solving the wrong problem

Perry E. Metzger perry at piermont.com
Sat Aug 6 14:28:29 EDT 2005


Frequently, scientists who know nothing about security come up with
ingenious ways to solve non-existent problems. Take this, for example:

http://www.sciam.com/article.cfm?chanID=sa003&articleID=00049DB6-ED96-12E7-AD9683414B7F0000

Basically, some clever folks have found a way to "fingerprint" the
fiber pattern in a particular piece of paper so that they know they
have a particular piece of paper on hand. It is claimed that this
could help stop forged passports.

Unfortunately, the invention is wholly useless for the stated purpose.

If the information is put onto the passport itself, nothing would stop
someone from taking a new, forged passport and adding the fingerprint
information onto the passport. If the information was protected by a
public key, that could prevent such forgeries, except that if you
already have a public key, you can protect the information printed on
the passport with said public key already, bypassing any care about
whether the paper in the passport is "original". You could, of course,
put the fingerprint information on-line, but if you have an online
database good enough to verify that the passport is real, why have a
passport? Why not just store identifying information about the person
far away from the ability to tamper with it?

Anyway, I have a larger point.

I read about such stuff every day -- wacky new ways of building
"tamper proof tokens", "quantum cryptography", and other mechanisms
invented by smart people who don't understand threat models at all.

We already have the term "snake oil" for a very different type of bad
security idea, and the term has proven valuable for quashing such
things. We need a term for this sort of thing -- the steel tamper
resistant lock added to the tissue paper door on the wrong vault
entirely, at great expense, by a brilliant mind that does not
understand the underlying threat model at all.

Anyone have a good phrase in mind that has the right sort of flavor
for describing this sort of thing?

Perry
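The argument above, worked as a small model (added example, not part of Perry's post): a paper fingerprint check and an issuer signature over the printed identity data are run against a genuine document and two forgeries. The fingerprint function, the issuer key and the sheet identifiers are constructed stand-ins; HMAC stands in for a public-key signature because the point turns only on which fields the issuer authenticates.

```python
import hashlib
import hmac

# Constructed issuer key for this example. HMAC stands in for the issuer's
# public-key signature: the argument depends only on which fields the issuer
# authenticates, not on the primitive used.
ISSUER_KEY = b"example-issuer-key-not-real"

def paper_fingerprint(sheet_id: str) -> str:
    """Stand-in for the fibre-pattern fingerprint of one physical sheet."""
    return hashlib.sha256(b"fibers:" + sheet_id.encode()).hexdigest()

def issuer_sign(name: str) -> str:
    """Issuer authenticates the identity data printed on the passport."""
    return hmac.new(ISSUER_KEY, name.encode(), hashlib.sha256).hexdigest()

def fingerprint_check(passport: dict, sheet_in_hand: str) -> bool:
    """Article's scheme: does the printed fingerprint match the paper in hand?"""
    return passport["fingerprint"] == paper_fingerprint(sheet_in_hand)

def signature_check(passport: dict) -> bool:
    """Perry's alternative: does the issuer's signature cover the printed name?"""
    return hmac.compare_digest(passport["sig"], issuer_sign(passport["name"]))

def issue(name: str, sheet_id: str) -> dict:
    return {"name": name, "fingerprint": paper_fingerprint(sheet_id),
            "sig": issuer_sign(name)}

def scenarios() -> dict:
    """Returns (fingerprint_check, signature_check) for three documents."""
    genuine = issue("A. Example", "sheet-0001")
    # Forgery 1: a new document on the forger's own sheet, carrying that
    # sheet's fingerprint and no valid signature.
    fresh_forgery = {"name": "M. Mallory",
                     "fingerprint": paper_fingerprint("sheet-9999"), "sig": "0" * 64}
    # Forgery 2: the genuine sheet with the name altered; the paper is original.
    altered = dict(genuine, name="M. Mallory")
    return {
        "genuine": (fingerprint_check(genuine, "sheet-0001"), signature_check(genuine)),
        "fresh_forgery": (fingerprint_check(fresh_forgery, "sheet-9999"),
                          signature_check(fresh_forgery)),
        "altered": (fingerprint_check(altered, "sheet-0001"), signature_check(altered)),
    }
```

Both forgeries pass the fingerprint check, since each is printed on the very sheet whose fingerprint it carries; only the signature over the identity data rejects them, and it does so without reference to the paper at all.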

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list