Ask Tog has an amusing anecdotal letter on bad security practices and preaches the same thing about security is a process and must be all encompassing and not just focus on one small part.
But it is an interesting read just to review why you need to not think of just encryption or only part of the equation but the whole enchilda when trying to design a secure system. Here’s an excerpt:
They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!
So works the mind of a D’ohLTish security engineer, working feverishly away in his cubicle in the basement next to the steam plant.
But this is not just endemic to security. This is endemic to introducing a new system or tool. If you make the tool extremely difficult to use you’re guaranteed it will fail unless you try to cater to a small and specific audience that has enough background to take advantage of whatever features you throw on top of it. I’m always amazed at how people just don’t think about this aspect at all. If you want to make something widespread it has to be easily adopted by people the UI must be very simple to understand. Compare the earliest sets of VCRs or telephones to today’s button laden monsters. If the VCR folk decided to add all the features that you find standard on a $50 dollar one I’m pretty definite that adoption would have happened really slowly to non-existent. However, they made the right decision by making it very simple so people could pick up the technology and work with it for many years before adding more features than most people know what to do with.
Kudos to the Cincom SmallTalk Blog for this story
