[Cryptography] best practices considered bad term
iang at iang.org
Sat Jan 31 06:27:43 EST 2015
On 30/01/2015 20:49 pm, Kent Borg wrote:
> On 01/30/2015 10:33 AM, U.Mutlu wrote:
>> What 'best practices' for filesystem encryption are there?
> Again, that horrible term! Says who? Measured how? Accomplishing what?
The term 'best practices' is deceptive. Best practices emerges in a
sector for some topic that nobody cares enough about to compete on, but
all are agreed that something is needed.
The process of creating a 'best practices' is mostly a lowest common
denominator one -- what can the majority agree on and therefore force
consensus on the minority?
Once 'best practices' is in place, it takes a whole lot to change the
stability. A new practice has to be demonstrably better to all, in ROI
terms, otherwise those who don't see the benefit will be incentivised to
spend up to the cost of the new practice to avoid it being added.
That's a whole lotta pushback against change.
Consequently, this cost makes 'best practices' an unchanging, always
behind-the-curve beast. It therefore only works in the absence of an
aggressive attacker, or one so benign it can be built into loss rates.
It's a sucker for compliance / liability dumping. It's certainly not
'security' in the sense of securing the interests of the customer.
It's a term best seen as lazy practices, or "the least we can get away
without being outed as negligent by a sleeping public."
For this reason, where people want good practices, some of us have been
pushing the term 'better' as in the BetterCrypto.org project in Vienna.
As a wider philosophical question, is it even appropriate to promote or
accept 'best practices' in the security world? Its presence is almost
a complete proof that we're not doing security, we're instead
participating in a rain dance or voodoo for purposes of avoiding security.