Full Disclosure mailing list archives
Re: New paper on Security and Obscurity
From: gadgeteer () elegantinnovations org
Date: Wed, 1 Sep 2004 02:55:14 -0600
On Tue, Aug 31, 2004 at 11:10:01PM -0400, Peter Swire (peter () peterswire net) wrote:

[...]

(top of p. 6) If the patch is not available and taking the system off-line or disabling are not possible, the owner, now knowing of the vulnerability, can monitor that function more closely.

(p. 6) On first reading, (B2) seemed to imply that military paradigm designers are idiots who do not learn from their mistakes. A second pass suggested that an attack/defense scenario is a one-time affair. The latter depends on how one keeps score. For those who die on the field of battle as a result, any appeal to a god-like designer is no relief. For them it is, in fact, a one-time event from which no lessons will be gleaned. For those whose ambitions for power led them to manipulate the social calculus such that others went into harm's way, the lessons to be learned are very different. The history of weapon technology speaks loudly of the lessons they are interested in. Secrecy, suppression of dissent, and propaganda are hallmarks, and so deeply ingrained in modern society that many do not even question what, or even if there are any, benefits to waging war. Or who would so benefit.

So, to perpetuate the military paradigm, specialists who do not question the underlying assumptions must be found and employed. Those who think outside the box would find other solutions that would depose those who would seek such power over others. The Great Cold War of the last century was not won through military means. It was not won by US political leaders. It was won by Levi jeans and bottles of Coke. That is to say, it was won by a highly distributed, non-zero-sum marketplace. A bazaar of ideas that a monopolistic structure cannot compete against in the long run.

Ah, now I am veering off from my original criticism of the assumptions that support the very concept of a military paradigm. The framing of (B3) in a WWII analogy of the Navy being the defender is a staying-inside-the-lines strawman. The real historical lesson to be taken from WWII is how to stop rogue politician(s) from acting unilaterally. I will give you a hint. The solution will not be found in secrecy.

(p. 8) In the analysis of (C1), the first thing to realize is that there are over 6 billion people on this planet. Despite what minority politicians (nearly all politicians are minority politicians (especially those in D.C.)) would have us believe, people are not particularly different from one another. As good as humans are at facial recognition, even folks who don't get out much will run into people who "look just like my best friend in grade school". The problem is false positives. A hypothetical terrorist organization should view such "watch lists" as retirement lists.

Another thing is, why try and get a copy of such a list? Want to know if you are on a list? Get on an airplane. If you get "special treatment", odds are good the name you go by is on a list. So what? Due to false positives, not much is going to happen. The "not much is going to happen" occurs hundreds, thousands of times every day. The result: "defender fatigue". So, billions of dollars, untold hours of inconvenience, and non-calculable stress on the very fabric of society to catch how many "terrorists"? Maybe I slept in and did not read the story that day when they caught one using such a list. As Bruce Schneier has been fond of saying lately, "Security is a trade-off." And Brother, this one sucks.

Just as the FBI renamed Carnivore. Just as DoD renamed TIA. Now the TSA is renaming CAPPS II. Why? This type of measure does not work. Anyone with a clue knows this. So, why? What are the benefits? Who accrues those benefits? In a society as complex as ours, a better framing would be "what are the different benefits" and "who are the various entities they accrue to?"

Well, I only made it as far as page 8. There is a place for secrecy in security. I am not going to tell you my password. However, the premises laid out up to this point are sand.

--
Chief Gadgeteer
Elegant Innovations
Current thread:
- New paper on Security and Obscurity Peter Swire (Aug 31)
- Re: New paper on Security and Obscurity gadgeteer (Sep 01)
- Re: New paper on Security and Obscurity Dave Aitel (Sep 01)
- Re: New paper on Security and Obscurity gadgeteer (Sep 01)
- Re: New paper on Security and Obscurity stephane nasdrovisky (Sep 01)
- Re: New paper on Security and Obscurity stephane nasdrovisky (Sep 01)
- Re: New paper on Security and Obscurity Barry Fitzgerald (Sep 01)
- RE: Response to comments on Security and Obscurity Peter Swire (Sep 01)
- RE: Response to comments on Security and Obscurity Dave Aitel (Sep 01)
- Security & Obscurity: First-time attacks and lawyer jokes Peter Swire (Sep 02)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Georgi Guninski (Sep 02)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Honza Vlach (Sep 03)
- RE: Response to comments on Security and Obscurity Peter Swire (Sep 01)
