit...

Michael Cloppert

I write on this topic frequently... I can only hope more people begin to realize the seriousness of this problem, and that we must begin to make it a tractable one.