[Cryptography] The Laws (was the principles) of secure information systems design

Jerry Leichter leichter at lrw.com
Thu Jul 21 07:08:08 EDT 2016


>> Law 1: Someone else is after your data
> 
> Well, Robert Morris Sr. had a fantastic principle that security boils down to a 2x2 matrix of how much someone else wants your data, and how much you care if it's known. If you don't care about something and they don't care, then we have something close to a no-op. If you don't care and they do, then they're going to get it and you don't care. If you care and they don't, you're wasting effort -- and this is itself interesting. It's only in the quadrant where they care and you don't want them to get it that things get *really* interesting. Part of good security is learning to divert effort from protecting things you care about from things they don't care about to things they do.
I'm not sure of the continuing validity of Morris's analysis.  Big data, sophisticated analysis of metadata, all kinds of correlation analyses, have made it very difficult to know exactly what data I can safely "not care if its known".  I would have thought that no one would care if Netflix made anonymized records of movie preferences known, because without identifying information, hey, it isn't even "my data".  And yet that data was de-anonymized.

Granted, in that case, for most people, their viewing preferences were *also* something "they didn't care about".  But that's just a very early and telling example.

Note recent discussions about whether Wikipedia should use HTTPS.  All the information there is public.  What's the point of encrypting it?  And yet....

Personal story:  When drugs, poisons, explosive chemicals, whatever get mentioned in TV shows or books, I have a habit of looking them up on Wikipedia. Often there's little connection between what the substance actually does and what it's claimed to do in fiction, but I happen to like to read about the chemistry and pharmacology and such of these substances.  Just last night, I got around to reading The Martian - which lead to an interesting tour through the chemistry of hydrazine, and then of sodium azide - formerly used in air bag inflators so perhaps readily available in millions of junked cars, and a poison with a potency similar to cyanide.  Who knew?

But I do worry sometimes about what a prosecutor might make of my Wikipedia reading habits....
                                                        -- Jerry



More information about the cryptography mailing list