Adam’s Law of Perversity in Computer Security
Rybolov had an interesting comment on my post, “How taxing is it to read a tape?” He wrote about how hard it can be, and closed:
I think the key is that it’s hard for the average person to read tapes if they found/stole them, but for a moderately-large organization/attacker, it’s possible.
I think this is a great example of what I call perversity in computer security. When a fellow with the best of intentions is trying to do something, it’s hard, and when the bad guy tries it, it’s easy. It’s like when you want your computer to keep data, it loses it. But when you’re trying to delete it, it’s awfully hard. Similarly, your computer often behaves in seemingly random ways. But when you’re trying to get what cryptographers call good randomness, it’s perversely hard.
There’s another place this routinely shows up, and that’s around the question of “are IP addresses personal information?” If you want to use IP addresses for security purposes, they’re notoriously poor. But if you want to use them to invade privacy, they’re often good enough. As Eric Rescorla writes in “Uh, yeah IP addresses are identifying” [link to http://www.educatedguesswork.org/movabletype/archives/2008/01/uh_yeah_ip_addr.html no longer works]:
It’s certainly true that many home users have IP addresses that are assigned via DHCP, so in principle they’re dynamic, but that doesn’t mean that you don’t regularly get the same IP. From what I hear, common practice for full-time Internet connections is to regularly assign the same IP addresses to the same host. The IP addresses change occasionally, but mostly they’re semi-static, so the IP address is generally a pretty useful identifier. And of course, even if your IP address does change regularly, it’s still possible to cross-correlate activities at multiple sites at the same time.
This is up there with my other law: “All Non-Trivial Privacy Fears Come True.”
I love your examples of the perversity of computer security. It basically sums up the entire challenge that IT security professionals face. And then, of course, you toss in the risk factor of getting people involved in the security process, and it just gets worse.
Then you’ve got the clowns who set everything insecure with no change control competing with the people wanting to clean it up who get dragged into weeks of bureaucracy over every detail.
Doing IT Security under these conditions is the biggest waste of time since the invention of television. In fact it may be the biggest waste of time since the invention of time.