Stephen Gregory <nslug at kernelpanic.ca> wrote:

> Encryption often looks easy but it is actually a hard problem. Using
> the algorithms is trivial. Using the algorithms correctly and
> securely is considerably harder[1].

I believe this.  I've read Applied Cryptography and browsed some
RFCs. And I don't really grok it in its fullness.  How can I know that
"certs" are handled properly by my software or theirs? That issuers
are actually on the side of righteousness?  I have fair confidence
(but only fair) that the coders will do their best and pursue bugs
with due vigor.  But how do I know that the system admins -- a very
heterogeneous bunch -- will install and configure things as securely
as the coders and intend?  That they will actually implement the
advice from consultants such as Bruce Schneier if numerous layers of
management have to approve the possibly onerous cost of doing so?  And
that's overlooking overt malice altogether.

I've been reading comp.risks for years.  I recall a case reported
there in which an ATM had failed in some way.  The temporary fix was a
nice little US Robotics modem sitting on top, lights blinking and
unattended wires dangling.  What I take from comp.risks is that the
heart-warming reassurances about information security proffered by
banks and other on-line commercial entities are rather like the
cheerful, chirpy video full of cute animation and dignified voice-over
that your dentist may show you about a root canal treatment before he
excavates your central nervous system with a power tool.  It is not,
under optimal assumptions, factually wrong.  But it's intended to
persuade rather than inform.

I actually understand tooth anatomy and physiology fairly well and can
just ho-hum past those vacuous videos.  Not so with digital data

Did I mention that, in addition to running iptables, I normally have
an xterm peeking out from behind whatever I'm doing on line that's
running tcpdump of all but certain commonplace packets?  And that I
have a script always running in the background that plays loud barred
owl calls any time certain important system files change?  Amateur and
hackerish, perhaps, but I think I understand it.  Most of the online
security reassurances appear to me like a black box, slathered with
stickers bearing comforting slogans.  Posts to comp.risks and the
increasingly frequent reports of major data loss/theft/disappearance
do nothing to alter that impression.

BTW, Stephen, you indicated a footnote with "[1]" but then omitted to
append the footnote itself.

