[Cryptography] The Laws (was the principles) of secure information systems design

Peter Fairbrother peter at m-o-o-t.org
Wed Jul 13 18:57:47 EDT 2016


On 13/07/16 09:45, Michael Kjörling wrote:
> On 12 Jul 2016 21:30 +0100, from peter at m-o-o-t.org (Peter Fairbrother):
>> The Laws of secure information systems design:
>
> Honestly, I think these are already too many. There is probably room
> for quite a bit of combining these into fewer points that cover the
> same ground. For example, #3 ("only those you trust can betray you")
> and #7 ("holes for good guys are holes for bad guys too"),

While I agree that there are too many, these are different in a 
significant way - #3 is about trust, and betrayal and people (while 
considered as parts of the system) doing things they are supposed not 
to. The design works, the components fail.

#7 is about leaving openings for people within the system, openings 
which can be used by attackers who are not parts of the system - not 
just the FBI/NSA wanting backdoors, but maintenance codes, default 
passwords and the like. The components of the system are working in 
spec, the design fails.

> possibly along with #0 ("it's all about who is in control")

#0 is much more widely applicable. It's called #0 because it is 
fundamental, more fundamental than the other laws.

So, who is in control? Parliaments, as law-making bodies?

With e.g. PGP, to some extent it is the user, but e.g. in the UK to some 
extent it is the Police - they can demand passwords.


For the super-duper-personal-privacy-guaranteeing system - the user? To 
some extent the designer?, iff he can keep user data from Gubbmint 
and/or the Law?


Blackberry? For ordinary users, the Canadian gubbmint (and I imagine 
most other gubbmints). For enterprise users - the users? - the 
enterprise? - the Canadian gubbmint? - not sure.


Your non-political business design? Well, can users see other users' 
data?  Can users see other users' shared data? Can administrators see 
users' data? Can helpdesk weenies? Can the pointy-haired boss?

Can the NSA?

Control.


> can probably be
> summed up in one point, perhaps "technology does not discriminate
> based on objective intent or subjective opinion". There's no need for
> points that cover essentially the same ground; that's what elaboration
> beyond the sound-bite is for.


> Also, one that I absolutely think is missing is that _security always
> favors the attacker_. (The defender has to defend against _every_
> threat; the attacker only has to find _one_ viable attack vector that
> is not adequately defended against. That attack vector might not even
> allow for a full breach; if it allows the attacker to get a toe-hold,
> it might be enough to compromise the security of the system. It also
> might not be in a place where you expect security problems at all.)

Yep, I'll consider that one for inclusion.


> Hence security in depth, your proposed #10, "design for future
> threats" (which I agree with), and observations like Schneier's Law.
>
> And of course, what happened to #14 in your list?
>


If I told you that I'd have to kill you, of course.. :)

-- Peter Fairbrother
