Computer Security Isnt

ComputerSecurityIsnt concerned with matters related to security problems of existing systems.

Analyzing how far an existing system deviates from a set of implicit and unstated security requirements is not part of security. Plugging holes in the crippled software systems which hacks have cobbled together has absolutely nothing to do with the subject of security. The better term for the practice of shysters peddling antivirus software and Unix patches is insecurity.

Security addresses certain human elements, especially those tied to expressiveness of security policies. Security does not deal with all forms of SocialEngineering. If a legitimate authority knowingly, explicitly, consciously and deliberately grants access to a specific resource to a malicious party, it is illegitimate to expect any system to fail to function for that malicious party. Certain things are simply beyond security design and any attempt to deal with them at that level will be a sham that needlessly hurts legitimate users.

I think activities related to the implementation of countermeasures to "computer security lapses" fall within the scope of computer security. If you disagree, can you do more clarifications for me pls -- dl

Let's take a specific example. Activities related to the implementation of countermeasures to Unix security lapses do not fall within the scope of computer security. They fall within the purview of computer insecurity. Unix was never designed as a secure system. It still doesn't have a set of self-consistent security requirements, let alone a secure design. Nothing to do with patching it has anything to do with security.

The problem here is that we have two radically different concepts. Security engineering and counter-cracking. The latter is in relation to the former as hacking is to systems design. -- rk

Richard I have a problem there. Most people who work in the computers field are in the business of delivery of end user solutions. Few of us work in research or academic areas. For most of us the bigger problem is responding (sometimes even proactive) to security challenges that may pop up on "legacy environments". If we go Google searching for "Computer security" we expect (and do find) lots of information related to prevention and cures. Do you agree the majority of us have an understanding of computer security different from yours? If so, I hope you are not asking the majority to change the terminology? Do you have a widely used phrase for activities related to the prevention and rectification of security situations related to topics such as WebServices? -- dl

A good term to use for any reactionary legacy work may be insecurity optimization. I don't think it's tolerable to accept, use and encourage the use of Orwellian language. Defining computer insecurity as computer security is Orwellian on a theoretical level. And on a practical level, the computer insecurity industry does more to peddle fear and insecurity than to solve any genuine security problems. And finally, the importance of computer insecurity and the amount of effort and energy invested into it, are all way out of proportion to what it deserves. -- RK

I think "insecurity mitigation" is both more accurate and generates less cognitive dissonance. (Whether generating cognitive dissonance is appropriate to the topic is left as an exercise for the WikiHiveMind?.) The crux of the current problem is that the platforms that are out there in the world today (excepting a few deployments of specialty platforms) use an ancient threat model that doesn't consider scenarios like "the user unwittingly runs something malicious" or "application goes rogue due to bug exploitation". Anti-malware and network sniffer tools are just a means of damage control.

Bombarding the user with permission popups isn't an improvement, it's capitulation in the case of "the user unwittingly runs something malicious", and blatant BlameAvoidance on the part of the software vendor. InternetExplorer and WindowsVista are prime examples of this sort of gaffe, as BruceSchneier argues at http://www.schneier.com/blog/archives/2006/04/microsoft_vista.html. The OneLaptopPerChild project takes a more comprehensive approach to security with BitFrost? (see http://dev.laptop.org/git.do?p=security;a=blob;hb=HEAD;f=bitfrost.txt), including treating programs as potential bad actors in their own right, requiring them to declare at installation time what resources they need access to (and disallowing some combinations altogether as too dangerous). -- jh

Donn B. Parker says that computer security involves 6 independent areas:

Availability
Utility
Integrity
Authenticity
Confidentiality
Possession or Control

I suspect RK is reacting to the fact that people talking about "security" seem to over-emphasize "control" and "secrecy", making incremental improvements in those areas at the cost of huge losses in the other areas.

Sometimes people, in the name of "security", make systems worse in availability, utility, or in other ways. Often, those people claim those things are "outside the bounds of computer security" (ComputerSecurityTheory ), so therefore ThatsNotMyProblem.

For example, some systems lock out a username after 3 failed guesses at a password, then you must physically visit the password lady and ask for another password. This makes it trivial for some malicious person to mount a denial-of-service attack by typing in your username, then deliberately making wrong guesses at the password until he gets the "too many wrong guesses" error message. So we get a gain in authenticity, at a huge loss in availability.

Password change policy set to reject password changes within some time, e.g. three days. This makes it impossible to change a password a second time if someone looked over your shoulder while you changed it. (The rationale behind is of course that people change their passwords twice when they have to change it regularly - to a new one, and then back to the old one again.) Solution: use a passwd program that keeps a history of changes and prevents re-use.

"Availability" also means backups (for data, programs and even hardware), something a lot of IT security departments do not take into account.

Occasionally, someone will come up with a brilliant idea that makes the overall system better (more "secure", according to Parker's definition), even when it gives up some control and secrecy. Rather than locking out people who are likely to mess things up ("attackers"), and allowing people who are less likely to mess things up to do *anything* ("friends"), often it's better to provide a safety net so that when things do get messed up (whether maliciously or accidentally), things can be put right before any real damage is done.

I'd rather have everyone in the world - including my worst enemy - know exactly what I'm allergic to, rather than run the risk that the emergency techs on the ambulance *don't* know what I'm allergic to. (When it comes to my allergies, I am *not* willing to give up availability/utility in order to increase confidentiality or control.) -- DavidCary

CategorySecurity