[Cryptography] What is an attack, and what is not an attack?

ianG iang at iang.org
Mon Jan 13 04:51:05 EST 2014


On 8/01/14 18:18 PM, John Kelsey wrote:
> ...
>> 1.  Literature is theory.
>> 2.  Attacks in labs are experiments, not attacks.
>> 3.  Academic exploits and corporate embarrassments aren't real demonstrations of economic risk, they are more reputation-leaching from innocent corps to press-hungry security rock stars.
>> 4.  Absent any evidence, we cannot disambiguate between myth, fear, marketing, fraud and self-deception (Dan Geer's observation).
>
> I think you're headed toward a lower bound estimate of what the real-world attacks look like, but we also need to consider likely and possible attacks.

Rather than address your comments point-wise, my way of thinking is like this:

1.  If you do compliance, do what they tell you and ignore the rest. 
This is best practices;  you're not actually in the game, you're insured 
by the herd.  Read no further.

2.  If you have history of attacks [0], then calculate the probability 
of attacks, the damages to you the victim of those attacks, and multiply 
it out to give you some sense of budget you should spend to.

3.  If you have no history and no compliance, then you have to estimate 
all these things.  But these are all judgement calls, made by you.  Your 
name goes on these calls.

4.a If you are responsible for managing the corporate budget (CFO), err 
on spending zero, especially for unproven stuff from (3) above.  Your 
name depends on spending the least and nothing going wrong.

4.b If you are responsible for spending the corporate budget (CSO), err 
on spending more, especially on unproven stuff in (3) above.  Your name 
depends on spending the most and nothing going wrong.



iang

ps; I did write a long point-wise reply, but it seemed voluminous and 
who's got the time?


> For example, we have years of results on all-electronic voting machines that show that they generally have Swiss cheese like security, but I am not aware of any documented election fraud in the US based on exploiting these weaknesses.  It would be imprudent as hell to assume that these machines haven't been attacked and won't be, based on the absence of evidence for these attacks so far.  We should at least assume that lab-demonstrated attacks that would work in the field are representative of what NSA and similar agencies in other countries are up to.
>
> Further, monetary damage isn't the only measure of interest.  What's the monetary value of millions of people's communications being vacuumed up for years?  I have no idea how to put a price on that, and absent whistleblowers we would not ever have noticed the scale and intrusiveness of that massive surveillance, but it's sure as hell an attack!
> ...
>> The only evidence that slices through is *damages*.  How much money was lost?  (Excluding reputation damage and re-work efforts.)  If there are events with damages, if we can measure losses and frequencies, then we can calculate likelihoods and expected losses, etc [0].
>
> Criminals are motivated mostly by money, so they can probably be modeled in terms of costs and benefits.  Governments and terrorists and ideologues are motivated by something different, and you probably don't get a great model of them by thinking in terms of dollars of damage.  How much monetary damage is done when a nascent protest is silently sniffed out by arresting three or four ringleaders on trumped-up charges?  How do we measure the unwillingness of potential sources to talk to journalists given the massive surveillance?  Not in dollars.
>
> ...
>> If not, then we have to use our judgement.  I use my judgement to say that DUAL_EC was a real attack, but I can't validate it because I cannot calculate the damages.  It goes on the list, because my judgement says so, but I don't *know it happened* as yet.
>
> This is always going to be a problem.  We know dual ec could have been backdoored, and that if it was, it could have been used to compromise a lot of communications.  We probably won't ever know how much was compromised, or whose, or even whether P and Q were generated to put a backdoor into the DRBG.
>
> We know that all kinds of appliance Internet devices were generating keys with frightfully low amounts of entropy.  We don't know if this was ever exploited, or if there was any kind of operation to get/keep lame entropy collection in those products.  (Though a smart attacker would have hashed the Ethernet address into the pool before generating the keys, to make the weakness harder to see from outside.)
>
> And so on.  I don't know how many industrial accidents, crashed commercial websites, blackouts, etc., over the last decade have been the result of some subtle computer attack, but I'm sure the answer isn't 0.  Similarly, I don't know how many would-be protesters or opposition politicians have been shut down by these attacks over the world, but again, I can't imagine the answer is 0.  It isn't clear how your way of thinking about attacks captures any of that.
>
>> iang
>
> --John


