POPSEC: Security Lessons Learned from Harry Potter

Please consider supporting my writing on Patreon.

There are a lot of security lessons we can learn by examining popular media, analyzing mistakes which are made, and striving not to repeat them. The Harry Potter series is rich with such lessons, and while the following contains all kinds of spoilers (for every one of the books/movies), it’s also full of important life lessons we can take away by scrutinizing the mishaps which take place in the Wizarding World.

Lesson 1: Don’t be Hagrid.

Hagrid is a lovable, gentle soul. This is all well and good, but if we’ve learned anything from the Harry Potter series, be it the books or the movies, it’s that Hagrid is a drunk, a braggart, and overly trusting. Each and every one of these traits leads to Hagrid divulging information that should really be kept private. Over and over again Hagrid slips up, from spilling secrets to hooded strangers in pubs who are actually the most evil wizard ever to live, to showing Madame Maxine his dragons. If loose lips sink ships, Hagrid is probably responsible for capsizing an entire fleet. Furthermore, as Jim MacLeod (@shewfig) points out, Hagrid also has a bad habit of sharing PARTIAL information, which has the result of endangering people who listen, as demonstrated when he tells Harry to “follow the spiders,” and almost gets Harry and Ron eaten by Aragog’s offspring when they take Hagrid’s advice.

Lesson 1A: Don’t tell Hagrid your secrets.

We all have a friend like Hagrid. We all love that friend. That friend is fiercely loyal, loving, and always knows how to lift our spirits when we’re down. We all NEED friends like Hagrid. But we also all know that our friend/Hagrid is terrible at keeping secrets, and so we should maybe protect ourselves (and keep our friend from being put in a position to unwittingly betray us) by finding other ways to demonstrate our trust in our friend. Because Hagrid is a ride-or-die kind of friend, and accidentally spilling the beans hurts him almost as much as it hurts us. Cheer up, Hagrid: you’re still great!

Lesson 2: Security through Obscurity doesn’t work as a standalone measure.

It’s tempting to think that keeping vulnerabilities secret is a fail-proof way to ensure that they’re never exploited. Unfortunately, Security through Obscurity is great as an aspect of Defense in Depth, as a standalone measure it leaves one vulnerable to social engineering attacks, as in the case of Fluffy. Who could possibly know that a vicious three-headed dog is a sucker for harp music? Well, literally anyone who had ever come into contact with Hagrid. It is true, too, that given sufficient time and determination, someone could have figured out Fluffy’s weakness all on their own — and that keeping such things secret does make them harder to circumvent — but a combination of unpatched vulnerabilities and Hagrid’s inability to keep his mouth shut in the pub very nearly led to Lord Voldemort seizing the means to immortality.

Lesson 3: If you don’t know how it works, don’t trust it.

Remember that diary Ginny Weasley found that spoke to her? Remember how she confided her deepest, darkest secrets to it? REMEMBER HOW IT TURNED OUT TO BE AN ACTUAL MANIFESTATION OF HE WHO SHALL NOT BE NAMED? Arthur Weasley advised, “Never trust anything that can think for itself if you can’t see where it keeps its brain.” When talking about magic, this is perfectly sound advice. When talking about security in the real world, it’s probably wise to say you should never trust anything with your data if you don’t know how it intends to use it, and how it will store it. This also means you probably shouldn’t rely on tools if you don’t have at least a working understanding of how they function: you don’t need to know the particulars of how something is encrypted, but you should have a good idea of what a tool does and doesn’t do (and protect) before relying on it.

Lesson 4: Know your threats.

In order to protect yourself, you need to first correctly identify your threats. False negatives can leave you open to attack, while false positives can cause you to implement the wrong defenses, as well as cost you valuable resources and potential allies. Harry, Ron, and Hermione (and everyone else) spent an unreasonable amount of time trying to defend against Sirius Black, when it turned out that the man responsible for the deaths of Harry’s parents had been sleeping in Harry’s dorm room for years. The takeaway here is that fixating on a single threat can (and often will) distract you from where the real danger lies.

Lesson 5: Whitelisting > Blacklisting

Remember how the Goblet of Fire was bewitched to reject all entries not submitted by someone over a certain age? Remember how that didn’t matter, because an adult submitted Harry Potter’s name to the Goblet? Remember how that adult used a fake school that doesn’t even exist to ensure that Harry Potter’s name was chosen? Had the Goblet of Fire been enchanted to instead ONLY accept the names of actually eligible students, Cedric Diggory would probably still be alive today.

