Gutmann Soundwave Therapy

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Mon Feb 4 06:25:14 EST 2008 

On Jan 31, 2008, at 10:32 PM, Richard Salz wrote:
> Developers working in almost any field should know the history and  
> best
> practices -- is PGP's original "bass o matic" any more important  
> than the
> code in a defibrillator? -- but this is not the way our field works  
> right
> now.  Compare it to something like civil engineering or architecture.


I think this misses the point. Security is different.

In 2008, I can learn to build pretty good suspension bridges by  
learning the state of the art of bridge-building. After that, as long  
as I live, I run almost no risk of Newtonian mechanics being shown to  
be wrong for any value of wrong that would make me go "well, wow, I no  
longer understand how to build bridges".

In other words, people who build bridges these days can give you a  
convincing presentation, based on solid physics and a highly-complete  
threat model (soil erosion, material failure, etc) that their bridge  
will do its job. They can say "this bridge will work because it  
satisfies well-understood and reasonably immutable laws of nature".

People who attempt to build secure systems have no ultimately well- 
understood (let alone immutable!) requirements to design against. A  
good approximation is "a secure system is one that survives all  
relevant attacks that people in our field have come up with thus far",  
but it's clear that a system successfully meeting that goal can simply  
cease to meet it any given day. Thus unlike with bridges, you  
fundamentally can't evaluate the quality of a security system you  
built if you're unfamiliar with the state of the art of _attacks_  
against security systems, and you can't become familiar with those  
unless you realize that these attacks have each brought down a system  
previously considered impregnable. And if by the time you've gone  
through dozens of broken systems and their corresponding attacks you  
still think you're smart enough to write a new system by yourself,  
you're either very brave or very daft.

Neither of those mean you're a bad person, but both mean you shouldn't  
be designing security systems.

--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list