From: Richard Outerbridge on 30 Mar 2010 10:39

In article <yuWdnbxHIPezlC_WnZ2dnUVZ_hSdnZ2d(a)giganews.com>, "Datesfat Chicks" <datesfat.chicks(a)gmail.com> wrote:

> This is a "competing constraint" in that human memory is in conflict with
> having every password distinct.

Agreed: password constraint is a fundamental unsolved problem.

outer
From: bmearns on 30 Mar 2010 11:51

On Mar 30, 10:13 am, Richard Outerbridge <ou...(a)interlog.com> wrote:

> In article <3fbc3277-ac9b-4e5c-beed-bb9dccfd3...(a)33g2000yqj.googlegroups.com>,
> bmearns <mearn...(a)gmail.com> wrote:
>
> > If there's blame to be assigned (and I'm not entirely convinced that
> > there is), I think a significant portion should belong to the companies
> > who have marketed computers and the Internet as an appliance. That's
> > simply not the case; you can't just buy a computer, plug it in, and
> > expect everything to work correctly and safely. There's a non-trivial
> > amount of uncommon knowledge necessary to really appreciate the
> > implications of what you're doing and what others are having you do.
>
> Ah, but that's the end-use case we're dealing with: why is my computer
> any different than my microwave? Or maybe we need to require computer
> operator licenses, like driver's licenses and (in Canada) gun licenses?
>
> outer

Why is a computer different than a microwave? Why is a raven different than a writing desk? They're just different things, and this whole cultural expectation that they be the same is just wishful thinking. Worse, it puts people in the wrong frame of mind when dealing with them, and leads people to assume that it is safe by default and one would have to go out of one's way to use it dangerously, rather than the other way around.

I'm really not trying to suggest that anybody has any particular obligation to make it otherwise; I'm just making an observation about why so many people suffer from bad security. A complex technology has been developed and, through the strange and subtle events of history, has made its way into everyday society. It's an odd and somewhat unfortunate anomaly in our civilization, but I really don't think anyone is to blame for it, nor should anybody be held responsible for it.

I do think the computer companies exacerbate the problem somewhat with their appliance-driven marketing, but I didn't mean to suggest that they're especially guilty of any wrongdoing.

-Brian
From: Richard Outerbridge on 30 Mar 2010 12:09

In article <087e6dbe-f673-4084-b86f-a7a8da0dae93(a)z11g2000yqz.googlegroups.com>, bmearns <mearns.b(a)gmail.com> wrote:

> > Ah, but that's the end-use case we're dealing with: why is my computer
> > any different than my microwave? Or maybe we need to require computer
> > operator licenses, like driver's licenses and (in Canada) gun licenses?
>
> Why is a computer different than a microwave? Why is a raven different
> than a writing desk?

I gather then that you've seen Alice :-)?

> They're just different things and this whole
> cultural expectation that they be the same is just wishful thinking.
> Worse, it puts people in the wrong frame of mind when dealing with
> them, and leads people to assume that it is safe by default and one
> would have to go out of one's way to use it dangerously, rather than
> the other way around.
>
> I'm really not trying to suggest that anybody has any particular
> obligation to make it otherwise,

I humbly suggest that any security professional does, and must.

> I'm just making an observation about
> why so many people suffer from bad security. A complex technology has
> been developed and, through the strange and subtle events of history,
> has made its way into everyday society.

Rather like steam boilers, automobiles, and rifles, eh?

