[Cryptography] North Korea and Sony
ianG
iang at iang.org
Fri Dec 12 07:58:36 EST 2014
On 10/12/2014 19:12 pm, Jerry Leichter wrote:
>
> On Dec 10, 2014, at 10:49 AM, John Ioannidis <ji at tla.org> wrote:
>> "Banks Dreading Computer Hacks Call for Cyber War Council"
>> Bloomberg, July 8, 2014
>>
>> www.bloomberg.com/news/print/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council.html
>>
>>
>> Are these people that clueless (which makes me even more worried about the vulnerability of our financial systems), or are they trying to accomplish something else?
> Mainly the former.
(snipping parts on ye olde familiar systemic risk :)
> Banks will want to emphasize the "cyberdefense" side rather than the "system capital" side because (a) it's cheaper - banks hate to have their capital requirements increased because that costs them money every day; (b) it's easier to fake, and since in their heart of hearts, they all know it's about faith, not about reality - why not go with a fake everyone believes in? (Which would actually work - up to the moment someone mounts a real attack. But, hey, the bank guys already invested their bonuses in things like real estate.)
I discuss this effect in market for silver bullets [0]. The interesting
thing here is that the regulated / banking market has a dynamic that
provides a strong stability to a best-practices set of behaviours that
is disconnected from the primary goal. In other words, it is better to
do what everyone else is doing, than to do one's own security. And what
everyone else is doing is too strong a consensus to migrate with
changing needs. Indeed, it's strong enough to even withstand common
knowledge that it is a fake.
Breaking out of this dynamic requires competition, by which I mean real
competition on security models, not tight regulation. It is the
regulatory model which drives competition away and creates the flock of
sheep known as 'best practices'.
In the alternate, if the best practices do rule, then there is obviously
a pot of gold for the supplier who can deliver that. But curiously,
this by itself provides little or no evidence that the supplier provides
security, only superior listening skills and incumbency.
iang
[0] http://iang.org/papers/market_for_silver_bullets.html