
Security and the Myth of the Superuser Mon 28 Jan 08

Bruce Schneier runs a great blog, Schneier on Security, and I stumbled across a post of his from last May entitled The Myth of the Superuser.  In a very understated way Schneier refers to what he describes as a "very interesting law journal paper".  It certainly is.  The paper in question is The Myth of the Superuser: Fear, Risk, and Harm Online by Paul Ohm, Associate Professor of Law and Telecommunications at the University of Colorado Law School.

The abstract states:

"Fear of the powerful computer user, "the Superuser," dominates debates about online conflict. This mythic figure is difficult to find, immune to technological constraints, and aware of legal loopholes. Policymakers, fearful of his power, too often overreact, passing overbroad, ambiguous laws intended to ensnare the Superuser, but which are used instead against inculpable, ordinary users. This response is unwarranted because the Superuser is often a marginal figure whose power has been greatly exaggerated.

The exaggerated attention to the Superuser reveals a pathological characteristic of the study of power, crime, and security online, which springs from a widely-held fear of the Internet. Building on the social science fear literature, this Article challenges the conventional wisdom and standard assumptions about the role of experts. Unlike dispassionate experts in other fields, computer experts are as susceptible as lay-people to exaggerate the power of the Superuser, in part because they have misapplied Larry Lessig's ideas about code.

The experts in computer security and Internet law have failed to deliver us from fear, resulting in overbroad prohibitions, harms to civil liberties, wasted law enforcement resources, and misallocated economic investment. This Article urges policymakers and partisans to stop using tropes of fear; calls for better empirical work on the probability of online harm; and proposes an anti-Precautionary Principle, a presumption against new laws designed to stop the Superuser."

Don't let the "law journal" label scare you away.  This really is a very interesting and thought-provoking read.  Although phrases like "exaggerated attention to the Superuser" and "overbroad prohibitions" might lead you to think that Ohm is downplaying the risk of lax computer security, upon careful reading I don't think he is.  Rather, what he is suggesting is a more balanced and reasoned approach to security.

Specifically Ohm states:

"The answer lies somewhere in between. Assessing an online risk requires computer science, psychology and sociology; short-sighted analyses that focus only on some of these disciplines often result in misanalysis."

As Ohm states, computer security is suffering from fear and hyperbole.  To illustrate: "For example, Richard Clarke, former Cybersecurity Czar under the Clinton and second Bush administrations, was fond of saying that “digital Pearl Harbors are happening every day.”"  While there are certainly security issues, this is clearly overstating the situation.  As most of us have actually seen in our own corporate environments, most (but admittedly not all) security breaches result more from the 'social engineering' aspects, such as people unwittingly giving out their passwords or improperly disposing of confidential or sensitive documents.  As I stated in my January 2007 post "People and IT Security", I believe employee awareness is the number one factor in good security.  As John Colley states in The information security professional is more than 'a necessary evil':

"We need to remind ourselves again and again that information security is not a technology issue – it’s a people issue. We are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of business. This includes the employees that deliver our services and the customers that take advantage of them, as well as the senior executives and board room directors that grant us our budgets."

So although Ohm's article is directed more at the formulation of law and public policy, it can serve as a wake-up call to each of us in the corporate IT world to take a more balanced approach to security and to focus on all the aspects of security, not just the technological ones.

What do you think?

"Lock" photo by AMagill

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.


This is the personal blog of Michael W. Schaffner. The opinions expressed in this blog are solely mine and those of commenters. You should not infer that these opinions are the opinion of or have been endorsed by any current or former employer.


Copyright © 2006, 2007, 2008, 2009 Michael W. Schaffner.  You may copy or quote sections of this blog if you provide an attribution consisting of a reference to Michael Schaffner and "Beyond Blinking Lights and Acronyms" along with a hyperlink (if a web reference) to the blog posting.
