[Cryptography] protecting information ... was: we need to protect our dox

John Denker jsd at av8n.com
Wed Nov 9 16:41:54 EST 2016 

On 11/07/2016 07:18 PM, Benjamin Kreuter wrote:

[640 words snipped]

>> In my (humble) experience one of the biggest UX
>> failures of PGP is that there is no easy way for people to sit down at
>> some random computer and read their mail.  That is how people use
>> email; a hardware token is one of the only good ways to align email
>> encryption with that usage pattern.
>> 
>> Maybe people would find that annoying, but I doubt it -- 2FA has been
>> pretty successful

Anybody who "sits down at some random computer" to do confidential
work is doomed.  2FA will not help.  492FA will not help.

Here "work" includes email and everything else.

Perhaps the intended scenario was something like this:
  Moving from machine to machine within some secure environment.

Relevant proverb:
  If you don't have physical security, you don't have security.

As part of asking
  What's Your Threat Model (WYTM)?
we need to ask
  What's Your Security Perimeter (WYSP)?

This is why security is hard, and will always be hard:  The
defender has to secure every door, every window, and every
keyboard ... while the attacker only needs to break one.


It would be a mistake to formulate the goal in terms of protecting
the «nodes» or the «wires» or even the «dox».  Such things are
merely oversimplified corollaries of the larger goal, which is
to protect the /information/.

As mentioned back on 09/09/2016 10:47 AM, I recommend:
  Laura J. Heath,
  "An Analysis of the Systemic Security Weaknesses of
   the U.S. Navy Fleet Broadcasting System, 1967-1974,
   as Exploited by CWO John Walker"
  Master's Thesis, U.S. Army Command and General Staff College (2005)

Here's the nut graf:

> A larger issue is the question of what is being audited. The FBS audit system
> checked the chain of custody on the key cards, on the implicit assumption that the key
> cards were what needed to be guarded. It attempted to exhaustively document who
> handled them, from their creation to their ultimate destruction, on the assumption, once
> again, that if only cleared personnel got access to the key cards, then they would be safe
> from compromise. Using the modern concepts of data confidentiality and availability,
> however, it is clear that the /data/ was what needed to be protected. Control of the paper
> key cards was important, but only because of the data punched onto them--which means,
> for example, that having two-man control over the destruction of key cards is irrelevant if
> there are no controls at all on the photocopier.

Emphasis in the original:  /data/.

Protecting secret /data/ aka /information/ is a lot harder than protecting
wires, nodes, or documents.

More information about the cryptography mailing list