[Cryptography] best practices considered bad term

ianG iang at iang.org
Sat Jan 31 06:27:43 EST 2015

On 30/01/2015 20:49 pm, Kent Borg wrote:
> On 01/30/2015 10:33 AM, U.Mutlu wrote:
>> What 'best practices' for filesystem encryption are there?
> Again, that horrible term! Says who? Measured how? Accomplishing what?

That term!

The term 'best practices' is deceptive.  'Best practices' emerges in a 
sector for some topic that nobody cares enough about to compete on, but 
all are agreed that something is needed.

The process of creating a 'best practices' is mostly a lowest common 
denominator one -- what can the majority agree on and therefore force 
consensus on the minority?

Once 'best practices' is in place, it takes a whole lot to change the 
stability.  A new practice has to be demonstrably better to all, in ROI 
terms, otherwise those who don't see the benefit will be incentivised to 
spend up to the cost of the new practice to avoid it being added. 
That's a whole lotta pushback against change.

Consequently, this cost makes 'best practices' an unchanging, always 
behind-the-curve beast.  It therefore only works in the absence of an 
aggressive attacker, or one so benign it can be built into loss rates. 
It's a sucker for compliance / liability dumping.  It's certainly not 
'security' in the sense of securing the interests of the customer.

It's a term best seen as lazy practices, or "the least we can get away 
without being outed as negligent by a sleeping public."

For this reason, where people want good practices, some of us have been 
pushing the term 'better' as in the BetterCrypto.org project in Vienna.

As a wider philosophical question, is it even appropriate to promote or 
accept 'best practices' in the security world?  Its presence is almost 
a complete proof that we're not doing security, we're instead 
participating in a rain dance or voodoo for purposes of avoiding security.
