Mythic Monday – Cupid, Psyche and Detection
So I was relaxing last night reading a bit of Lucius Apuleius, and got to the story of Cupid and Psyche. Like many myths that have grown over the ages, this one is terribly long and complex, but I think we only have to look at the first part to learn the important lesson.
Leaving out all the important mythological bits about Venus being jealous and controlling love and Cupid’s arrows having a similar, but subtly different power, let’s get right to the point where Cupid and Psyche are living together. Cupid and Psyche love one another (mostly due to certain arrow errors early in their acquaintance), but Cupid doesn’t want Psyche to know who he is, or it’ll upset his mom (Venus). Therefore, the rule is “Cupid gets to sleep with Psyche every night, but she’s not allowed to know who he is”. The second rule is “Cupid gets to abandon Psyche during daytime.” Though I may not personally agree with the rule, the point is that a security rule was in place.
Of course, this being a mythological tale, I’m sure that it shall surprise no one to learn that Psyche decides to spy on Cupid as he sleeps. She wants to know that he isn’t a snake (hey, who wouldn’t?), and lights a lamp (or candle, variations differ). Then, as would be expected, a drop of oil (or wax) falls on Cupid, who wakes up and flies off, leaving her bereft. The reason being that “love cannot exist with suspicion”.
So, what we have here is a story where a rule was in place, the rule was violated and consequences occurred. By now, we as an industry are pretty good at making security rules. We harden systems, put up firewalls and write policy. We have all sorts of rules. Examples:
- No personal email at work
- Only administrators may access production systems
- No wireless connections allowed, this includes 802.11*, cellular devices and FM radio
- All passwords must be 48 characters long, contain a mix of upper case and lower case characters, numbers, punctuation and ǝpoɔıun
But, how good are we at checking that the rules are being followed? How often do you check firewall logs? Do you regularly review which users have which permissions? Do you scan for rogue wireless access points? Do you run regular password audits?
However stupid we may think Cupid’s rule was, he had a detection system in place, and was alerted to the spying. Thus, he was able to take action. Though I personally would have used a light-triggered system instead of waiting for my flesh to be burned, his system worked for him and he was able to enforce policy.