False sense of security (re: Snake oil...)

Daniel J. Frasnelli (dfrasnel@csee.wvu.edu)
Wed, 7 Apr 1999 13:34:30 -0400 (EDT)

• Next message: Ben Laurie: "Re: Vernam Cipher"
• Previous message: Trei, Peter: "PalmPilot SecurID security."
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• Next in thread: David Honig: "Re: False sense of security (re: Snake oil...)"
• Reply: David Honig: "Re: False sense of security (re: Snake oil...)"

(sorry for the late reply, had to deal with an emergency this morning)

That web page provided ample amusement for the evening :)

I want to point something out that is often overlooked when reading
these "snake oil" ads. The general public and even many non-crypto/infosec
professionals are drawn into shams designed to throw a lot of
semi-recognizable buzzwords and statistics in one's face. Why?
Lack of solid public education on intelligence/crypto issues contributes
greatly to this ignorance. I do not think that this is due to some
massive conspiracy by a blackops government agency, but rather this:
The general public asks "Why should I take the time to learn about
 cryptography? It's not like I'm breaking the law.."

In the United States, clandestinity (new word, I guess) is linked
to the dark side of computing - thanks in great part to the popular
media and the Hollywood crowd. The public in general is very ignorant
of exactly what someone can do with even minute information details.

While doing some consultant work the other day, the client
asked me: "So if I start using PGP and SSH all the time, nobody
 can get at my data, right?". I replied "No, not unless you
 factor in things like pinhole video cameras over your keyboard and
 monitor."
This is how much of the computing world views cryptography and
security software - the be-all and end-all of safe computing.

Let me rephrase that.. this is how many security professionals
view crypto and security software. We have become so comfortable
with our algorithms, our protocols, and our technology that it
is difficult to think outside the realm of our little secure castles.
While perched atop the lookout tower, confident in our methodologies,
a subversive might be entering the castle in a way we would never
consider. And when the mode of entrance into our information vault
is discovered, we so easily pass off the blame with "Well who would
 have thought that little chink in the armor could be used that way..."

I strongly feel that security needs to be interdisciplinary,
integrated, and a team effort. Tunnel vision is the fatal
flaw of many security analysts, but it can be cured through
constant re-evaluation of policy, programs, and protocol
from different angles. It's not paranoia; it's called
thinking like a thief to stop the thieves.

If anyone has not done so already, please read the two essays by
Bruce at http://www.counterpane.com/whycrypto.html and
http://www.counterpane.com/pitfalls.html. I am working on two
reports along a similar theme, and will make them available to the
list when complete.

I offer these thoughts not as a self-professed expert, but as someone
who has learned from sorrows of discovering security lapses
right under his nose. Hope someone finds this useful ;)

Dan

• Next message: Ben Laurie: "Re: Vernam Cipher"
• Previous message: Trei, Peter: "PalmPilot SecurID security."
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• Next in thread: David Honig: "Re: False sense of security (re: Snake oil...)"
• Reply: David Honig: "Re: False sense of security (re: Snake oil...)"