Lesson 6: Getting owned once doesn’t have to be the end of the line.

Things look pretty bad for Harry when Voldemort transports him to a graveyard, has him surrounded by Death Eaters, and strips away Harry’s most powerful protection against his adversary… but it’s not the end of the line for Harry, and getting bested once by your adversary doesn’t need to be the end for you, either. If your security is, in fact, compromised, take a deep breath, and start doing damage control. In most cases, getting beaten isn’t a sign you’ve failed, so much as an indication that you need to try something different. Get creative, and keep plugging away.

Lesson 7: Your security doesn’t need to be perfect, it needs to be good enough.

When Harry and his friends are attacked by Death Eaters in the Department of Mysteries, it looks like it’s lights out for the temerarious teens. They’re outnumbered and clearly outclassed by their adult adversaries, and the only tools at their disposal are perfectly puerile compared to the malicious magical mastery of the Death Eaters. Yet, against all odds, Harry and his cohorts are able to fend off their fearsome foes and stay alive long enough for reinforcements to arrive. Expelliarmus and Reducto may not seem like much, but they’re sufficient to keep Harry and his friends in the game. It’s easy to fall into the habit of thinking that if your security isn’t perfect, it’s useless, but the fact is that your security only needs to be good enough to narrowly beat your adversaries… and in some cases, only for a little while. Worrying that your security isn’t perfect can cause you to fall prey to security nihilism… and falling prey to security nihilism can make it hard to recognize that some (if not all) of your practices are sufficient at least in the interim, and can also make it hard to identify what can reasonably be improved upon to harden your security a bit more.

Lesson 8: Know your sources.

Even though Harry should have learned his lesson about putting trust in the contents of sketchy books after the incident with Tom Riddle’s Diary, he makes a similar mistake in putting his trust in the notes left in the margins of his borrowed textbook by a person known only as the “Half Blood Prince.” This leads to a newfound success at potions making, but also leads Harry to try a rather heinous (if not altogether Unforgivable) curse on Draco Malfoy. Harry’s faith in this unverified source essentially results in a lot of bloodshed… and that’s an important lesson for us to learn. If we don’t know where our information is coming from, we can’t verify it… and if we trust in unverified information, the results may be dire. Whether uncritically reading state-sponsored propaganda (I’m looking at you, everyone who shares links to RT content), or trusting un-vetted privacy resources (remember Firechat? How about Telegram?) can leave people dangerously misinformed, and devastatingly vulnerable. To keep from falling prey to this classic blunder, make sure you know where your information (and your tools) are coming from, and verify it before you rely on it.

Lesson 9: Don’t fall victim to tunnel vision.

Remember how Harry and Dumbledore go to retrieve a horcrux together? And remember how much energy they put into retrieving that horcrux? And remember how in order to actually get it, Dumbledore has to drink A LITERAL VAT OF POISON? And remember how it turns out it’s not even a real horcrux? This is a classic example of falling prey to tunnel vision. The duo is so focused on retrieving this objective, they don’t stop to think that maybe they should focus their energy on tracking down the OTHER horcruxes as well before taking action. Now Dumbledore’s dead, there are still six horcruxes out there, and Harry has no idea how or where to find them.

Lesson 10: Know a person’s circumstances before you trust them.

Xenofilius Lovegood is a decent person. Sure, he rats out Harry, Ron, and Hermione to the Death Eaters, but that’s because the Death Eaters have kidnapped his daughter, are holding her hostage, and have threatened to kill her. Xenofilius doesn’t do anything any reasonable person in his situation wouldn’t do, and that’s why it’s important to know our allies’ situations before we rely on them. The lesson here is never trust someone if you don’t understand what they have to lose from supporting you, and what they stand to gain by betraying you. Does this mean you should never trust anyone with anything? Of course not. It just means you should never willingly put your life (or freedom) in anyone’s hands if you aren’t certain they’ll protect it as if it were their own.

Lesson 11: Never underestimate your adversary.

Neville Longbottom is kind of a hapless foil for Harry’s cavalier, clumsy heroism. Neither is terribly graceful, but Neville is nervous where Harry is bold, and Neville is risk-averse, while Harry repeatedly throws himself into dangerous situations without a second thought. Because we spend the entire series watching Neville fail pretty miserably at most things, it’s easy to see why Voldemort and the Death Eaters may not have taken Neville seriously as a threat… RIGHT UP UNTIL NEVILLE SLICES OFF NAGINI’S HEAD. Now, of course, nobody could have seen that coming. There is no way Voldemort could have predicted that Neville-effing-Longbottom would be responsible for the loss of one of his last surviving horcruxes… but his loss is our gain, because we can take away from this that with enough determination, even the clumsiest of our adversaries can cause us to have a very, very bad day.

