Check out a free preview of the full The Good Parts of JavaScript and the Web course

The "The History of Security" Lesson is part of the full, The Good Parts of JavaScript and the Web course featured in this preview video. Here's what you'd learn in this lesson:

Doug’s first principle of JavaScript security is that deterrence is not effective. You are not able to punish an invisible attacker. Doug illustrates this with a brief story and some historical language context.


Transcript from the "The History of Security" Lesson

>> [MUSIC]

>> Douglas Crockford: So those last two exercises are the introduction to the subject of security. And security is a really, really important topic, and unfortunately it's not well understood at any level in our industry. So, some people think of security as a war between people in invisible colored hats. They're the white hat guys and the black hat guys, and the white hat guys are probably good guys and black hat guys are probably bad guys, except there are famous white hats that used to be black hats, and black hats who used to be white hats and grey hats who seem to be playing both sides.

And it turns out you cannot easily identify somebody by their invisible hat. That this is a model of security that just doesn't work. Security is not about hats. The thing that's even worse about that model is that it says that security belongs to the specialists, and that model doesn't work.

So in the specialist model it means you've got security experts who are responsible for all the security and nobody else is responsible for security. And in fact everybody else is working against the guys who are helping to deal with security and that model is not effective at all.

One consequence of, or one source of insecurity is that things change. It might be that within a limited scope or a limited context you could do things and there's no security vulnerability in doing that. But then, things change, the scope increases, or whatever. And now suddenly that turns into a big security problem.

It is not unusual for the purpose or use or scope of software to change over its life. Rarely are the security properties of software systems reexamined in the context of new or evolving missions. This leads to insecure systems. You know who wrote this? I did, I wrote that, that's me.

>> Douglas Crockford: So I'm going to be giving you a set of principles. And most of them are pretty simple and pretty obvious and once you've got it, you're able to reason about security on your own. The world of security is incredibly complicated, and is always changing, and it's impossible for any human to keep on top of it, particularly a human who has a day job, there's just no way.

But the set of principles is actually very small and if you can understand the principles, you can work out most of the rest of it on your own. Security is not obtained by tricks or hacks, if you ever encounter someone who says, we can secure our system by doing this trick, that person is either misinformed or lying.

Because it turns out tricks don't work, it's only adherence to principles that works.
>> Douglas Crockford: So one of the first principles for online security of computer systems is that deterrence is not effective, and that's because you can't punish an invisible attacker. Now in the real world, deterrence is very effective.

That's why we have not blown ourselves up yet. But online an attacker doesn't need to be awake while he's attacking you so there's no threat you can make to someone you can't see or touch to prevent them from doing things. So the only thing that works is prevention, prevention is the only effective mechanism.

So I'm gonna stop here and tell you a story about Johann Martin Schleyer. Schleyer was a priest living in Bavaria and one night God came to him in a dream and told him to do something. Now in order to understand that story I need to tell you an earlier story.

Long, long ago on the plain of Shinar, the world's best architects, builders, engineers, material specialists, and workers got together to build a tower that would reach to heaven. It was the biggest construction project in the history of the world at that point. It was amazing project and God was not happy about it.

We don't know what his complaint about the project was but he did not want it succeeding, so he decided to cause the project to fail. And he had a lot of options available as to how he was going to fail the project. He could have caused earthquakes, he could have flooded the plane, he could have thrown thunderbolts down on them.

Instead he decided to go down and confuse their speech. And after he did that they could no longer understand each other when they spoke, and being unable to communicate the project collapsed, and they all wandered off and started their own countries. Basically he created the i18n problem.
>> Douglas Crockford: So thousands of years later he comes to Schleyer while he's sleeping and says, I've changed my mind about that, and what I want you to do now is to create a language that everybody in the world can understand.

So Schleyer wakes up and he begins working on his language, which he calls Volapuk. Volapuk being the word in Volapuk, meaning world speak. He based his vocabulary on English, but he transformed it so much that it is no help to English speakers at all. It's hard to see the words world and speech in there, but that's where the roots came from.

And he was told that English speakers did not have a problem with umlauts. But I can tell you this English speaker has a lot of trouble with umlauts. But he published his language anyway. He worked for about a year and then and published a book in German about Volapuk in 1880.

Now people had been designing artificial languages for many years before Schleyer. There was John Wilkins and Paul Garneau in England were doing similar sorts of things, and there been lots of artificial languages after but Schleyer was doing this at just the right time. Europe had been in a fairly constant state of war for centuries and people were getting really tired of it.

And they observed what had just happened in the U.S with their civil war, where new technologies were coming onto the battlefield for the first time and the terrible devastation that happened there. And they were very concerned that this was going to get really, really bad and there was a lot of interest in trying to solve the world peace problem.

And a lot of them saw Volapuk as a method for doing that. That Volapuk would allow us to experience de-babelization, where we would break down the language barriers between countries and maybe if we can communicate more effectively, maybe the coming war could be avoided. And so the Volapuk movement took off all over the world, not just Europe but everywhere.

In cities all over the world Volapuk societies were being created. Books were being published about and in Volapuk. New journals were being written in Volapuk, coming online every month, and it was reaching all classes of society. It wasn't just the intellectual elites learning this stuff. Everybody was interested in Volapuk and it was really taking off.

And a lot of the success of the language was due to this guy. This is Auguste Kerckhoffs. He was a Dutch linguist, and he wrote extensively about Volapuk and traveled all over the world teaching the language. And he was so successful at doing that but at the Second Volapuk Conference, he was elected to be director of the Volapuk Institute, and given the job of popularizing Volapuk throughout the world.

The next year at the Third Congress, at that Congress they did all of the business in the Congress in Volapuk, even the waiters serving the meals were speaking Volapuk, and Kerckhoffs at that meeting proposed a change to the language. There were some moods in the language which were rarely used, that were very complicated and difficult to teach and learn and Kerckhoffs was proposing that they be removed from the language in order to make it more accessible to everybody.

Basically Volapuk, the good parts. I love this guy. He was great. Schleyer was extremely upset about this. Schleyer insisted that the language belonged to him and he demanded a veto over anything that the Congress might propose. At that point the movement forked. About half of the attendees were in the German delegation and they went with Schleyer, everybody else went with Kerckhoffs, and then suddenly chaos.

They're all these cunning linguists who said well as long as we're proposing changes I got some ideas, and they started throwing new features out for what could go into Volapuk. And other people saying well, Esperanto's a better language, we should go with that one. And the thing collapsed.

Almost overnight Volapuk was dead. So we don't know what would have happened had Volapuk succeeded, but we do know what happened after Volapuk failed, that the world had its bloodiest century in history. So they ended up with re-babelization. After it collapsed they had more languages than when they started.

And people continue to design languages, it's similar to the compulsion that causes some people to design programming languages. The guy who designed the Saint, you remember that TV show and the movie? He designed a language called Paleo Neo. The guy who designed the board game, Careers, designed a language called Interlingua.

Maybe the most famous of all language designers was JRR Tolkien, who designed languages for epic races like elves and dwarves, and wrote epic poetry in those languages and then wrote histories to explain the context of those epics. And then used all of that as the back story to the Lord Of The Rings.

He once gave a talk about his compulsion. He called it a secret vice. Anybody happen to know what the most popular invented language in the world is today?
>> Speaker 2: Klingon.
>> Douglas Crockford: Very good, it is Klingon.

Learn Straight from the Experts Who Shape the Modern Web

  • In-depth Courses
  • Industry Leading Experts
  • Learning Paths
  • Live Interactive Workshops
Get Unlimited Access Now