Let alone microwaves.

outer
From: bmearns on 30 Mar 2010 13:33

On Mar 30, 12:09 pm, Richard Outerbridge <ou...(a)interlog.com> wrote:

> In article <087e6dbe-f673-4084-b86f-a7a8da0da...(a)z11g2000yqz.googlegroups.com>,
> bmearns <mearn...(a)gmail.com> wrote:
>
> > > Ah, but that's the end-use case we're dealing with: why is my computer
> > > any different than my microwave? Or maybe we need to require computer
> > > operator licenses, like driver's licenses and (in Canada) gun licenses?
>
> > Why is a computer different than a microwave? Why is a raven different
> > than a writing desk?
>
> I gather then that you've seen Alice :-)?
>
> > They're just different things and this whole
> > cultural expectation that they be the same is just wishful thinking.
> > Worse, it puts people in the wrong frame of mind when dealing with
> > them, and leads people to assume that it is safe by default and one
> > would have to go out of one's way to use it dangerously, rather than
> > the other way around.
>
> > I'm really not trying to suggest that anybody has any particular
> > obligation to make it otherwise,
>
> I humbly suggest that any security professional does, and must.

Security professionals have an obligation to make the systems they work on safe, and to educate their users. I don't think it falls on their shoulders to educate the entire population of web users.

> > I'm just making an observation about
> > why so many people suffer from bad security. A complex technology has
> > been developed and, through the strange and subtle events of history,
> > has made its way into everyday society.
>
> Rather like steam boilers, automobiles, and rifles, eh?
>
> Let alone microwaves.
>
> outer

From an operational perspective, all of those things are significantly less complex than a computer. I'm not talking about the underlying mechanisms, I'm referring to the complexity of actually using it. You pull a trigger, push some buttons, etc., and they pretty much do what you expect them to, though I'll grant you that modern autos can be operationally pretty complex as well. But that isolation between the underlying mechanisms and the operational behavior is not as distinct on computers, and in particular with network applications.

One way of describing it might be to say that a rifle, a steam boiler, and a microwave are essentially black boxes, whereas a computer is more like a white/transparent box. When you pull the trigger, you know what's going to happen: the bullet's going to fire. You may not know exactly what's going on "behind the scenes", but you really don't care because it's pretty much entirely encapsulated. When you submit a password to log in to a website, you know what's going to happen, too: you're going to be granted access to the web service. But in this case, the "behind the scenes" is not remotely encapsulated, and an ignorance of what happens back there is a serious security risk.

-Brian
From: Richard Outerbridge on 30 Mar 2010 20:42

In article <1b1c5b7f-6f6b-48e5-adcc-d30b9c59b2a9(a)b30g2000yqd.googlegroups.com>, bmearns <mearns.b(a)gmail.com> wrote:

> > Rather like steam boilers, automobiles, and rifles, eh?
>
> From an operational perspective, all of those things are significantly
> less complex than a computer. I'm not talking about the underlying
> mechanisms, I'm referring to the complexity of actually using it. You
> pull a trigger, push some buttons, etc., and they pretty much do what
> you expect them to, though I'll grant you that modern autos can be
> operationally pretty complex as well. But that isolation between the
> underlying mechanisms and the operational behavior is not as distinct
> on computers, and in particular with network applications.
>
> One way of describing it might be to say that a rifle, a steam boiler,
> and a microwave are essentially black boxes, whereas a computer is
> more like a white/transparent box. When you pull the trigger, you know
> what's going to happen: the bullet's going to fire. You may not know
> exactly what's going on "behind the scenes", but you really don't care
> because it's pretty much entirely encapsulated. When you submit a
> password to log in to a website, you know what's going to happen, too:
> you're going to be granted access to the web service. But in this
> case, the "behind the scenes" is not remotely encapsulated, and an
> ignorance of what happens back there is a serious security risk.

Recently I inherited an obsolete rifle that was subject to a safety recall 30 years ago. Who would have thought that if you pulled the trigger while the safety was on, and the gun had a chambered round, when you released the safety the gun might go off? Who knows what might have happened had I instead inherited a Toyota?

My point is that steam boilers, automobiles and rifles are black boxes because they have evolved into technology that can be handled by idiots. Your point is, if I may speak for you, that computers aren't there yet.

So why do we continue to sell computers to idiots if they are becoming as dangerous as unlicensed steam boilers, automobiles and rifles have proven to be in the hands of idiots, without any of the idiot-proofing?

outer