Monday, March 28, 2011

Peter Gutmann on Computer Security Mentality

Well-known security researcher Peter Gutmann has a draft of his book on Engineering Security available on his web page. He has a lot of good commentary about challenges that the security community is facing. So far, my favorite passage challenges the common mentality that security has to be 100% or it's just not worth having.

Engineering an effective security solution in the presence of security geeks is an extremely difficult problem... Consider as an example of this a world where no-one ever locks their front door when they leave the house, and someone suggests that fitting locks and actually using them might help in dealing with the spate of burglaries that have occurred recently. This would be totally unworkable. If you lost your key you’d be unable to get into your own house. Conversely, anyone who found it or stole it could now get in. For a house with multiple occupants you’d need to get a new key cut for everyone in the house, including any temporary guests who were staying for a few days. If a neighbour dropped by to return an item that they’d borrowed they wouldn’t be able to get in. If there was a fire then emergency services wouldn’t be able to get into the house to look for people who might be trapped there. Door locks are obviously completely unworkable, and therefore not even worth trying. Better to leave the burglars a free hand than to even attempt a flawed security mechanism of this type.


Janne said...

I agree with the sentiment, it's hard to cope with security geeks... meaning security laymen. :-)

Although, admittedly, even security professionals seem to sometimes forget that there's the A even in the old CIA triad. However, anybody even with rudimentary education in information security should have heard about availability.

I was just joking last week when a friend of mine posted on Facebook that in a mall the only open WiFi network was called "WHO CARES ABOUT SECURITY". I was saying to him that, well, it is a "secure" network, just has much more emphasis on A than on C or I.

