Trapplication Lifecycle

May 04 2007

The way I see it, the family of root causes underlying most security problems is pretty darn small. One of its most evil members is Unanticipated Use Cases. If you’re not sure what that means, just picture someone using this gadget…

[image: heatgun.jpg]

…to blow dry their hair. Oops.

Not far behind on the Darwin Awards list are the unimaginative ways we use technologies for things they were never intended for. (Some would argue that it takes imagination to do this, but I would counter-argue that it takes more imagination to come up with good ideas than it does to come up with ideas at all. For example, I would not call the new Bookendz Macbook docking station I just bought, which sports the unadvertised requirement to power down my Macbook each time I dock or undock, imaginative.)

But my absolute favorite example is email. Near as I can tell, the first email message was transmitted from one computer to another around 1974. Bit-wise, little has changed since then beyond message formats, encodings and protocols. Use-wise, however, it has long since gone off the deep end. I’ve seen mission-critical distributed applications that use email as store-and-forward messaging subsystems. (Truthfully - I myself built one back when “Internet” and “security” were almost never mentioned in the same sentence.)

Somewhere around 1993, the Internet contracted the gastrointestinal bacteria which precursed (pun intended) spam and phishing. They’re both the product of a multi-generation compounding of unanticipated use cases. That precise lineage is left as an exercise for the reader. Here’s the general case I’ve identified:

[diagram: Trapplication Lifecycle]

I’ll cover more details another time. The salient point for now is that around 1993, somebody enhanced their email client — indisputably infrastructure — to render HTML, anchors and all. An anchor’s visible text and its href target are independent, so a message can display one address while linking to another; that is precisely the lever phishing pulls. This unanticipated use case has evolved into arguably the costliest security blunder to date.

One small HREF for fun; one identity theft crisis for humankind. Oops.
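To make the anchor problem concrete, here is an added example (my code, not part of the original post) that does the check a mail filter would do on a rendered-HTML message: parse the body with the standard-library HTMLParser, and report every anchor whose visible text names a host that is not the host the href actually resolves to. It also handles the userinfo trick, where an href such as http://bank.example@203.0.113.7/ shows a familiar name but connects to the address after the @. The sample message body and all domain names in it are constructed placeholders for illustration.

```python
"""Flag deceptive anchors in an HTML e-mail body (added example, not the post's code)."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# A hostname-like token in visible link text, e.g. "www.bank.example"
# or "https://bank.example/login". Plain words like "Click here" do not match.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def href_host(href: str) -> str:
    """Return the host a browser would connect to for this href, lowercased.

    urlsplit().hostname drops any user:pass@ prefix, so the classic
    'http://bank.example@203.0.113.7/' trick resolves to 203.0.113.7.
    """
    parts = urlsplit(href.strip())
    if not parts.scheme:                      # scheme-less href: treat as http
        parts = urlsplit("http://" + href.strip())
    return (parts.hostname or "").lower()


def text_host(text: str) -> Optional[str]:
    """Return the host named in visible anchor text, or None if it names none."""
    m = HOST_RE.search(text.strip())
    return m.group(1).lower() if m else None


def same_site(shown: str, actual: str) -> bool:
    """True when the shown host equals the actual host or is its parent/child domain."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


class AnchorCollector(HTMLParser):
    """Collect (href, visible_text) for every <a> element in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._buf = []

    def handle_data(self, data):
        if self._href is not None:            # only text inside an open <a>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._buf)))
            self._href = None


def find_deceptive_links(html_body: str) -> List[Tuple[str, str, str]]:
    """Return (shown_host, actual_host, href) for each anchor whose visible text
    names a host that differs from the host the href resolves to."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        shown = text_host(text)
        if shown is None:
            continue                          # "Secure login" makes no host claim
        actual = href_host(href)
        if not same_site(shown, actual):
            findings.append((shown, actual, href))
    return findings


# Constructed sample message; every domain here is a placeholder.
SAMPLE_BODY = """
<html><body>
<p>Dear customer, please verify your account:</p>
<a href="http://login.bank.example/verify">Secure login</a><br>
<a href="http://bank.example.evil.example/x">https://www.bank.example/login</a><br>
<a href="http://bank.example@203.0.113.7/">bank.example</a><br>
<a href="https://bank.example/help">https://bank.example/help</a>
</body></html>
"""

if __name__ == "__main__":
    for shown, actual, href in find_deceptive_links(SAMPLE_BODY):
        print(f"shows {shown!r} but goes to {actual!r}: {href}")
```

Run against the sample, the first and last anchors pass (one carries no host claim, one matches its href) and the two in the middle are reported. The parent/child allowance in same_site is deliberate: a link that shows bank.example and goes to login.bank.example is ordinary, while one that shows www.bank.example and goes to bank.example.evil.example is not, because the suffix check runs on whole labels.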



Posted by Larry J. Hughes, Jr. on Friday, May 4th, 2007, at 7:53 pm, and filed under Articles.
