Gutmann Soundwave Therapy
Ivan Krstić
krstic at solarsail.hcs.harvard.edu
Mon Feb 4 06:25:14 EST 2008
On Jan 31, 2008, at 10:32 PM, Richard Salz wrote:
> Developers working in almost any field should know the history and
> best
> practices -- is PGP's original "bass o matic" any more important
> than the
> code in a defibrillator? -- but this is not the way our field works
> right
> now. Compare it to something like civil engineering or architecture.
I think this misses the point. Security is different.
In 2008, I can learn to build pretty good suspension bridges by
learning the state of the art of bridge-building. After that, as long
as I live, I run almost no risk of Newtonian mechanics being shown to
be wrong for any value of wrong that would make me go "well, wow, I no
longer understand how to build bridges".
In other words, people who build bridges these days can give you a
convincing presentation, based on solid physics and a highly-complete
threat model (soil erosion, material failure, etc) that their bridge
will do its job. They can say "this bridge will work because it
satisfies well-understood and reasonably immutable laws of nature".
People who attempt to build secure systems have no ultimately well-
understood (let alone immutable!) requirements to design against. A
good approximation is "a secure system is one that survives all
relevant attacks that people in our field have come up with thus far",
but it's clear that a system successfully meeting that goal can simply
cease to meet it any given day. Thus unlike with bridges, you
fundamentally can't evaluate the quality of a security system you
built if you're unfamiliar with the state of the art of _attacks_
against security systems, and you can't become familiar with those
unless you realize that these attacks have each brought down a system
previously considered impregnable. And if by the time you've gone
through dozens of broken systems and their corresponding attacks you
still think you're smart enough to write a new system by yourself,
you're either very brave or very daft.
Neither of those mean you're a bad person, but both mean you shouldn't
be designing security systems.
--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list