POPSEC: Security Lessons Learned from Harry Potter


There are a lot of security lessons we can learn by examining popular media, analyzing mistakes which are made, and striving not to repeat them. The Harry Potter series is rich with such lessons, and while the following contains all kinds of spoilers (for every one of the books/movies), it’s also full of important life lessons we can take away by scrutinizing the mishaps which take place in the Wizarding World.

Lesson 1: Don’t be Hagrid.

Hagrid is a lovable, gentle soul. This is all well and good, but if we’ve learned anything from the Harry Potter series, be it the books or the movies, it’s that Hagrid is a drunk, a braggart, and overly trusting. Each and every one of these traits leads to Hagrid divulging information that should really be kept private. Over and over again Hagrid slips up, from spilling secrets to hooded strangers in pubs who are actually the most evil wizard ever to live, to showing Madame Maxime his dragons. If loose lips sink ships, Hagrid is probably responsible for capsizing an entire fleet. Furthermore, as Jim MacLeod (@shewfig) points out, Hagrid also has a bad habit of sharing PARTIAL information, which has the result of endangering people who listen, as demonstrated when he tells Harry to “follow the spiders,” and almost gets Harry and Ron eaten by Aragog’s offspring when they take Hagrid’s advice.

Lesson 1A: Don’t tell Hagrid your secrets.

We all have a friend like Hagrid. We all love that friend. That friend is fiercely loyal, loving, and always knows how to lift our spirits when we’re down. We all NEED friends like Hagrid. But we also all know that our friend/Hagrid is terrible at keeping secrets, and so we should maybe protect ourselves (and keep our friend from being put in a position to unwittingly betray us) by finding other ways to demonstrate our trust in our friend. Because Hagrid is a ride-or-die kind of friend, and accidentally spilling the beans hurts him almost as much as it hurts us. Cheer up, Hagrid: you’re still great!

Lesson 2: Security through Obscurity doesn’t work as a standalone measure.

It’s tempting to think that keeping vulnerabilities secret is a fail-proof way to ensure that they’re never exploited. Unfortunately, while Security through Obscurity is great as an aspect of Defense in Depth, as a standalone measure it leaves one vulnerable to social engineering attacks, as in the case of Fluffy. Who could possibly know that a vicious three-headed dog is a sucker for harp music? Well, literally anyone who had ever come into contact with Hagrid. It is true, too, that given sufficient time and determination, someone could have figured out Fluffy’s weakness all on their own — and that keeping such things secret does make them harder to circumvent — but a combination of unpatched vulnerabilities and Hagrid’s inability to keep his mouth shut in the pub very nearly led to Lord Voldemort seizing the means to immortality.

Lesson 3: If you don’t know how it works, don’t trust it.

Remember that diary Ginny Weasley found that spoke to her? Remember how she confided her deepest, darkest secrets to it? REMEMBER HOW IT TURNED OUT TO BE AN ACTUAL MANIFESTATION OF HE WHO SHALL NOT BE NAMED? Arthur Weasley advised, “Never trust anything that can think for itself if you can’t see where it keeps its brain.” When talking about magic, this is perfectly sound advice. When talking about security in the real world, it’s probably wise to say you should never trust anything with your data if you don’t know how it intends to use it, and how it will store it. This also means you probably shouldn’t rely on tools if you don’t have at least a working understanding of how they function: you don’t need to know the particulars of how something is encrypted, but you should have a good idea of what a tool does and doesn’t do (and protect) before relying on it.

Lesson 4: Know your threats.

In order to protect yourself, you need to first correctly identify your threats. False negatives can leave you open to attack, while false positives can cause you to implement the wrong defenses, as well as cost you valuable resources and potential allies. Harry, Ron, and Hermione (and everyone else) spent an unreasonable amount of time trying to defend against Sirius Black, when it turned out that the man responsible for the deaths of Harry’s parents had been sleeping in Harry’s dorm room for years. The takeaway here is that fixating on a single threat can (and often will) distract you from where the real danger lies.

