[Cryptography] What do we mean by Secure?

Arnold Reinhold agr at me.com
Mon Feb 9 08:02:50 EST 2015


> On Feb 9, 2015, at 2:57 AM, Rob Meijer <pibara at gmail.com> wrote:
> 
> 
> 
> 2015-02-08 12:44 GMT+01:00 ianG <iang at iang.org <mailto:iang at iang.org>>:
> On 8/02/2015 00:05 am, Bill Frantz wrote:
> On 2/6/15 at 3:10 PM, kentborg at borg.org <mailto:kentborg at borg.org> (Kent Borg) wrote:
> 
> Ah, but then one would have to stop and figure out what one is trying
> to do...damn! Can't I just ask for Wholesome Apple Pie and be done?
> 
> The more I hear people talk about making things secure, the more I hope
> they will explain what they mean by secure. What I mean, in the broadest
> sense, is "Bad Things Won't Happen". Now this is a bit over nebulous. :-)
> 
> 
> Well, they often do, as we see.  The issue isn't so much that the result is nebulous, but that security is *individual*.
> 
> In the old days, we used to say, WYTM or what's your threat model?  The problem with this was it captured the above fallacy perfectly -- we were all searching for the one threat model to rule all others.
> 
> The more useful question is: What are the most important security attributes of your resources and what are your most important resources.
> 
> The fallacy of the threat model is best illustrated by the second/third lock analogy. Ask a cop and a fireman the same question: "Should I use the second and third lock on my door?"
> 
> For the cop the threat model would be intruders and thus the answer would be a definite yes.
> For the fireman the threat model would be fire and smoke and thus the answer would be a definite no. When you look at the most valuable resource (you and your family) and the most important security attributes (survival), then you can start to look at the local crime and fire statistics to try and calculate the most appropriate use of your locks. Maybe if you live in an urban area in the US South you should use the locks, but if you live in the north of Europe not using the locks would maximize the chances of survival. Maybe you should choose to use your additional locks during the holiday season when there are more house break-ins. Maybe you should stop using these locks during the dry season. The base idea is, it doesn't really matter how you die, dying is the least acceptable outcome and thus the policy should be geared at minimizing the 'all cause' probability of dying.

There is a company called Knox Box that sells small safes (~$200) that you can bolt to the outside of your house to store a key for the Fire Department. Only your local FD has keys to the safes (not all FDs participate), so you can make your door as secure as you want. You can buy the safes with a tamper switch that you wire to your alarm system. Yes, this introduces a failure mode where a firefighter loses or sells his key, but the risk is lower than weakly secured doors that any skilled thief can open. The analogy to computer security is that there are engineering solutions that can solve most security conundrums, once they are clearly stated.

There has been a lot of defeatism expressed on this list recently that I think is overblown. I suggest that most security breaches do not occur because “Security Is Sooooooo Hard” but because knowledge that is common in the cryptographic community is not well disseminated. Here is a quote from the Slashdot “How To Hack a BMW” thread:

   "If there were a single best book to read on cyber security, then perhaps we'd have fewer problems like what BMW had. But in reality, to get good at it, you have to have a vast familiarity with the literature and tools. You do that much reading, you might as well get a PhD. And my friends with PhDs focusing on security are in academia, not industry, so we get more security papers but not more secure devices."

Indeed, BMW had all the security components it needed in its remote car unlock system, it just didn’t put them together properly. Sneer all you want at “best practices” documents but they are a proven tool to help change happen in large organizations. 

Arnold Reinhold