Some people look down on libraries. They think they’re obsolete institutions from a previous age – from that inconceivably ancient age before there were computers. But the fact is, libraries do a far better job of protecting their assets – books – than the vast majority of computer systems do protecting their assets – their data and files. Perhaps the oh-so-mighty gods in charge of their Olympian computer systems could pay a visit to the land of mortals, where people use libraries, and learn a thing or two about keeping your assets secure. Given the abysmal track record large corporations and governments have protecting these assets, with no end in sight, it may be worth a brief visit to the primitive places that out-perform them by miles in terms of security.
Computer Security Problems
Does anyone doubt that computer security problems are widespread, deep and continuing? Does anyone (except the management in charge, of course) have any reason to believe that the problems are recognized and fixed?
Libraries
Libraries are great places. I’ve spent many happy hours in them. But they’re annoying. They won’t let you pick out the books you want and walk out with them!! They insist, absolutely insist, that you check them out. Not just in general, either – they want you to check out each and every doggone book! First, you need to surrender your personal, private information and get a library card. You have to turn the card over to the librarian with your books. Then, submit to the indignity of having the card scanned and each book scanned. Finally, with all your private information recorded, they physically stamp each book with the date it must be returned by, insultingly making the assumption that you may not return it without such a reminder. Then, and only then, can you leave with your books.
Have you ever tried walking out of a library with a stack of books, without first having checked them out? If you’ve never tried it, you may still harbor the illusion that librarians are mostly quiet, pleasant, mild-mannered people, mostly ladies, who need to be protected from the tough things in life. Anyone who’s tried to STEAL BOOKS from a library harbors no such illusion. The swift, fierce movements, commanding voice and iron resolve of the person who magically appears in front of you, blocking your way, demanding to know exactly what you think you’re doing, will quickly cure you.
Let's hope you've never had overdue books. The librarians know what books you have, when you left with them, when you should have returned them, and exactly how much you owe.
By contrast, the computer "librarian" has no idea what files you've even looked at, which ones you left with, and has no sense of returning or overdue. I guess we care more about those obsolete paper books than we do about files that contain confidential customer information.
Century-old Book Seller security methods
Librarians and booksellers have been concerned about security for a long time. Here's a publication that appeared for many years, this particular issue in 1905:
The Publishers' Circular and Booksellers' Record of British and ..., Volume 82
There is lots of wonderful content in this issue, but here's an article that raises the pressing issue of book theft:
Stealing books is serious business. The thieves go to jail, as well they should! Here is a method that booksellers use to protect their goods:
No one "takes" a file from a computer without help. You ask a program to do it for you. File systems have been part of computers for decades; a file system is the software that keeps track of what file is where, and handles the actual reading and writing of the file (like a book). Moreover, "logging" file systems have been around for a long time -- a logging file system is one that records each and every access to a file -- every read, every write, every update.
It's not hard to imagine turning a file system into an automated version of the librarian's "spy hole" described more than 100 years ago. A security program reads each request for file access and compares each request against a log of who's done how much of what, and when. If someone whose work normally involves reading a customer record every few minutes suddenly requests dozens of files at a time, this is suspicious! Doesn't it make sense to immediately block their actions until someone makes sure nothing bad is going on? After all, it would be the equivalent of someone trying to walk out a library door with a wheelbarrow piled high with books that had not been checked out -- and if you tried to check them out, you can imagine the grilling you'd get from the librarian before you would be allowed to walk out the door.
Believe it or not, systems like this have been implemented. They're not hard to build. No new programming magic is required. In fact, all that's required is a sincere desire to solve the problem! A desire which appears to be lacking. Sad.
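The check described above, written out as an added example (it is not code from the original post or from any product the post alludes to). The `AccessGate` class, the five-minute window, the burst factor, the per-user baseline and the sample log are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumed look-back window
DEFAULT_LIMIT = 5      # assumed baseline for users with no history

class AccessGate:
    """Allows or blocks each file request based on the user's recent access log."""
    def __init__(self, baselines, burst_factor=3):
        self.baselines = baselines        # user -> normal distinct files per window
        self.burst_factor = burst_factor  # how far above normal is tolerated
        self.recent = defaultdict(deque)  # user -> (timestamp, path) inside the window
        self.held = set()                 # users blocked until a person reviews them

    def request(self, user, path, ts):
        if user in self.held:
            return "block"
        log = self.recent[user]
        while log and ts - log[0][0] >= WINDOW_SECONDS:
            log.popleft()                 # forget accesses older than the window
        log.append((ts, path))
        distinct = len({p for _, p in log})
        limit = self.baselines.get(user, DEFAULT_LIMIT) * self.burst_factor
        if distinct > limit:
            self.held.add(user)           # the "wheelbarrow of books" case
            return "block"
        return "allow"

    def release(self, user):
        """Called by a reviewer once the activity is confirmed legitimate."""
        self.held.discard(user)
        self.recent[user].clear()

def replay(events, gate):
    """Feed (timestamp, user, path) records through the gate in order."""
    return [(user, path, gate.request(user, path, ts)) for ts, user, path in events]

# Constructed sample log: one record every 3 minutes, then 12 files in 12 seconds.
SAMPLE_EVENTS = (
    [(t * 180, "clerk", f"/customers/{t}.rec") for t in range(4)]
    + [(720 + i, "clerk", f"/customers/bulk{i}.rec") for i in range(12)]
)

def demo():
    gate = AccessGate(baselines={"clerk": 2})
    return replay(SAMPLE_EVENTS, gate)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Once a user is held, every further request is refused until `release` is called, which mirrors the "block until someone makes sure nothing bad is going on" step.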
Conclusion
Think of the image of the librarian (old, dowdy, obsolete) and the computer expert (young, cool, with-it). It turns out that the contrasting images are exactly backwards when it comes to security. In spite of all the acronyms and nerdy stuff, computer security experts are simply incapable of protecting their "stuff," while librarians are way ahead of the game -- more than a hundred years ahead, for what it's worth!