double shot of snake oil, good conclusion

Ed Gerck egerck at nma.com
Fri Feb 28 18:10:09 EST 2003


#1
In http://www.extremetech.com/article2/0,3973,906344,00.asp,
this article on MS DRM states: "For example, it might be possible to
view a document but not to forward or print it."

This is, of course, blatantly false. Of course it can, by using a screenshot,
a camera, a cell phone with camera or, simply, human memory. With all
due respect, the claim is snake oil.

This is exactly what we in IT security must avoid. Insecure statements that
create a false sense of security -- not to mention a real sense of angst. This
statement, surely vetted by many people before it was printed, points out
how much we need to improve in terms of a real-world model for IT security.

And that is why, today, IT security failures are causing an estimated
loss of $60B/year (ASIS, PricewaterhouseCoopers, 2001).

#2
The second shot of snake oil came when some people, without realizing
the trap, started to get alarmed by the snake oil shot #1 and started
speculating on "the chilling effect that such measures could have on
corporate whistleblowers" while others speculated on "another potentially
devastating effect", that the DRM could, via a loophole in the DoJ
consent decree, allow Microsoft to withhold information about file
formats and APIs from other companies which are attempting to create
compatible or competitive products -- compatible, that is, with the first
shot of snake oil.

The good conclusion from all of this seems to be that while humans are the
weakest link in a virtuous security system, they can also help break a
non-virtuous security system -- DRM snake oil claims notwithstanding.

Cheers,
Ed Gerck



---------------------------------------------------------------------
The Cryptography Mailing List