Security and the Unforeseen Use Case

Copyright © What The Hell? Security

Paul Vixie, venerable champion of DNS, writes a brilliant piece titled What DNS Is Not.

Vixie understands what most people don’t, or if they do, they’re too damn quiet about it. When you take a solution to one problem, and apply it against a different problem, you can create a whole new problem. Which — surprise! — somebody will try to solve with a solution to a completely different problem.

The fundamental issue here is one of unforeseen use cases. Our eyes are pretty good at spotting them in the physical world. Sometimes they’re handy, like the Ikea server rack. And then there’s the unfortunate Husqvarna fingernail trimmer.

But when it comes to software, our eyesight is pure crap.

Take the almighty HTTP cookie. Its initial purpose was to tell Bianca’s Smut Shack when you last visited. Next thing you know, it’s telling your brokerage to liquidate your NASDAQ:NSCP holdings and wire the proceeds to Kenya.

So who’s to blame? Let’s make this simple and boil it down to one of two representative scapegoats:

  1. The smart guy who implemented cookies to manage HTTP state
  2. The dumb guy who confused “HTTP state” with “user authentication”

Hint: It’s not the dumb guy.

See, the smart guy wasn’t smart enough. If he had been, he would have foreseen that unforeseen use cases would arise. By definition he had no way of knowing what they would be. But he should have known that there would be at least one. For anything useful there always is.

The smart guy should have recognized that by building a solution intended for universal adoption, he inherited the responsibility to shout out not just the kinds of things that cookies might be used for, but also the kinds of things they should never be used for. Foreseeing their use as authenticators wasn’t exactly a big stretch. Especially since he was Netscape. (So was the dumb guy, by the way.)
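To make the “HTTP state” versus “user authentication” confusion concrete, here is an added illustration (not code from the original post): a handler that trusts the cookie’s contents as identity, beside one that treats the cookie as an opaque, HMAC-tagged session reference resolved server-side. The session store, secret and cookie names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Naive: the cookie IS the identity. Whoever sends "user=alice" is alice,
# because state-carrying cookies were never designed to prove anything.
def naive_identity(cookie_header: str):
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar["user"].value if "user" in jar else None

# Hardened: the cookie only carries an opaque random session id. Identity is
# looked up server-side, and the id is HMAC-tagged so a forged or edited value
# is rejected before any lookup happens.
SECRET = secrets.token_bytes(32)  # constructed; a real server loads it from a secret store
SESSIONS: dict[str, str] = {}     # hypothetical in-memory session store: sid -> username

def _tag(sid: str) -> str:
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

def issue_session(user: str) -> str:
    """Create a server-side session after the user has actually authenticated."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return f"{sid}.{_tag(sid)}"  # value to set in a Secure, HttpOnly cookie

def hardened_identity(cookie_header: str):
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar:
        return None
    sid, _, tag = jar["session"].value.rpartition(".")
    # Constant-time comparison; a bad tag never reaches the session store.
    if not sid or not hmac.compare_digest(tag, _tag(sid)):
        return None
    return SESSIONS.get(sid)
```

Note that the tag only proves the server minted the id; expiry, revocation and cookie flags still have to be handled separately.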

See, you can’t foresee the unforeseeable. But you can — and must — foresee that there will be unforeseeables. Account for that, and you’ll find yourself making much smarter decisions.

Unfortunately — as Vixie knows all too well — nobody riding on your coattails is obligated to do the same.


2 Responses

  1. [...] This post was mentioned on Twitter by Hart Rossman, Hart Rossman and Joshua Corman, Rugged. Rugged said: 'Thank you! Very few [security]/people get this. "Security and the Unforeseen Use Case" http://bit.ly/d3EcLz an interesting piece.' #Rugged [...]

  2. Nicely done. Very much in line with the rugged software manifesto.
