Joseph Ratzinger and Information Security
Joseph Ratzinger (a/k/a Benedict XVI) made some comments recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” [link to http://www.reuters.com/article/homepageCrisis/idUSLH936617._CH_.2400 no longer works] Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.”
Many of you are likely outraged. Saying, “sure, if only people would do that, then we wouldn’t need condoms. But people don’t behave that way.”
I’d like to explain what this has to do with information security. Some of you may be saying “sure, but we’re not that bad.”
In information security, we often keep saying the same thing over and over again, because we know it’s right. We tell people to never write down their passwords, to always validate their input, and to run IDS systems. Deep in our hearts, we know they don’t, and yet we keep saying those things. We tell them they “have to” fix all the security problems all the time.
It’s my hope that we in information security will be less religious than the Pope, but there’s plenty of evidence that, like him, we offer advice that makes people shake their heads in disgust.
Wherever you work, whatever you do, it’s worth asking yourself: am I being dogmatic in what I’m asking of people?
Me, I’m being dogmatic about asking you all to keep it civil in the comments.
Adam,
Fascinating and apt analogy. The “blame the user” fallback has bothered me for years… and it truly is a fallback.
To follow on to your password example: Why do users write down their passwords? Because we insist they be complex, temporal, and different between systems. Why do we do this? So they’re not easily guessable. Isn’t, then, the authentication mechanism the problem? We have an obtuse, antiquated authentication mechanism that belies the nature of the beast using the system. We wouldn’t ask a donkey to type on a keyboard – what we have built here is the psychological equivalent. We don’t change it because it is hard – technologically, procedurally, institutionally – to do so. Therefore, we insist on a system poorly suited to today’s computing realities, and blame the user.
As you suggest, there are many manifestations of this, passwords being but one. Microsoft’s sage advice to mitigate Office vulnerabilities (“don’t click on attachments from people you don’t know”) is yet another of my favorites. But in the end, it seems many of these situations end up shifting the burden of blame to the end user, subjugating them to our whims of what is and isn’t “easy,” rather than facilitating their use of the equipment and letting them focus on what their real job is.
It’s going to be very, very hard for IT to break this very inviting habit…
Michael Cloppert
I am not sure that there is going to be much value in an analogy that starts with reference to a man who thinks he is (1) infallible (2) speaks on behalf of God and (3) was a member of the Hitler Youth as a child and an enabler for pedophiles as an adult.
If Ratzinger is right then God is a corrupt bigot with a medieval understanding of class, who is placated by the form but not the substance of rituals that bear a suspicious similarity to Roman pagan forms of worship such as the rites of Mythras.
I seem to recall that reform of a corrupt priestly caste that engaged in similar conduct is the central concern of the New Testament.
PHB: I don’t like Ratzinger either, but he’s not the issue. The issue that Adam raised is, how to get people to do what is good for them and protects them. I don’t think Ratzinger’s method is worth a damn, but to extend Adam’s analogy, what are the alternatives? Will people follow “best practices” advice and not have unprotected sex? Or not post their passwords on a Post-It note? If we can’t get people to get rid of the Post-It notes, how are we going to deal with the greater issues facing mankind? (One of the things I like about this blog is that it raises larger issues that make me think).
You evade the problem which is that the Pope is right. The only absolutely fail-proof way to avoid infection is through abstinence, just as the the only absolutely fail-proof way to avoid virus infection is to never connect to the internet.
People can certainly decide to be outraged, but you cannot disprove. I find it amusing how the very existence religious dogma freaks people out who consider themselves sworn to logic, as if ethics weren’t logical.
The analogy is great as it focuses on behavior people should practice to protect themselves versus the behavior that people DO practice. People practice bad password behavior. Without adequate tools to help them protect themselves, people will continue to get password related diseases.
I created one these tools (reknow.ca) and am trying to get companies to implement it to help their users protect themselves. It enables people to create secure and memorable passwords. Unlike password generators or password managers, Reknow.ca does not ever learn what the user’s password is.
Password tools can eventually solve the problem, but like condom use, adoption will require a level of motivation that right now seems to be lacking.
Cobb,
I don’t agree that the Pope is right. The question comes down to what is best–is best “the most effective way for a given person to act” or “the most effective rule if everyone followed it?” Here they’re different because (as the Catholic church agrees) people are failable, and we should consider giving them advice that fails is a mostly safe way, rather than in an unsafe way.
actually, that ‘best’ comparison is poor. need more coffee. 🙂
Michael, you beat me to it! I’ve not exactly been telling people to write their passwords down, but close to, and the only reason is probably I can’t figure out a pithy way to write it that won’t outrage the Pope.
Maybe that’s what Adam meant. Either way, the post is highly germane. The problem is, once we walk through all the ramifications of the claim, we are a bit stuck. The gulf between what a security person might say and what might be really useful to the client is rather large. We don’t have all the answers, and we don’t even have enough of the problem space for our answers to be reliable.
PHB: the good thing about the analogy is that it separates the thinkers from the haters.
Cobb: easily disproven, go ask the Red Cross about their blood banks, or hospitals about high-risk workers. Security is a relative, not an absolute. What the Pope has done is to conflate issues of religious dynamics with disease control, for purposes that are transparent. Similar enough to be confusing, he is not totally wrong in what he says, but he isn’t totally right, either, which makes him much the same as our popular security gurus.
A good analogy all round!
+1