[EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security

Jonathan S. Shapiro shap@cs.jhu.edu
Thu, 05 Apr 2001 13:36:07 -0400


"Mark S. Miller" wrote:
> 
> At 06:52 AM Thursday 4/5/01, Jonathan S. Shapiro wrote:
> >Nothing's ever perfect.
> 
> Very bad slogan, especially in this context.  It lends support to the most
> dangerous common misunderstanding about computer security: that it's always
> necessarily vulnerable to the next yet cleverer hacker....

You are absolutely right. What I should have written was:

	In the real world, nothing's ever perfect, but
	some things are more perfect than others.

The issue at hand is not the feasibility of mathematical perfection in a
quantum universe. The issue at hand is that every real system is
designed under assumptions about the environment in which it operates.
These assumptions are (hopefully) predicated on a cost/benefit analysis
for the attacker and a risk analysis for the defender. These assumptions
are fallible.

The problem lies in the fact that a perfect application of perfect
defensive measures is infinitely expensive. Therefore, there are
*always* tradeoffs in security measures and consequent opportunities for
exploitation.

The importance of techniques like confinement or cryptography is that
they provide a broadly applicable tool that results in across-the-board
cost reduction. This makes better systems feasible at a given price
point.

So in the limit, I think that security pretty much *is* always
vulnerable to the next yet cleverer hacker. Not because of failures in
the techniques, but because of errors in the judgement of the people who
prioritize, deploy, and apply them.


Jonathan