Lesson 5: Whitelisting > Blacklisting

Remember how the Goblet of Fire was bewitched to reject all entries not submitted by someone over a certain age? Remember how that didn’t matter, because an adult submitted Harry Potter’s name to the Goblet? Remember how that adult used a fake school that doesn’t even exist to ensure that Harry Potter’s name was chosen? Had the Goblet of Fire been enchanted to instead ONLY accept the names of actually eligible students, Cedric Diggory would probably still be alive today.

Lesson 6: Getting owned once doesn’t have to be the end of the line.

Things look pretty bad for Harry when Voldemort transports him to a graveyard, has him surrounded by Death Eaters, and strips away Harry’s most powerful protection against his adversary… but it’s not the end of the line for Harry, and getting bested once by your adversary doesn’t need to be the end for you, either. If your security is, in fact, compromised, take a deep breath, and start doing damage control. In most cases, getting beaten isn’t a sign you’ve failed, so much as an indication that you need to try something different. Get creative, and keep plugging away.

Lesson 7: Your security doesn’t need to be perfect, it needs to be good enough.

When Harry and his friends are attacked by Death Eaters in the Department of Mysteries, it looks like it’s lights out for the temerarious teens. They’re outnumbered and clearly outclassed by their adult adversaries, and the only tools at their disposal are perfectly puerile compared to the malicious magical mastery of the Death Eaters. Yet, against all odds, Harry and his cohorts are able to fend off their fearsome foes and stay alive long enough for reinforcements to arrive. Expelliarmus and Reducto may not seem like much, but they’re sufficient to keep Harry and his friends in the game. It’s easy to fall into the habit of thinking that if your security isn’t perfect, it’s useless, but the fact is that your security only needs to be good enough to narrowly beat your adversaries… and in some cases, only for a little while. Worrying that your security isn’t perfect can cause you to fall prey to security nihilism… and falling prey to security nihilism can make it hard to recognize that some (if not all) of your practices are sufficient at least in the interim, and can also make it hard to identify what can reasonably be improved upon to harden your security a bit more.

Lesson 8: Know your sources.

Even though Harry should have learned his lesson about putting trust in the contents of sketchy books after the incident with Tom Riddle’s Diary, he makes a similar mistake in putting his trust in the notes left in the margins of his borrowed textbook by a person known only as the “Half-Blood Prince.” This leads to a newfound success at potions making, but also leads Harry to try a rather heinous (if not altogether Unforgivable) curse on Draco Malfoy. Harry’s faith in this unverified source essentially results in a lot of bloodshed… and that’s an important lesson for us to learn. If we don’t know where our information is coming from, we can’t verify it… and if we trust in unverified information, the results may be dire. Uncritically reading state-sponsored propaganda (I’m looking at you, everyone who shares links to RT content) or trusting un-vetted privacy resources (remember Firechat? How about Telegram?) can leave people dangerously misinformed, and devastatingly vulnerable. To keep from falling prey to this classic blunder, make sure you know where your information (and your tools) are coming from, and verify it before you rely on it.

Lesson 9: Don’t fall victim to tunnel vision.

Remember how Harry and Dumbledore go to retrieve a horcrux together? And remember how much energy they put into retrieving that horcrux? And remember how in order to actually get it, Dumbledore has to drink A LITERAL VAT OF POISON? And remember how it turns out it’s not even a real horcrux? This is a classic example of falling prey to tunnel vision. The duo is so focused on retrieving this objective, they don’t stop to think that maybe they should focus their energy on tracking down the OTHER horcruxes as well before taking action. Now Dumbledore’s dead, there are still six horcruxes out there, and Harry has no idea how or where to find them.

Lesson 10: Know a person’s circumstances before you trust them.

