[Cryptography] The Laws (was the principles) of secure information systems design
Peter Fairbrother
peter at m-o-o-t.org
Wed Jul 13 18:57:47 EDT 2016
On 13/07/16 09:45, Michael Kjörling wrote:
> On 12 Jul 2016 21:30 +0100, from peter at m-o-o-t.org (Peter Fairbrother):
>> The Laws of secure information systems design:
>
> Honestly, I think these are already too many. There is probably room
> for quite a bit of combining these into fewer points that cover the
> same ground. For example, #3 ("only those you trust can betray you")
> and #7 ("holes for good guys are holes for bad guys too"),
While I agree that there are too many, these are different in a
significant way - #3 is about trust, and betrayal and people (while
considered as parts of the system) doing things they are supposed not
to. The design works, the components fail.
#7 is about leaving openings for people within the system, openings
which can be used by attackers who are not parts of the system - not
just the FBI/NSA wanting backdoors, but maintenance codes, default
passwords and the like. The components of the system are working in
spec, the design fails.
> possibly along with #0 ("it's all about who is in control")
#0 is much more widely applicable. It's called #0 because it is
fundamental, more fundamental than the other laws.
So, who is in control? Parliaments, as law-making bodies?
With eg PGP, to some extent it is the user, but eg in the UK to some
extent it is the Police - they can demand passwords.
For the super-duper-personal-privacy-guaranteeing system - the user? To
some extent the designer?, iff he can keep user data from Gubbmint
and/or the Law?
Blackberry? For ordinary users, the Canadian gubbmint (and I imagine
most other gubbmints). For enterprise users - the users? - the
enterprise? - the Canadian gubbmint? - not sure.
Your non-political business design? Well, can users see other users'
data? Can users see other users' shared data? Can administrators see
users' data? Can helpdesk weenies? Can the pointy-haired boss?
Can the NSA?
Control.
> can probably be
> summed up in one point, perhaps "technology does not discriminate
> based on objective intent or subjective opinion". There's no need for
> points that cover essentially the same ground; that's what elaboration
> beyond the sound-bite is for.
> Also, one that I absolutely think is missing is that _security always
> favors the attacker_. (The defender has to defend against _every_
> threat; the attacker only has to find _one_ viable attack vector that
> is not adequately defended against. That attack vector might not even
> allow for a full breach; if it allows the attacker to get a toe-hold,
> it might be enough to compromise the security of the system. It also
> might not be in a place where you expect security problems at all.)
Yep, I'll consider that one for inclusion.
> Hence security in depth, your proposed #10, "design for future
> threats" (which I agree with), and observations like Schneier's Law.
>
> And of course, what happened to #14 in your list?
>
If I told you that I'd have to kill you, of course.. :)
-- Peter Fairbrother