Shostack + Friends Blog Archive


Unrecoverable Damage?

I’m reading through NIST SP-800-70 (pdf), the NIST guide to producing security configuration guides. Let me get more coffee before I continue. Thanks for waiting.

“If home users and other users without deep security expertise attempt to apply High Security checklists to their systems, they would typically experience unwanted limitations on system functionality and possibly unrecoverable system damage.”

Can someone explain to me how you can break a system that badly? I mean, sure, it can be hard to get a new boot block, or a new kernel in place, but once you do, you can recover things.

I’m very down on a system message that implies that modifying your computer can cause unrecoverable damage. It inherently inhibits tinkering, perhaps even more than laws do. After all, we see how effective laws against sharing music or drugs are. But scaring someone into not touching that config file with the threatened loss of all their data? There’s a security measure for you!

2 comments on "Unrecoverable Damage?"

  • I think part of the issue is, if you break the system you’ll likely call tech support. And companies have to pay someone to answer the phone. So if you modify your system you may cost them money.
    If you don’t modify your system it may be less secure, but they don’t have to pay someone if your system is secure.
    (Yes, I know that is flawed. But I can see it as their reasoning)
    Another option is that you’re correct in the “let’s stop them from tinkering” mentality. The computer is meant to feed you content you must pay for, not allow you to do new things.

  • Scott Blake says:

    I suppose it depends what one means by “unrecoverable system damage.” I can easily envision my mother, say, locking herself out of a machine such that she’d have (essentially) no choice but to reinstall the OS. I’d call that unrecoverable. Even if error is required to produce the condition, I’m very comfortable with NIST recommending that the clueless not screw up their systems.
    Your argument about the chilling effect is specious, as well. Clueless people tinkering is not a productive activity unless it is geared towards obtaining a clue. And, yes, to obtain clue one must often try things that might result in damage. Heck, fixing the damage (or starting over) is one of the best ways to learn how the system works. Those desiring to tinker, understanding that they may screw something up, will not be dissuaded by NIST.
