[Cryptography] best practices considered bad term

Arnold Reinhold agr at me.com
Mon Feb 2 19:05:50 EST 2015


On Sun, 1 Feb 2015 23:22 Jerry Leichter wrote:

> On Feb 1, 2015, at 10:56 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
>>> So it's certainly a rain dance, but I wouldn't say it's for avoiding security,
>>> it's for avoiding liability, a la "no-one ever got fired for buying IBM".
>> This statement encapsulates the real value of "best practices". If you follow them, you won't get fired.
> Is there some truth to this assertion?  Sure.  But consider the same discussion about the National Electrical Code. It's a bunch of rules - no justifications or arguments, mind you, just rules.  If you follow the rules, you won't have trouble getting your town's electrical inspector to approve your work.  Or ... you can do it your own way and get into infinite arguments.
> 
> If you're an electrician, and you follow the rules, you also are much less likely to be sued, or to lose a suit, if something goes wrong and the house burns down.
> 
> Is following the rules in the Code a way of avoiding fights with the town and lawsuits?  Sure.  But is it *just* that? Hardly.  The Code is, to a large degree, the distillation of many decades of experience with electrical wiring and how it fails.  Is it overkill?  Does it sometimes retain old requirements that no longer make much sense?  Sure. But if I'm buying a house, I like knowing that it's "up to code".  It may be boring and over-engineered, but it probably won't start a fire while I'm asleep.

Decades of enforcement of the National Electrical Code, along with other building codes, and UL certification for appliances, have led to a dramatic reduction in fires and fatalities therefrom in the US (http://www.usfa.fema.gov/data/statistics/), to the extent that many local fire departments are trying to find other functions, such as EMT and Hazmat services, to justify their budgets.

Yes, the NEC analogy is not perfect: fire isn’t an intelligent enemy, finding cleverer ways to start and spread. But what is the alternative to best practice recommendations for cybersecurity? Telling every business to hire a consultant? Leaving the field to marketing departments with breathless claims of 5000-bit security or trade magazine articles written by writers who know little about the subject?

There is a lot of knowledge and experience in this group, but it is poorly disseminated. Developing a knowledge base of basic things to do or avoid, with a clear statement that following it is not a guarantee of security, would advance practical security enormously, even if it were followed by people who only want to cover their backside. There are plenty of areas where I think consensus is possible, many mentioned in this thread. Maybe call it “Minimum Best Practices” to avoid the implication that nothing more than following them needs to be done, or some other name, but let's do it.

Arnold Reinhold



