For various reasons, some related to having children, over a period of time I have come to be fascinated by Fairy Tales – one of my latest book purchases was The Great Fairy Tale Tradition: From Straparola and Basile to the Brothers Grimm (Norton Critical Editions) – this isn’t your common or garden Disney fairy tale stuff – this is the original, violent, gory, beautifully bizarre stories of the 14th and 15th century. The ones that are not designed just to entertain your kids, but the ones that are there to teach them morals, behaviour and a healthy fear of monsters. Fairy Tales, like parables, are supposed to have a meaning and a purpose (other than increasing the value of shares for large animation houses), which has largely been lost in their sanitisation for modern audiences. This, however, led to my warped mind taking a little wander down a fairy tale lane – what can Fairy Tales teach us about information security?
Today’s story, children, is Rumplestiltskin … *
The parts that directly relate to the IT industry come thick and fast in this story:
| Story Line … | IT translation … |
|---|---|
| A man, seeking to make himself seem more important than he really is, lies that his daughter can spin straw into gold. | Don’t trust salesmen who promise that their product can do everything that you want it to. |
| The king hears the man’s boasts and demands that they be demonstrated to him three nights in a row, otherwise the girl will be put to death. | You can guarantee that senior management will believe the salesman, and you will be required to deliver – or pay. |
| When all seems lost, an odd, ugly little man turns up and, in exchange for jewellery, more jewellery and the girl’s first-born child, spins the straw into gold for her. | In exchange for cash, more cash and your first-born, you can get an odd, ugly consultant in to make things work. |
| The king is so impressed that he marries the girl, and soon they have a child … | Management are so impressed that they put you in charge of the new system … |
| … but the odd, ugly little man comes back and demands the final part of his payment … | … but you don’t know how it works and you are indebted to the consultant, who wants more than you can afford … |
| … after much pleading, he relents, saying that if she can guess his name in three days, then he’ll lay off. | … however, you realise that if you can guess the root password, you can do all of the work without them. |
| After much guessing, the man is overheard saying his name in the woods; it is repeated to him and he disappears, never to return. | After much guessing, you try the consultant’s name, root is yours and the consultant disappears, never to return. |
So what are we left with in the way of real morals? Well, “don’t trust everything you hear” is a good start; possibly “if you don’t know whose problem it is, it’s yours” is another; and ultimately, and the one that actually occurred to me first, “obscurity is not the same as security”.
This last one is really important to remember, and it’s a difficult one to really grasp – there is a difference between a secret (which is something that _only_ you know) and an obscure thing (like running SSH on port 222 instead of 22). Obscurity might slow people down a little, but ultimately that’s all it is – obfuscation – not prevention of discovery: the attacker has a small, bounded space to search, and a guessable password (the consultant’s name) is no better than a non-standard port.
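To put numbers on the secret-versus-obscurity distinction, here is a small added example (mine, not part of the original post) that scores the attacker’s search space in bits for a non-standard SSH port versus a random key, and a defender’s password check that flags a root password built from a known name, as in the story. The name list is constructed sample data, not anything from the post.

```python
import math
import re

# Constructed list of identifiers an attacker would try first, mirroring the
# story's guess of the consultant's name (hypothetical sample data).
KNOWN_NAMES = ["rumplestiltskin", "consultant", "root", "admin"]

TCP_PORTS = 65535  # an "obscure" port is one of at most this many


def search_space_bits(choices: int) -> float:
    """Bits of work to enumerate `choices` equally likely possibilities."""
    return math.log2(choices)


def port_obscurity_bits() -> float:
    """Moving SSH from 22 to 222 hides it among at most 65535 TCP ports:
    roughly 16 bits, which a port scan exhausts in minutes."""
    return search_space_bits(TCP_PORTS)


def random_key_bits(nbytes: int = 16) -> float:
    """A secret drawn uniformly from nbytes of random bytes: 128 bits for
    the default, which is infeasible to enumerate."""
    return search_space_bits(2 ** (8 * nbytes))


def name_derived(password: str, names=KNOWN_NAMES):
    """Return the known name a password is built from, else None.

    Digits and punctuation are stripped first, so "Rumplestiltskin1!" is
    still recognised as a name with trivial decoration.  Use this as a
    policy check when a password is set, so the root password is a real
    secret rather than something guessable from an org chart.
    """
    letters = re.sub(r"[^a-z]", "", password.lower())
    for name in names:
        if name in letters:
            return name
    return None


if __name__ == "__main__":
    print(f"non-standard port: {port_obscurity_bits():.1f} bits")
    print(f"random 16-byte key: {random_key_bits():.1f} bits")
    for candidate in ("Rumplestiltskin1!", "Xq7!vT9zLm2#"):
        print(candidate, "->", name_derived(candidate) or "ok")
```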
* (I must admit that this is one of my favourites anyway …)