Xenophilius Lovegood is a decent person. Sure, he rats out Harry, Ron, and Hermione to the Death Eaters, but that’s because the Death Eaters have kidnapped his daughter, are holding her hostage, and have threatened to kill her. Xenophilius doesn’t do anything any reasonable person in his situation wouldn’t do, and that’s why it’s important to know our allies’ situations before we rely on them. The lesson here is never trust someone if you don’t understand what they have to lose from supporting you, and what they stand to gain by betraying you. Does this mean you should never trust anyone with anything? Of course not. It just means you should never willingly put your life (or freedom) in anyone’s hands if you aren’t certain they’ll protect it as if it were their own.

Lesson 11: Never underestimate your adversary.

Neville Longbottom is kind of a hapless foil for Harry’s cavalier, clumsy heroism. Neither is terribly graceful, but Neville is nervous where Harry is bold, and Neville is risk-averse, while Harry repeatedly throws himself into dangerous situations without a second thought. Because we spend the entire series watching Neville fail pretty miserably at most things, it’s easy to see why Voldemort and the Death Eaters may not have taken Neville seriously as a threat… RIGHT UP UNTIL NEVILLE SLICES OFF NAGINI’S HEAD. Now, of course, nobody could have seen that coming. There is no way Voldemort could have predicted that Neville-effing-Longbottom would be responsible for the loss of one of his last surviving horcruxes… but his loss is our gain, because we can take away from this that with enough determination, even the clumsiest of our adversaries can cause us to have a very, very bad day.

Lesson 12: Don’t get lax when you think you’ve neutralized a threat.

Voldemort killed Harry in the Forbidden Forest. We all saw it happen. He used Avada Kedavra, the killing curse. There was a bright flash of green light, and Harry’s lifeless body sprawled out on the detritus of the forest floor. We even see Harry speaking with the absolutely-definitely-verifiably-dead Dumbledore in a sparklingly-clean train station in the sky… so where did Voldemort go wrong? There are actually a few different mistakes he made here. The first was not verifying *HIMSELF* that the threat-known-as-Harry had been truly neutralized. Instead, Voldemort asks Narcissa Malfoy to check that Harry is dead (violating Lesson 10 in the process… see? That one is important!) Naturally, Narcissa lies, because she cares way more about her own kid than she does about some creepy old bald guy with no nose and a weird obsession with teenage boys. Voldemort also makes the mistake of violating Lesson 11. He assumes that because Harry has been taken out of the picture, everyone else will just sort of flop over and let him conduct his evil reign of terror completely unchecked. Now, had Voldemort checked to ensure that Harry was dead himself (and maybe taken the extra step of rifling through his pockets), he’d have realized that Harry was very much alive, and in possession of the Resurrection Stone, and he probably would have behaved accordingly, rather than marching on as though he were frigging invincible. So what can we take from this? A) never assume that you’ve succeeded in neutralizing a threat. If you think you’ve eliminated a threat, verify it yourself, and B) just because you’ve taken out an adversary doesn’t mean there aren’t many others out there just waiting for you to show a little weakness so they can take you out in turn.

Now, I realize that, had the characters in the Harry Potter series not made all these mistakes, the stories would have been much less interesting, and might have had an entirely different outcome… That said, we can take a lot away from fictional blunders by imaginary people, and we can (and should!) always be on the lookout for ways that the characters in our favorite books and movies could have done things differently. (And yes, there will be future installments of POPsec, so stay tuned!)

Eternal gratitude to @deviantollam for his eyes and his notes on this piece.

Published by

Elle Armageddon

Elle Armageddon is a Bay Area-born anarchist, antifascist, blogger, glitter enthusiast, and smartass security professional. In addition to writing, furiously tweeting, and mucking around with a chemistry set that looks suspiciously like a bar, you can also find them providing medical and legal support for protesters, babysitting their niblings, and politely asking people to stop doing unconscionable things to the computers. If you'd like to support their writing, you may do so at https://patreon.com/armageddon. They can also be found on Twitter: @ElleArmageddon
