tecosystems

Best Defense: History or Technology?


It’s not often that I disagree with Jon Udell, but I’m not sure that I can quite convince myself of his latest argument, which implies dramatic and potentially long-term consequences from the compromise of the weak authentication common to many blogging systems.

Jon’s responding to Tim Bray’s post, which in turn was a response to Tim O’Reilly‘s post, which in turn was a response to the horrifying Kathy Sierra situation. Still with me?

The gist of Bray’s argument, and the one that Udell clearly concurs with, is that you should be held responsible – not to mention accountable – for what appears on your website. I happen to agree with both of them – with an important exception.

The exception, of course, is the precise scenario that is the implicit topic of Udell’s post: the vulnerability of all of our accounts – blog, del.icio.us, Flickr, whatever – to hijacking. I think you should be held accountable, in other words, for what you post or allow to be posted to your website. But due to the weak authentication/authorization mechanisms typically employed by such systems, as he discusses, “we are frighteningly vulnerable to impersonators.” All true.

I could argue the point on a frequency basis – I can’t remember the last time anyone I knew personally had an account taken over – but that it can and does happen is not in dispute.

What I’m not convinced of, however, is the longer term concern. Specifically, Jon’s belief is that in such cases, “impersonators…could irreparably damage our online reputations.” Is that really true?

I don’t question the short term damage. Nor do I question the possibility of lingering damage. But I’d like to believe, as I discussed with someone at the IBM conference last week, that if some of the hideously offensive anti-Kathy posts appeared in this space, you’d all know better than to think they came from me. That you’d know that something was amiss. Call me naive, but I’d like to think that my track record here counts for something, and that something completely out of line with that track record would be identified and credited as such.

Not that that helps with the casual browser, of course, who might visit once, read something maliciously posted and form permanent conclusions as a result. But the regular readers, I’d hope, would give me the benefit of the doubt, and await an explanation for a clearly anomalous datapoint.

I agree with Jon that there’s no perfect defense. And I somewhat agree that “cryptographically strong multi-factor authentication” login systems would be helpful, although I have yet to see one that would pass the “average user” test. I believe, however, that the best defense is actually a strong track record – a history of behavior against which you can be judged. Just as Alex would have his body of work take the place of his resume, so too would I have mine be my defense in cases where my ethics or integrity are questioned. But maybe that’s just me being a Pollyanna.

3 comments

  1. “Call me naive, but I’d like to think that my track record here counts for something.”

    It counts for a lot, and I rely on mine in just the same way for the same reasons. But: counts /for whom/? Will the millions who were first introduced to Kathy Sierra and Chris Locke on CNN yesterday explore their track records and reach their own conclusions?

    More to the point, what about Alan Herrell’s track record? I would be inclined to explore it but I can’t, now, without digging it out of the Google cache.

    The best defense is a strong track record /and/ an online identity that’s as securely yours as is feasible.

  2. […] Stephen O’Grady asks whether history (i.e., a person’s observable online track record) or technology (i.e., strong […]

  3. […] and so on, but for all of that it’s just one incident. Much as I’d like to be judged on my body of work rather than a single post, I’ll judge Sun’s openness – or lack thereof – on their […]
