Skip to main content

• About
• Shostack + Associates
• Adam Shostack
• Training
• Overview
• Our Approach
• Courses
• Resources
• Overview
• Threat Modeling
• Books
• Games
• Videos
• Whitepapers
• Blog
• Contact

Shostack + Friends Blog Archive

Unrecoverable Damage?

I’m reading through NIST SP-800-70 (pdf), the NIST guide to producing security configuration guides. Let me get more coffee before I continue. Thanks for waiting.

“If home users and other users without deep security expertise attempt to apply High Security checklists to their systems, they would typically experience unwanted limitations on system functionality and possibly unrecoverable system damage.”

Can someone explain to me how you can break a system that badly? I mean, sure, it can be hard to get a new boot block, or a new kernel in place, but once you do, you can recover things.
I’m very down on a system message that implies that modifying your computer can cause unrecoverable damage. It inherently inhibits tinkering, perhaps even more than laws do. After all, we see how effective laws against sharing music or drugs are. But scaring someone into not touching that config file with the threatened loss of all their data? There’s a security measure for you!

Originally published by adam on 30 Aug 2004
Last modified on 30 Aug 2004
Categories:   Uncategorized   Usability   

2 comments on "Unrecoverable Damage?" 

• Bryan L. Fordham says:
  30 Aug 2004 at 4:03 pm
  I think part of the issue is, if you break the system you’ll likely call tech support. And companies have to pay someone to answer the phone. So if you modify your system you may cost them money.
  If you don’t modify your system it may be less secure, but they don’t have to pay someone if your system is secure.
  (Yes, I know that is flawed. But I can see it as their reasoning)
  Another option is that you’re correct in the “let’s stop them from tinkering” mentality. The computer is meant to feed you content you must pay for, not allow you to do new things.
  
  
• Scott Blake says:
  30 Aug 2004 at 4:24 pm
  I suppose it depends what one means by “unrecoverable system damage.” I can easily envision my mother, say, locking herself out of a machine such that she’d have (essentially) no choice but to reinstall the OS. I’d call that unrecoverable. Even if error is required to produce the condition, I’m very comfortable with NIST recommending that the clueless not screw up their systems.
  Your argument about the chilling effect is specious, as well. Clueless people tinkering is not a productive activity unless it is geared towards obtaining a clue. And, yes, to obtain clue one must often try things that might result in damage. Heck, fixing the damage (or starting over) is one of the best ways to learn how the system works. Those desiring to tinker, understanding that they may screw something up, will not be dissuaded by NIST.
  
  

Comments are closed. 

Popular Content

• Threat modeling posts
• The Security Principles of Saltzer and Schroeder, illustrated with Star Wars
• Other Star Wars posts
• About this blog
• Modeling Attackers and Their Motives 
• Doing science with near misses

Subscribe (RSS/Mail)

RSS: If you'd like to subscribe, you can get the ATOM feed here.

Email: If you'd like every blog post by email, a service like this might help. If you'd like a lower volume set of updates on what Adam is doing, Adam's New Thing gets only a few messages a year, guaranteed.

Our site works best with Javascript enabled, however we have done our best to minimize any negative impacts to your experience without it.

• © 2021 Shostack + Associates  |  Privacy Policy