I spend a fair amount of my commute time reading. Mostly just catching up on a seemingly endless pile of magazines covering topics of interest to me professionally and personally. Among my favorites is IEEE Security & Privacy. It always manages to capture my attention, and holds my interest until I’ve wound up reading the issue very nearly cover-to-cover…sometimes with a chuckle or two.
Usually when an article on the very serious issues surrounding computer security and privacy produces a chuckle or laugh, it seldom has anything to do with the topic, or the author’s coverage of it. Most often, I get tickled over my own mental contortions of what is being said…generally, outside of the original context. As an example:
In the March/April 2006 issue of S&P, Whittaker and Ford wrote a piece titled “How to Think about Security”. It is a very thoughtful piece on the importance of carefully evaluating the effectiveness of security within system design by thinking like one of the “bad guys” to identify all the potential attack vectors. Toward the end of the article they touch on the very real problems of web application security when it comes to having to trust the end-user’s browser to do the right thing for any security-related decisions. Taking this a little further, because computer systems can simulate human on-line behavior (think “bots”), one must be a bit more paranoid about the design assumptions made, because it only takes one malicious exploit to break the trust instilled in the application by its legitimate users. Bottom line, you cannot trust what cannot be controlled. They sum this up with:
“Trust can’t be assumed; it must be enforced”.
Here’s where I laughed. Within the systems context, their statement is very true. In order to trust an application or end-user to make the right decisions, you must remove options to make the wrong decisions. “Trust” in this context is synonymous with “trussed”. Taken out of context, say into the world of human-to-human interaction, it becomes a contradiction of sorts, which I found very amusing.
In the world of human relationships, trust is an assumption. The assumption your employee will make the right decisions to perform job duties, the assumption the CEO is on-the-ball looking out for the company’s best interests, and the assumption your significant other isn’t “playing cards” with the “milk man”. Trying to enforce trust in any of these human interactions ultimately results in broken trust…and a bad situation for everyone involved.
My mind immediately jumped to an employment scenario where playing this out might be funniest…imagine trussing (like binding them to their cubicle by one of those cool Kensington cable locks that secure computing equipment) your employee so much that they would never ever be able to consider leaving the firm, and may actually get bored enough to over-achieve with their job duties. Be honest…someone jumped to your mind immediately. Now, that’s trussed!