2009-08-18

Woobius Turns Security on its Head, and Makes it Right

Woobius is an innovative company that produces communication software for architects and engineers.

I think a lot about their approach to security, which could be called real-world security:
The reality is that if you have a file, either one that you’ve produced or one that someone has sent to you, you can do whatever you want with that file.

If the system doesn’t allow you to do that, you will simply circumvent the system and get the file across.
This is exactly the opposite of every security system I know.

Ordinary security software builds its own network of trust, separate from the real network of trust among the participants. It then creates a false sense of security by acting as if there were no out-of-band channels between participants (e.g. taking a photo of a laptop screen).

We have to accept that people will forward information in their network of trust, whether our software believes that's OK or not. Woobius shows that embracing the real network of trust leads to an intuitive and useful security system.

Instead of playing silly games with ACLs, where we try to restrict the circle of participants that can view, edit or otherwise act on an item, we need to give participants the tools to expand that circle to include their own network of trust, transitively.
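A minimal model of that idea, as an added example and not Woobius' own code: the circle of people who can view an item is whoever is reachable from the owner through "shared with" edges, anyone already in the circle may widen it, and every grant is recorded so the chain of vouching ("how did this person get access?") is always answerable. The item name and participant names are constructed for the example.

```python
"""Transitive sharing model (added example; assumed design, not Woobius code).

Access is not a list of names the owner must maintain. It is reachability
from the owner through share edges: a recipient can pass the item on, and
the system records who vouched for whom instead of pretending it can stop it.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SharedItem:
    name: str
    owner: str
    # grants[sharer] = set of people sharer has passed the item to
    grants: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

    def circle(self) -> Set[str]:
        """Everyone reachable from the owner through share edges."""
        seen = {self.owner}
        queue = deque([self.owner])
        while queue:
            user = queue.popleft()
            for recipient in self.grants[user]:
                if recipient not in seen:
                    seen.add(recipient)
                    queue.append(recipient)
        return seen

    def can_view(self, user: str) -> bool:
        return user in self.circle()

    def share(self, sharer: str, recipient: str) -> None:
        """Widen the circle. The only check is that the sharer is already in it;
        the ACL question 'is recipient on the list?' becomes
        'did someone who can view this vouch for recipient?'."""
        if not self.can_view(sharer):
            raise PermissionError(f"{sharer} cannot view {self.name}, so cannot share it")
        self.grants[sharer].add(recipient)

    def revoke(self, sharer: str, recipient: str) -> None:
        """Remove one vouching edge. Anyone who only reached the item through
        that edge drops out of the circle on the next reachability check."""
        self.grants[sharer].discard(recipient)

    def chain(self, user: str) -> Optional[List[str]]:
        """Shortest vouching chain owner -> ... -> user, or None if not in the circle."""
        parent: Dict[str, Optional[str]] = {self.owner: None}
        queue = deque([self.owner])
        while queue:
            current = queue.popleft()
            if current == user:
                break
            for recipient in self.grants[current]:
                if recipient not in parent:
                    parent[recipient] = current
                    queue.append(recipient)
        if user not in parent:
            return None
        path: List[str] = []
        node: Optional[str] = user
        while node is not None:
            path.append(node)
            node = parent[node]
        return path[::-1]


def demo() -> SharedItem:
    # Constructed scenario: alice owns a drawing, passes it to bob,
    # bob passes it to carol; dave, who never received it, tries to share it.
    plan = SharedItem("floor-plan-v3.dwg", owner="alice")
    plan.share("alice", "bob")
    plan.share("bob", "carol")
    try:
        plan.share("dave", "erin")
    except PermissionError:
        pass  # dave is outside the circle; nothing is recorded for erin
    return plan


if __name__ == "__main__":
    plan = demo()
    for person in ("alice", "bob", "carol", "erin"):
        print(person, plan.can_view(person), plan.chain(person))
    plan.revoke("alice", "bob")
    print("after revoking alice->bob, carol can view:", plan.can_view("carol"))
```

The point of `chain` is that forwarding is visible rather than forbidden: the audit question shifts from "who bypassed the ACL?" to "who vouched for this person?", and `revoke` cuts a whole branch of the trust graph rather than one name on a list.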
