[Cryptography] best practices considered bad term

ianG iang at iang.org
Mon Feb 2 09:06:35 EST 2015


On 2/02/2015 05:22 am, Jerry Leichter wrote:
> On Feb 1, 2015, at 10:56 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
>>> So it's certainly a rain dance, but I wouldn't say it's for avoiding security,
>>> it's for avoiding liability, a la "no-one ever got fired for buying IBM".
>> This statement encapsulates the real value of "best practices". If you follow them, you won't get fired.
> Is there some truth to this assertion?  Sure.  But consider the same discussion about the National Electrical Code.  It's a bunch of rules - no justifications or arguments, mind you, just rules.  If you follow the rules, you won't have trouble getting your town's electrical inspector to approve your work.  Or ... you can do it your own way and get into infinite arguments.
>
> If you're an electrician, and you follow the rules, you also are much less likely to be sued, or to lose a suit, if something goes wrong and the house burns down.
>
> Is following the rules in the Code a way of avoiding fights with the town and lawsuits?  Sure.  But is it *just* that?  Hardly.  The Code is, to a large degree, the distillation of many decades of experience with electrical wiring and how it fails.  Is it overkill?  Does it sometimes retain old requirements that no longer make much sense?  Sure.  But if I'm buying a house, I like knowing that it's "up to code".  It may be boring and over-engineered, but it probably won't start a fire while I'm asleep.


Right.  A 'best practices' wants to be a code.  But it ain't, and 
talking it up as a code won't make it so.

Clearly we would all be better off if it was a code, or regulation, or law. 
So what's the difference, what's the leap here that the 'best 
practices' fails to make it to good-reg-ship?

For my money it is this:  We don't know how to do it / write it.

Opinions differ, and that is for good reasons.  Recall threat modelling, 
anyone?

In a dynamic OODA security world, is it even reasonable to think that we 
can so clearly build a security fence that does the job for all the 
people all the time?  For enough of the people enough of the time? 
Maybe, some portion of it, says Gunnar:

http://1raindrop.typepad.com/1_raindrop/2009/03/information-security-debt-clock.html

Electrons don't fight back, so we can build a code over a century of 
learning to keep them corralled in their proper cables.  No such luck in 
the security game, I suspect.  Attackers don't lie down and die, 
suddenly turn into sheep and bleat just because we put CODE on our 
security model.

Maybe the answer is that attackers won't let us 'know' how to write a 
'best practices' guide?



iang



ps: apologies in advance to those who believe the security industry 
knows how to deliver security...