Lesson 12: Don’t get lax when you think you’ve neutralized a threat.

Voldemort killed Harry in the Forbidden Forest. We all saw it happen. He used Avada Kedavra, the killing curse. There was a bright flash of green light, and Harry’s lifeless body sprawled out on the detritus of the forest floor. We even see Harry speaking with the absolutely-definitely-verifiably-dead Dumbledore in a sparklingly-clean train station in the sky… so where did Voldemort go wrong? There are actually a few different mistakes he made here. The first was not verifying *HIMSELF* that the threat-known-as-Harry had been truly neutralized. Instead, Voldemort asks Narcissa Malfoy to check that Harry is dead (violating Lesson 10 in the process… see? That one is important!) Naturally, Narcissa lies, because she cares way more about her own kid than she does about some creepy old bald guy with no nose and a weird obsession with teenage boys. Voldemort also makes the mistake of violating Lesson 11. He assumes that because Harry has been taken out of the picture, everyone else will just sort of flop over and let him conduct his evil reign of terror completely unchecked. Now, had Voldemort checked to ensure that Harry was dead himself (and maybe taken the extra step of rifling through his pockets), he’d have realized that Harry was very much alive, and in possession of the Resurrection Stone, and he probably would have behaved accordingly, rather than marching on as though he were frigging invincible. So what can we take from this? A) never assume that you’ve succeeded in neutralizing a threat. If you think you’ve eliminated a threat, verify it yourself, and B) just because you’ve taken out an adversary doesn’t mean there aren’t many others out there just waiting for you to show a little weakness so they can take you out in turn.

Now, I realize that, had the characters in the Harry Potter series not made all these mistakes, the stories would have been much less interesting, and might have had an entirely different outcome… That said, we can take a lot away from fictional blunders by imaginary people, and we can (and should!) always be on the lookout for ways that the characters in our favorite books and movies could have done things differently. (And yes, there will be future installments of POPsec, so stay tuned!)

Eternal gratitude to @deviantollam for his eyes and his notes on this piece.

Everyday Activism

Please consider supporting my writing on Patreon.

Let’s say you, like so many others, care about social justice. Let’s say you want to build a better world by helping erase oppression, and facilitate resistance against the power structures which prop up the disenfranchisement of marginalized groups. Let’s say you, for literally any reason, have decided that marching in the streets and taking part in large protests just isn’t the right role for you.

It turns out, there are a wide range of options available to you to further the causes you care about, even if you are unable to participate in direct action, or other demonstrations. Not sure where to start? Here are some suggestions:

