[Cryptography] North Korea and Sony

ianG iang at iang.org
Fri Dec 12 07:58:36 EST 2014

On 10/12/2014 19:12 pm, Jerry Leichter wrote:
> [Same thing as plain text]
> On Dec 10, 2014, at 10:49 AM, John Ioannidis <ji at tla.org> wrote:
>> "Banks Dreading Computer Hacks Call for Cyber War Council"
>> Bloomberg, July 8, 2014
>> www.bloomberg.com/news/print/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council.html
>> Are these people that clueless (which makes me even more worried about the vulnerability of our financial systems), or are they trying to accomplish something else?
> Mainly the former.

(snipping parts on ye olde familiar systemic risk :)

> Banks will want to emphasize the "cyberdefense" side rather than the "system capital" side because (a) it's cheaper - banks hate to have their capital requirements increased because that costs them money every day; (b) it's easier to fake, and since in their heart of hearts, they all know it's about faith, not about reality - why not go with a fake everyone believes in?  (Which would actually work - up to the moment someone mounts a real attack.  But, hey, the bank guys already invested their bonuses in things like real estate.)

I discuss this effect in market for silver bullets [0].  The interesting 
thing here is that the regulated / banking market has a dynamic that 
provides a strong stability to a best-practices set of behaviours that 
is disconnected from the primary goal.  In other words, it is better to 
do what everyone else is doing, than to do ones own security.  And what 
everyone else is doing is too strong a consensus to migrate with 
changing needs.  Indeed, it's strong enough to even withstand common 
knowledge that it is a fake.

Breaking out of this dynamic requires competition, by which I mean real 
competition on security models, not tight regulation.  It is the 
regulatory model which drives competition away and creates the flock of 
sheep known as 'best practices'.

In the alternate, if the best practices do rule, then there is obviously 
a pot of gold for the supplier who can deliver that.  But curiously, 
this by itself provides little or no evidence that the supplier provides 
security, only superior listening skills and incumbency.


[0] http://iang.org/papers/market_for_silver_bullets.html

More information about the cryptography mailing list