tecosystems

Best Defense: History or Technology?


It’s not often that I disagree with Jon Udell, but I’m not sure that I can quite convince myself of his latest argument that implies dramatic and potentially long term consequences for the compromise of weak authentication common to many blogging systems.

Jon’s responding to Tim Bray’s post, which in turn was a response to Tim O’Reilly‘s post, which in turn was a response to the horrifying Kathy Sierra situation. Still with me?

The gist of Bray’s argument, and the one with which Udell clearly concurs, is that one should be held responsible – not to mention accountable – for what appears on one’s website. I happen to agree with both of them – with an important exception.

The exception, of course, is the precise scenario that is the implicit topic of Udell’s post: the vulnerability of all of our accounts – blog, del.icio.us, Flickr, whatever – to hijacking. I think you should be held accountable, in other words, for what you post or allow to be posted to your website. Due to the weak authentication/authorization mechanisms typically employed by such systems, as he discusses, “we are frighteningly vulnerable to impersonators.” All true.

I could argue the point on a frequency basis – I can’t remember the last time anyone I knew personally had an account taken over – but that it can and does happen is not in dispute.

What I’m not convinced of, however, is the longer term concern. Specifically, Jon’s belief is that in such cases, “impersonators…could irreparably damage our online reputations.” Is that really true?

I don’t question the short term damage. Nor do I question the possibility of lingering damage. But I’d like to believe, as I discussed with someone at the IBM conference last week, that if some of the hideously offensive anti-Kathy posts appeared in this space, you’d all know better than to think they came from me. That you’d know that something was amiss. Call me naive, but I’d like to think that my track record here counts for something, and that something completely out of line with that track record would be identified and credited as such.

Not that that helps with the casual browser, of course, who might visit once, read something maliciously posted and form permanent conclusions as a result. But the regular readers, I’d hope, would give me the benefit of the doubt and await an explanation for a clearly anomalous datapoint.

I agree with Jon that there’s no perfect defense. And I somewhat agree that “cryptographically strong multi-factor authentication” login systems would be helpful, although I have yet to see one that would pass the “average user” test. I believe, however, that the best defense is actually a strong track record – a history of behavior against which you can be judged. Just as Alex would have his body of work take the place of his resume, so too would I have mine be my defense in cases where my ethics or integrity are questioned. But maybe that’s just me being a Pollyanna.