Full Disclosure mailing list archives
Security & Obscurity: physical-world analogies
From: "Peter Swire" <peter () peterswire net>
Date: Thu, 2 Sep 2004 12:24:44 -0400
Here are arguments for why it is useful to think systematically about the relationship between computer- and physical-security issues. Yaakov Yehudi's comment is similar to other critiques:
A firewall is more akin to a specialized filter medium, but filter mediums aren't used as the entrance or exit to a military base. It is probably possible to find analogies between the information security world and physical - but only on a piecemeal basis, and that is simply irrelevant and pointless. Peter might be much better to concentrate on the realities and forget about straw-man analogies. What do you think?
I think there is a strong analytic similarity between a firewall and physical settings where guards are deciding whether to let people/trucks/etc. through a gate. In both cases, the outsiders might be attackers who want to gain control over the system (physical attackers infiltrating and computer attackers seeking root control). In both cases, the outsiders might be attackers who want to get information about the inside (physical attackers spying out the lay of the land and computer attackers downloading files or getting other information). In both cases, there is "filtering" by the defenders. Some entrants are excluded. Some get more intensive screening. The level of filtering varies with the perceived level of the threat.

Three reasons why studying physical and computer security together is useful.

First, at the level of analytic understanding, the paper tries to give a unified way to assess when openness is likely to help security (conditions closer to what the paper calls the Open Source paradigm) and when openness is likely to reveal vulnerabilities that create net problems (conditions closer to what the paper calls the Military paradigm). A unified theory is an academic/intellectual gain.

Second, policymakers in the government and management in companies have to decide, every day, what should be secret and what should be open. Not everyone has time to read FD an hour a day to become expert in all these things!! The paper tries to give a useful way for decisionmakers to get an approximation of what sorts of things should be disclosed. A unified approach can help decisionmakers.

Third, the paper argues that openness is far more likely to be the right choice in networked and computer settings than in traditional physical settings. The variables identified in the paper, such as number of attacks and communication among attackers, tilt heavily toward openness. A unified approach alerts readers that openness is likely to be the logical outcome today more often than it was in the less-networked and less-computerized past.

Peter

Paper at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html