  • Find out who does legal support work in your area, and ask how you can help: between helping conduct Know Your Rights workshops, answering phones for the legal hotline, tracking down arrested people, communicating with worried family members, doing administrative work for attorneys doing pro bono defense work, and everything else that needs doing in the activist legal field, there is almost always a need for more help in this area.
  • Support people at their court dates: find out when people who have been arrested have to appear in court. Check in to see whether they’d like support, if you can. If this isn’t possible, show up, be well behaved, and make sure they know they don’t have to endure the dehumanizing process of being shuffled through the court system alone.
  • Write to prisoners: whether it’s someone whose case is ongoing, but cannot afford bail, or someone who was unable to beat their case and is now serving time, writing to incarcerated people is a wonderful way to remind them that they still matter to people, and that they are supported in their struggles. All prisoners are political prisoners, and all prisoners deserve reminders that they are cared for.
  • Support campaigns for incarcerated people: people who are imprisoned are both in dire need of income, and also largely cut off from sources of income. Fundraising for prisoners may look like raising funds for their commissary, funds to help support their children, money for their families so that they can afford the exorbitant prices for accepting phone calls from their incarcerated loved one, bail funds, and legal defense/appeal funds. Other support for prisoners may look like campaigns to send them books and/or magazine subscriptions, organizing visits from comrades, facilitating visits from family, providing childcare, and generally helping a prisoner’s family survive while their loved one is incarcerated.
  • Providing emotional and/or material support to those who DO engage in demonstrations and/or direct action: this may look like holding space for friends while they unpack trauma caused by police repression, cooking a meal, helping with some chores, being willing to talk about anything BUT what they’ve just experienced, offering to cover shifts for them at work if they are arrested (or simply too tired/traumatized to go into work), offering to feed their animals if they are incarcerated, offering to babysit while they go to a demonstration, offering rides to people who need to get out quickly, being an emergency contact for someone attending a protest, and more.
  • Doing actual educational labor around social justice issues: this means you actually check in and engage, one-on-one with people when they say something crappy, rather than standing on a soapbox and talking about how you are superior to them. This may mean recommending resources for further reading, linking to studies which demonstrate how they are wrong, and patiently rephrasing your point until you land on phrasing that actually sticks. This means speaking to people as equals, and generally means assuming that they have good intentions and bad information, rather than the inverse. This means engaging rather than blocking, and it usually means a *private* discussion, because a public discussion is often too embarrassing to be productive. This may also mean being a trustworthy resource for people who are working on their shit, so that they know they can come to you without receiving judgement or ridicule, and without having their confidence broken, to ask questions about doing better.
  • Checking in with people doing support work: support work, especially in the cases of medics, legal workers, and anti-repression work, can be an emotionally taxing and highly traumatic experience. The secondary trauma which comes from diving into repression-filled environments in an effort to pull others out is a heavy burden to carry, and having community members check in and shoulder some of that burden means that those doing the immediate support work can continue to do so for a much longer period of time. If you’re not sure how to support people doing this work, simply ask how they’re doing. If that doesn’t feel like enough, it’s okay to tell them you’re here for them, and that they can lean on you if they need to. Even if they don’t take you up on your offer, I promise, the offer is worth a lot, and it DOES help.
  • Stop laughing at racist, sexist, ableist, transphobic, queerphobic, classist, ageist, otherwise oppressive “jokes”: even if you’re not in a place where you’ve eradicated oppressive language from your speech, you know this shit isn’t funny. Speak up about it. Straight up say, “I don’t think it’s funny to make fun of _________ people.” Don’t repeat the joke later, don’t turn around and tell others how awesome you are for not laughing, just put this nonsense in check whenever and wherever it pops up, because making fun of people for being part of an oppressed class is never, ever funny. And because not laughing at this shit doesn’t make you some sort of social justice superhero, it’s actually the bare minimum for human decency.
  • Work with kids: in any way, and for any length of time. Teach kids to be decent to one another without erasing the differences between them. Teach them that while our differences shape our life experiences, they also give us amazing opportunity to learn from one another. Teach what kindness and decency look like. Teach them to know the difference between right and wrong, for real.
  • Don’t drag down other people’s efforts: there is room for people with differing political ideologies to work on the same issues without belittling one another’s work. There is nearly infinite space for addressing the harm caused by oppressive power structures, and what works for some people may not work for others. Rather than focusing energy tearing down other efforts for not being perfect, we can all strive to do our best, and leave others to do their best. We are not all operating with the same tools, so the solutions we build are all going to be different. Since we’re still a long way away from an egalitarian society, THIS IS OKAY. We don’t have to be in agreement on what an ideal society looks like, because we’re still generations away from it. We just need to agree on some of the things that are wrong, and all work in our own ways to address it. More tactics being employed by more people means a greater chance of finding some solution that works, even if it only works a little bit, for a little while. By all means, if someone’s tactics are actually hurting you (or someone else), that should be addressed… but none of us are perfect, we are all still learning, and we all need constructive feedback from time to time. Meet people where they’re at, if you can, and if you can’t, maybe just leave them alone and work on your own project instead.
  • Accept feedback gracefully: even when it doesn’t come in a tone you appreciate, try to divorce the feedback from the tone, and make something of it. Consider carefully others’ critique of your work, even if it isn’t given kindly. It’s okay to reject critique if you’ve considered it and found it invalid, but it should be considered nevertheless. This goes double when the critique comes from someone marginalized upon different axes than your own, and triple when you’re doing “ally” or “accomplice” work, and the critique comes from someone you’re attempting to be an “ally” or “accomplice” to. Criticism is a learning opportunity, and we should all do due diligence to make sure we’re not missing important facets of the issues we are collectively struggling to fix.

A lot of this work is a lot less “sexy” than rioting, or chaining oneself to a police station door to shut down their operations, but every bit of it is extremely important. If you can’t, or don’t want to be in the streets, that doesn’t at all mean that you and your work don’t matter. The struggle for a better world is reliant upon all of our best efforts, and there are ways for each and every one of us to contribute according to our abilities.