Thursday, 9 August 2007

Long tail security analogy

My wife saw something on the BBC website about a new mashup search tool called SPOCK and asked me all about the security of it. Obviously I made stuff up because I didn't want to admit I'd never heard of it, and then waited until she'd gone to bed to read what I could find. Such is the way of the husband.

The BBC had this to say about Spock:

"Spock, which launched today, also trawls social networking sites. The search engine claims that it currently has more than 100 million people indexed, but like Wink it has big ambitions. Its co-founder Jay Bhatti told the news agency AFP that he hoped it would eventually be able to provide a search result for everyone in the world. Spock, like Wink and other search engines such as ProfileLinker and Upscoop, allows users to take control of their profiles. Rather than letting the fate of your profile be left down to what is written about you on the web, the sites allow users to amend, update or add new information about themselves."

But what if you do not like the idea of this kind of information being available at all?

"The caveat today is be careful what you post" - Alan Chapell

Quite, but I'm really nervous of this type of thing. Not because I have anything to hide, I wouldn't blog if I did, but because of how all of this is being 'grown'. WebAppSec isn't something I have a great deal to do with, there are far better men than I in this area. Jeremiah Grossman is the king of these pages, for good reason. To be clearer why I don't like the idea of this, it's nothing to do with my personal data. I'll happily tell you who I am, my NI number (Social Security equivalent), email address, birthday, credit card details, convictions, etc. They're all available online anyway (I expect). I've had my identity stolen before, and although unpleasant, it's simple to recover from.

No, the reason I am upset about it is the same reason Jeremiah would be upset, and I explained it to Mrs. Newby with the following analogy:

Imagine someone has built a house, which they are happy with and use a lot, and I realise that I could get some use out of his house by building something on top of it. I don't know what his house is made of, where the supporting beams are, or any of the internal dimensions; I just see that his wife is happy and I want a piece of that. So I decide to build an extension on his house, so that I can get some of his homely goodness. I build my extension out of bricks, knock a hole in his house to allow me access, and make it big enough to allow 100 visitors a day in through MY new entrance.

Now, if his house is made of bricks, the wall I've chosen is not supporting the house, he has a hallway big enough to accommodate 100 people at any one time, and doesn't mind me being there, great, we're all fine and dandy. There might be a few holes to patch up between my building and his, but we'll call the consultants in to fix these.

If his house is made of sticks (unusual I know, but this is an analogy, bear with me), I've just knocked through his reinforced bamboo joist, into his main living area which is only big enough for him and his wife, then we're in trouble. So is he. The house will collapse, my extension will at the very least be useless. His wife certainly won't be happy.

So, you see how I cleverly turned that into a "keeping the wife happy" story, just to keep my wife happy? That's the secret of analogy, my friends. It also explains why I'm nervous about Web 2.0, and absolutely positive that Mark Curphey is right about the long tail of security: it's where we're going to have to fill the gaps, or make sure the "houses" are stable enough in the first place. Maybe I'll have to learn a bit of WebAppSec after all...

One last point my wife just mentioned. Why is Spock invitation only? "It's not like it's a school disco or something. They SO want everyone to join." - Mrs. N.

Yes my darling, I expect they do. I can't imagine a reason why they wouldn't at least. What good can it possibly do them to only invite a select few million people? Well, you can apply to be one of those people, so I don't really think it's that exclusive. I imagine this is also a publicity stunt. It also helps when people ask them how many users they have if they have a capped limit. I don't think this site is really going to work, but it's helped to illustrate a point.