encrypted tapes (was Re: Papers about "Algorithm hiding" ?)

Daniel Carosone dan at geek.com.au
Tue Jun 7 20:59:38 EDT 2005


On Tue, Jun 07, 2005 at 07:48:22PM -0400, Perry E. Metzger wrote:
> It happens because some idiot web designer thought it was a nice
> look, and their security people are too ignorant or too powerless to
> stop it, that's why.
> 
> It has nothing to do with cost. The largest non-bank card issuer in
> the world can pay for the fifteen minutes of time it would take to fix
> it by putting the login on a separate SSL protected page. It has
> nothing to do with "ease of use" or tools that default "safe". The
> problem is that they don't know there is anything to fix at a level
> of the firm that is capable of taking the decision to fix it.

It may well be that, rather than the fault of the web designer, an
explicit business requirement was presented to do this, because of
perceived "ease of use" for the customer...  and then the lack of
knowing any better to kill the idea before it takes hold.

At least, that's how it's happened in several places I've been
involved, and it took more than a little effort to make them
understand why it was a bad idea.  Thankfully, they were paying for my
time and advice, and *also* had the sense to listen to it when given -
the two don't always go together - but in this sense security did cost
them something.

The customer ease-of-use argument is quite easy to see - and also
quite easy to provide, if they want to, by putting the normal company
homepage that contains the form on SSL too.  I've had conversations
about the cost of doing that with knowledgeable web designers (largely
centering on image caching concerns), and really, it isn't quite free,
even if the costs come from unreasonable and annoying places. Those
costs can have returns, even non-risk ones like being better able to
track users' browsing patterns and site navigation, too - but just by
virtue of having to have the conversation, it's no longer free,
especially if people bring organisational politics to the table.

> Security these days is usually bad not because good security is
> expensive, or because it is particularly hard. 

These are the things that make the difference between middling-fair
and somewhat-decent security (let alone good security, which requires
many other things to be Done Right, more operational than technical).

The irony is that bad IT security (just like any other bad IT) is
expensive, often much more expensive - even without considering the
potential costs involved if the risks are realised.

> It is bad because even people at giant multinational corporations
> with enough budget to spare are too dumb to implement it.

Worse than that: people at the giant multinational corporations who
provide the outsourced IT services to those other corporations - and
who sell their services based on 'economies of scale' and 'industry
expertise' and 'best practice', and who are thus charged with the
responsibility of knowing better - are too dumb to implement it.

And then they're too dumb to implement it at other customer sites even
when that one rare customer comes along who knows better (or at least
knows to ask for independent outside help), and has fought hard to
convince their outsource provider of the need and economic sense of
not being dumb on their behalf.  Most organisations just let them get
away with it, and think they're getting a good deal, while the very
basis on which that deal was sold is defeated.

If it weren't for all the other people that get hurt by the shrapnel,
it would be very hard to continue trying to help people who seem to
like walking around with bullet holes in their shoes.

--
Dan.