In security, you need to stop the root mistake
November 29, 2009
Here is something that I have become more and more convinced of: if you want to actually solve a security problem, you need to stop the root mistake.
Many security problems have various surface issues that you can target, and then they have one (or more) root mistakes. It is tempting and easy to target surface issues, but if you do so you are not really solving the problem; you are simply causing the attackers to find another way to create the circumstances where the root mistake will be committed again.
As an example, let us consider phishing. In phishing, the root mistake is entering your username and password into the wrong site. However, there is a long history of anti-phishing precautions that try to get people not to go to the wrong site (persuasion, blocking access to bad sites, blocking ways of directly linking to sites, etc etc). Since these solutions are only targeting the surface issue, they have predictably failed any time attackers can figure out a new way to slide past the precautions.
So, to really fix the security problem you need to target the root mistake, and ideally make it not just more difficult but outright impossible to make that root mistake.
(If you merely make the root mistake more difficult, it just lowers the frequency of the security problem. And even that's not a sure thing.)
* * *
Atom feeds are available; see the bottom of most pages.