[Cryptography] How to De-Bollocks Cryptography?
Kent Borg
kentborg at borg.org
Tue Aug 6 12:35:52 EDT 2024

On 8/5/24 04:53, Ralf Senderek wrote:
> I firmly believe that Peter's conclusion [1] is correct:
>
> "COMPLEXITY IS THE ENEMY OF SECURITY"
>
> So we must find practical ways to solve the complexity
> problem or at least to tackle it.

It seems to me, if I may, that Peter's pdf kind of echoes a party pooping
post I think I made here a while back.

Cryptography is kind of over. What has been developed is really
complicated, and deploying it is kinda complicated, but if deployed
carefully, it works really well! The "deployed carefully" part *is*
important: get the cypher mode correct, don't mess up the initialization
vector, don't use default/zero keys, salt your password hashes, etc.

Yes, tricky, but it can be done. Hire some someones who know something,
give them enough time to do careful work, be worried enough, but then
move on to the hard parts:

1. Know what machines and software you are even running.

2. Don't leave sensitive unencrypted data just sitting on the internets
   in a public S3 store. (In the news regularly.)

3. Don't leave databases of sensitive data just sitting on the internets
   without a password. (In the news regularly.)

4. Don't allow attackers to append to your URLs a ";" followed by an
   internal path, and get free access. (In the news a few days ago.)

5. Etc.

But those things should be *easy*, right?

No, not if the system is so complex that we can't even do #1. There are
multiple cybersecurity companies out there that seem to be doing good
business just selling services that try to tackle aspects of #1.

Oh, and once you hire a few (!) companies to help with #1, and plumb
them into your systems…? You have made your too-complex system, even
more complex!

Do companies even know what all other companies they have hired and
given internal access to? Maybe time to start an ESIaaS (External
Service Identification as a Service) company.

I'm imagining the bold old days of Willie Sutton knocking over banks and
someone needed to explain to banks that it is important to have a
complete roof, walls ALL the way around the building, doors in all the
openings, locks on the doors, and pins in the hinges. But the banks
didn't listen because they already have "best practices" and they are
"idiomatic" in how they follow "design patterns". Grrrr.

-kb, the Kent who does his best to be a party pooper.