lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: peter at peterswire.net (Peter Swire)
Subject: Security & Obscurity: physical-world analogies

	Here are arguments for why it is useful to think systematically
about the relationship between computer- and physical-security issues.

Yaakov Yehudi's comment is similar to other critiques:
  
> A firewall is more akin to a specialized filter medium, but filter
mediums
> aren't used as the entrance or exit to a military base.
> 
> It is probably possible to find analogies between the information
security
> world and physical - but only on a piecemeal basis, and that is simply
> irrelevant and pointless.
> 
> Peter might be much better to concentrate on the realities and forget
> about straw-man analogies.  What do you think?

	I think there is a strong analytic similarity between a firewall
and physical settings where guards are deciding whether to let
people/trucks/etc. through a gate.

	In both cases, the outsiders might be attackers who want to gain
control over the system (physical attackers infiltrating and computer
attackers seeking root control).

	In both cases, the outsiders might be attackers who want to get
information about the inside (physical attackers spying out the lay of
the land and computer attackers downloading files or getting other
information).

	In both cases, there is "filtering" by the defenders.  Some
entrants are excluded.  Some get more intensive screening.  The level of
filtering varies with the perceived level of the threat.

	Three reasons why studying physical and computer security
together is useful.  First, at the level of analytic understanding, the
paper tries to give a unified way to assess when openness is likely to
help security (conditions closer to what the paper calls the Open Source
paradigm) and when openness is likely to reveal vulnerabilities that
create net problems (conditions closer to what the paper calls the
Military paradigm).  A unified theory is an academic/intellectual gain.

	Second, policymakers in the government and management in
companies have to decide, every day, what should be secret and what
should be open.  Not everyone has time to read FD an hour a day to
become expert in all these things!!  The paper tries to give a useful
way for decisionmakers to get an approximation of what sorts of things
should be disclosed.  A unified approach can help decisionmakers.

	Third, the paper argues that openness is far more likely to be
the right choice in networked and computer settings than in traditional
physical settings.  The variables identified in the paper, such as
number of attacks and communication among attackers, tilt heavily toward
openness.  A unified approach alerts readers that openness is likely to
be the logical outcome today more often than it was in the
less-networked and less-computerized past.

	Peter

Paper at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