Comments on: Joseph Ratzinger and Information Security

By: chantix

chantix — Sun, 17 May 2009 21:57:34 +0000

By: Iang

Iang — Sat, 21 Mar 2009 15:57:16 +0000

PHB: the good thing about the analogy is that it separates the thinkers from the haters.
Cobb: easily disproven, go ask the Red Cross about their blood banks, or hospitals about high-risk workers. Security is a relative, not an absolute. What the Pope has done is to conflate issues of religious dynamics with disease control, for purposes that are transparent. Similar enough to be confusing, he is not totally wrong in what he says, but he isn’t totally right, either, which makes him much the same as our popular security gurus.
A good analogy all round!

By: Iang

Iang — Sat, 21 Mar 2009 15:48:17 +0000

Michael, you beat me to it! I’ve not exactly been telling people to write their passwords down, but close to, and the only reason is probably I can’t figure out a pithy way to write it that won’t outrage the Pope.
Maybe that’s what Adam meant. Either way, the post is highly germane. The problem is, once we walk through all the ramifications of the claim, we are a bit stuck. The gulf between what a security person might say and what might be really useful to the client is rather large. We don’t have all the answers, and we don’t even have enough of the problem space for our answers to be reliable.

By: Adam

Adam — Sat, 21 Mar 2009 11:29:46 +0000

actually, that ‘best’ comparison is poor. need more coffee. :)

By: Adam

Adam — Sat, 21 Mar 2009 11:24:24 +0000

Cobb,
I don’t agree that the Pope is right. The question comes down to what is best–is best “the most effective way for a given person to act” or “the most effective rule if everyone followed it?” Here they’re different because (as the Catholic church agrees) people are failable, and we should consider giving them advice that fails is a mostly safe way, rather than in an unsafe way.

By: martin

martin — Fri, 20 Mar 2009 13:35:12 +0000

The analogy is great as it focuses on behavior people should practice to protect themselves versus the behavior that people DO practice. People practice bad password behavior. Without adequate tools to help them protect themselves, people will continue to get password related diseases.

I created one these tools (reknow.ca) and am trying to get companies to implement it to help their users protect themselves. It enables people to create secure and memorable passwords. Unlike password generators or password managers, Reknow.ca does not ever learn what the user’s password is.

Password tools can eventually solve the problem, but like condom use, adoption will require a level of motivation that right now seems to be lacking.

By: Cobb

Cobb — Fri, 20 Mar 2009 13:15:54 +0000

You evade the problem which is that the Pope is right. The only absolutely fail-proof way to avoid infection is through abstinence, just as the the only absolutely fail-proof way to avoid virus infection is to never connect to the internet.
People can certainly decide to be outraged, but you cannot disprove. I find it amusing how the very existence religious dogma freaks people out who consider themselves sworn to logic, as if ethics weren’t logical.

By: beri

beri — Fri, 20 Mar 2009 10:21:20 +0000

PHB: I don’t like Ratzinger either, but he’s not the issue. The issue that Adam raised is, how to get people to do what is good for them and protects them. I don’t think Ratzinger’s method is worth a damn, but to extend Adam’s analogy, what are the alternatives? Will people follow “best practices” advice and not have unprotected sex? Or not post their passwords on a Post-It note? If we can’t get people to get rid of the Post-It notes, how are we going to deal with the greater issues facing mankind? (One of the things I like about this blog is that it raises larger issues that make me think).

By: PHB

PHB — Thu, 19 Mar 2009 22:00:01 +0000

I am not sure that there is going to be much value in an analogy that starts with reference to a man who thinks he is (1) infallible (2) speaks on behalf of God and (3) was a member of the Hitler Youth as a child and an enabler for pedophiles as an adult.
If Ratzinger is right then God is a corrupt bigot with a medieval understanding of class, who is placated by the form but not the substance of rituals that bear a suspicious similarity to Roman pagan forms of worship such as the rites of Mythras.
I seem to recall that reform of a corrupt priestly caste that engaged in similar conduct is the central concern of the New Testament.

By: Michael Cloppert

Michael Cloppert — Thu, 19 Mar 2009 13:11:59 +0000

Adam,
Fascinating and apt analogy. The “blame the user” fallback has bothered me for years… and it truly is a fallback.
To follow on to your password example: Why do users write down their passwords? Because we insist they be complex, temporal, and different between systems. Why do we do this? So they’re not easily guessable. Isn’t, then, the authentication mechanism the problem? We have an obtuse, antiquated authentication mechanism that belies the nature of the beast using the system. We wouldn’t ask a donkey to type on a keyboard – what we have built here is the psychological equivalent. We don’t change it because it is hard – technologically, procedurally, institutionally – to do so. Therefore, we insist on a system poorly suited to today’s computing realities, and blame the user.
As you suggest, there are many manifestations of this, passwords being but one. Microsoft’s sage advice to mitigate Office vulnerabilities (“don’t click on attachments from people you don’t know”) is yet another of my favorites. But in the end, it seems many of these situations end up shifting the burden of blame to the end user, subjugating them to our whims of what is and isn’t “easy,” rather than facilitating their use of the equipment and letting them focus on what their real job is.
It’s going to be very, very hard for IT to break this very inviting habit…
Michael Cloppert