solving the wrong problem

John Denker jsd at av8n.com
Sun Aug 7 22:30:35 EDT 2005


Adam Shostack wrote:
> Here's a thought:
> 
> "Putting up a beware of dog sign, instead of getting a dog."

That's an interesting topic for discussion, but I don't think
it answers Perry's original question, because there are plenty
of situations where the semblance of protection is actually a
cost-effective form of security.  It's an example of statistical
deterrence.

Look at it from the attacker's point of view:  If a fraction X
of the beware-of-dog signs really are associated with fierce dogs,
while (1-X) are not, *and* the attacker cannot tell which are which,
and there are plenty of softer targets available, the attacker
won't risk messing with places that have signs, because the
downside is just too large.  The fraction X doesn't need to be
100%;  even a smallish percentage may be a sufficient deterrent.
OTOH of course if the sign-trick catches on to the point where
everybody has a sign, the sign loses all value.

We can agree that the dog-sign is not a particularly good
application of the idea of statistical enforcement, because
there are too many ways for the attacker to detect the
absence of a real dog.

A better example of statistical deterrence is traffic law
enforcement.  The cops don't need to catch every speeder every
day;  they just need to catch enough speeders often enough,
and impose sufficiently unpleasant penalties.  The enforcement
needs to be random enough that would-be violators cannot
reliably identify times and places where there will be no
enforcement.

Statistical enforcement (if done right) is *not* the same as
"security by obscurity".

This is relevant to cryptography in the following sense:  I doubt
cryptological techniques alone will ever fully solve the phishing
problem.  A more well-rounded approach IMHO would include "sting"
operations against the phishers.  Even a smallish percentage
chance that using phished information would lead to being arrested
would reduce the prevalence of the problem by orders of magnitude.

=====================

Let me propose another answer to Perry's question:
   "Wearing a millstone around your neck to ward off vampires."

This expresses both ends of a lose/lose proposition:
   -- a burdensome solution
   -- to a fantastically unimportant problem.

This is related to the anklets on the White Knight's horse,
"to guard against the bites of sharks" ... with added emphasis
on the burdensomeness of the solution.


---------------------------------------------------------------------
The Cryptography Mailing List