On dancing pigs and ACLs
Earlier today, I saw this tweet go by, and it resonated loudly:
I replied with the following:
Throughout the day, it has gnawed at me a little, as I pondered whether there is a law that would encompass this. Everything from Fitts’s Law to Hick’s Law came to mind, and then my thoughts wandered to Felten and Schneier’s quotes about the dancing pigs.
I circled back to my earlier tweet, where I noted that this phenomenon perfectly reflects a desire path, applied to computer security.
Over the years, I’ve had this conversation with countless people, about countless scenarios, all circling around this same topic:
- I have a task I need to complete, using a piece of software
- The software I need to complete the task is not functioning correctly, due to permissions
- I do not have the time, patience, or skill to solve this in the ideal manner
- A blunt hammer is applied to the problem, until the software will let me complete the task
- I never go back to undo the “damage” my blunt hammer did, because the task is complete and the software is functioning.
This is, in essence, a desire path. It would be better if the user followed the walkway that has been built for them. But since they usually have a time-bound problem, they cannot deploy the correct fix, and instead must deploy the fastest one, the one with the least friction. Every system has this same story. SQL Server and “SA”, “SA”, Unix and chmod 777, local admin on Windows or domain admin in Active Directory… it goes on and on.
In short, “A user will always apply the fastest approach to solve a security problem, and never repair the damage caused by doing so.”
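The “never repair the damage” half of that law is the part a defender can actually do something about. As an added example (not from the post), here is a small audit that finds the world-writable residue a `chmod -R 777` leaves behind and tightens it back; the directory layout it builds is constructed for the demo, and a sticky world-writable directory (the `/tmp` pattern) is deliberately left alone as the one legitimate case.

```python
import os
import stat
import tempfile

def proposed_mode(mode, is_dir):
    """Strip the 'other' write bit; a sticky world-writable dir (the /tmp pattern) is kept."""
    if is_dir and mode & stat.S_ISVTX:
        return mode
    return mode & ~stat.S_IWOTH

def audit_world_writable(root):
    """Return every file/dir under root whose mode still grants write to 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a link's own mode is meaningless; its target is audited if inside root
            is_dir = os.path.isdir(path)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            fixed = proposed_mode(mode, is_dir)
            if fixed != mode:
                findings.append({"rel": os.path.relpath(path, root), "path": path,
                                 "mode": mode, "proposed": fixed})
    return sorted(findings, key=lambda f: f["rel"])

def repair(findings, apply=False):
    """Undo the hammer: report (and, if apply=True, set) the tightened mode for each finding."""
    for f in findings:
        print(f"{f['rel']}: {f['mode']:04o} -> {f['proposed']:04o}")
        if apply:
            os.chmod(f["path"], f["proposed"])
    return [f["rel"] for f in findings]

def build_demo_tree():
    """Constructed sample tree standing in for an app directory after a 'chmod -R 777'."""
    root = tempfile.mkdtemp(prefix="acl-demo-")
    dirs = {"app": 0o777, "app/upload": 0o777, "app/scratch": 0o1777}
    files = {"app/data.db": 0o666, "app/config.ini": 0o644}
    for rel, mode in dirs.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)  # chmod after mkdir: mkdir honours umask
    for rel, mode in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    repair(audit_world_writable(demo), apply=False)  # dry run: just list what the hammer left
```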