RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!

From: Andrew Plato (aplato@private)
Date: Wed Sep 04 2002 - 14:26:17 PDT

  • Next message: Dorning, Kevin E - DI-3: "RE: CRIME Issues"

    > > I should note that I was very much an anti-biometric guy 
    > like you and 
    > > Crispin
    > > until I started playing with this mouse. I won't claim its perfect, 
    > > but its certainly
    > > one of the best I've ever seen.
    > 
    > I believe that playing with the product would convince Andrew of the 
    > device's usability, but I don't see how this would convince anyone of 
    > its security. You cannot test for security, you can only test for 
    > *insecurity*.
    
    I disagree. That argument, which is very prevalent in the security industry, is indicative of a sort of tunnel vision. The mere process of attempting to break something does not, necessarily, prove its insecurity.
    
    How...read on.
    
    > What was it about your experience that convinced you that the threat 
    > presented by Tsutomu Matsumoto 
    > <http://www.counterpane.com/crypto-gram-0205.html#5> is somehow not 
    > applicable?
    
    What is the probability that a employee or user is going to go to the trouble of building a fake thumb, steal a thumbprint from a coke can, and then use it to get into a computer? Just because something is possible, does mean it is probable. Moreover, if a person was to undertake such measures to break into a computer, what is the likelihood that those ancillary actions (squirreling away coke cans) wouldn't also arise suspicion. 
    
    That said, consider the reality of performing one of the intrusions mentioned in the counterpane article is low. You must remember that the person who wrote the original report had the time, resources, and motivation to perform a specific act - break biometrics. And he did, quite successfully. But just because he was able to prove that such a thing was possible, does not mean that such activities are probable. 
    
    Furthermore, assuming 2-factor authentication was used with biometrics, our gummy thumb-maker would still need to know a password to get on to the system. So even after all his trouble to build a fake thumb, he is still straddled with ripping off a password.
    
    Hence my complaint with how security (or lack of security) is tested. People obsessively bang away on systems night and day looking for vulnerabilities. Cool. Then they report them. And security folks then uses these bugs as proof that XYZ technology is insecure. But merely finding a hole does not make something insecure. Security is not an absolute measure. Its a concept with an infinite amount of degrees from nothing to everything. 
    
    Therefore, the intense focus on security holes is very misleading. It places an extraordinary emphasis on locating holes, but virtually zero emphasis on the PROBABILITY of those holes ever being exploited. 
    
    Fort Knox has the world's most sophisticated security system. But were somebody to drop a nuclear bomb on Fort Knox, it likely wouldn't survive such an attack. So why doesn't Fort Knox have a anti-nuclear bomb system? Because the probability of somebody dropping a nuclear bomb on Fort Knox is extremely small. Thus it does not justify the expense. 
    
    Just because I CAN perform a certain kind of hack, doesn't mean the Internet will be flooded with those hacks. 
    
    Remember that guy Steve Gibson. He got famous back in 2000 screaming that the Internet was going to come to a halt when Microsoft released WinXP because it used "raw sockets." This would cause the hacker community to unleash hacks hereto unheard of and wipe out life as we know it. He was on every news show and web site there for a while. 
    
    None of it came true. Why? Gibson was about 25% correct. Yes, some of the hacks he cited as an example were very possible with "raw sockets." But who the hell was going to do them? And who the hell has time to code an army of worms to exploit them? And those worms that did do it were relatively quickly snuffed out by virus scanners. 
    
    Gibson, like many other security folks, fell victim to "purist thinking." He saw that something was possible and then immediately assumed it was inevitable. The possible became the absolute in his mind. He failed to consider even a few of the numerous mitigating factors that rapidly rendered the possible to the virtually impossible. 
    
    When it comes to implementing security, getting caught up in obsessing over the "possibilities." The mere existence or potential existence of a security threat does not make a technology useless. Were this true - all technologies, ever made would be useless. Moreover, just because something "seems easy" to us (technically skilled nerdy types) doesn't mean its easy to everybody else. The world is mostly made up of morons who neither have the time, energy, or resources to carry out many of the attacks that have been discovered. 
    
    ------------------------------------
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    (503) 644-5656 office
    (503) 201-0821 cell
    http://www.anitian.com
    ------------------------------------
    



    This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 15:26:15 PDT