Comments: the most magical question of all -- why are so many bright people fooling themselves about the science in information security?

Nice idea forgoing the valid certificate for HTTPS. Are you using it as another way to make your point?

Posted by Marcus at January 28, 2010 04:22 PM

probably not wanting to pay the "Certificate Authority" cartel primarily operated by CIA,NSA-contractor spinoff Verisign/SIAC type companies that almost surely have the ability to do man-in-the-middle viewing of "encrypted" traffic via the backbone providers which are now well documented to allow nearly unlimited tapping requests?

Posted by coh at January 28, 2010 04:47 PM

A ha ha it's not like the page needs to use https. It's a blog for godsake.

Posted by kbp at January 28, 2010 06:09 PM

As far as the security community is concerned, it is simple denial. Consumers want to use the computer to perform tasks, not become part of daily maintenance rituals.

Since the security community doesn't know how to fix a failed security model, they rationalize point solutions in order to milk the cash cow. Better to promote bad science than no science for that noble cause.

Why denial? The real science is more likely found in the writings of Roger Schell and the paper linked below.

The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments

Posted by Rob Lewis at January 29, 2010 10:45 AM

Add to your list things that everyone thinks works but hasn't been validated ...

1) fingerprints - see Simon A Cole for details.
2) sniffer dogs for drugs/explosive (court case in London, pending)

Posted by gyges at January 29, 2010 11:47 AM


Are we a science? I would suggest that if you follow Kuhn, we fit the definition of a proto-science very, very well.

Posted by Alex at January 30, 2010 03:50 PM


As normal I'm late to the party on this one...

As you point out we have a bit of an issue with "security" in it's various guises.

And that is problem #1, security means different things to different people.

First of in English we have two words "security and safety" in French they have but one "Securite" this fundemental language difference effects the way people think about the issue. And ignoring it leads to deep seated and fundemental problems.

With regards to "Information Security" we don't even know what "information" is (try explaining why it differs from data without using the self recursive "meta" words).

Oh and when you've done that ask yourself why both data and information are not knowledge.

This is problem #2 what is information and what are it's properties.

I would actually argue that the "tangable" physical world we know and love to touch, is infact a subset of the "intangable" information world.

Thus not only do we not know what it is, we cannot see much of it from the subset of it we exist in.

If you think I've been hitting the "wacky backy" no I haven't. Science moves forward a number of ways but essentialy it is the process of gathering organising and verification of information in a form that we call knowledge.

You get the old line of "Newton discovered gravity", well no he did not, gravity appears to be an integral charecteristic of our physical world.

What Newton did was observe, theorise, test and accept/reject each proto-theory untill he had a mathmatical model that appeared to fit with his observations and those of others.

We now know it is not accurate but suffices to get us around the solar system. It is why there is the truisum about physics being "a series of more accurate lies, each closer to God's dice than the last".

Which brings me around to the point Alex refers to about "we fit the definition of a proto-science very, very well".

We are currently in Aristotl's version of science not Newton's the reason for this is simple,

Which is Problem #3, what are informations measurands.

The answer is outside of the nebulous "Information Entropy" not much apart from the axiom of a bit.

Oh and a researcher at IBM worked out the minimum energy required to store or move a bit of information in our "tangable" physical world. But people forget that it is not intangable information, just the physical image of a part of it, like a shadow ghost photograph or written description of a smell.

Thus we have no reliable metrics, we just mooch around in "best practice" and throw a few effectivly meaningles statistics around.

Oh and the joke of them all is the question "What is a random number". We use expresions such as "non determanistic" or words such as "probablistic", or quips about "living in a state of sin".

One little talked about asspect of science is "borrowing", that is an advance in one area of science gives rise to a new perspective in that area. "Your better class of thinker" (obligitory Douglas Adams refrence ;) realises that the "new light" can be used to illuminate other "dark corners" and thus further enlightment in other fields of endevor.

Well the nearest field of endevor we have to information is Quantum Physics...

Which might account for some of the seamingly odd view points of the likes of Seth Lloyd (Universe is a computer), Roger Penrose and others (Quantum conciousness), who are starting to belive that our ability to think may be quantum in nature...

And we do know from the likes of photosynthesis (google bacteriochlorophyl or BChl) and sight / smell that the biological part of our physical world has been happily using Quantum effects for... well longer than we can remember ;)

But getting back to the "security game" a number of the things you refere to are examples of the classic con.

Which is Problem #4, the security industry is currently a con game.

That is you find a mark with resources you want and work out how to dress up nonsense in a way they want to believe (ie selling the finest of invisable cloths).

Through to inflating a need to create a market for a product you have (FUD Marketing).

This works simply due to having no reliable metrics to test claims.

But also as in some areas of security alows the "operator" not the "system" to be blaimed when a system fails.

That is you can claim the operator did not have suficient faith in the system...

Which is great for very dubious systems (dowsing for bombs). You can also through in fringe reasearch papers to lend credability to your otherwise bogus claims.

However there is another issue when it comes to "borrowing" that is it is not of necessity bi-directional.

Which is Problem #5 although lessons in intangable security can be applied to tangable security the opposit is not true.

The reason for this is "non locality" and "no cost force multipliers" due to "no cost duplication" for criminals and other naredowells.

In the tangable world you have very real financial costs to duplicate an object so uniquness has some "value" meaning.

Likewise tangable force multipliers (tools) are constrained by duplication costs and usage costs (power).

Finally to make illicit use a tangable object you or a force multipler have to be local to it (physicaly present) which adds other constraints.

None of these constraints apply in the intangable information world to the naredowell. From the other side of the world they send information and the target machines duplicate it and process it and send the results back. The naredowell only pays for their Internet cost to launch their attack (say 1USD if that).

Which is one of the reasons why the usual actuarial processess (from the insurance industry) that we use for risk analysis just does not work in the information world...

Which is problem #6 rather than seek out the properties of information that can be used for reliable and repeatable metrics we chose to borrow models from the discredited world of economics.

We have to actually ask ourselves are economic models based on a tangable world with tangable goods and tangable constraints that only work in a very limited way actualy valid in an intangable world with intangable goods not subject to the tangable constraints?

For instance examination of the Dot Com boom/bust of the Internet and before it the telephone, telegraph and railways shows us that "free market" economics do not apply.

Further we know that the tangable world cost/distance metric does not apply to the Internet, thus there are not realy physicaly seperate markets which allow for competative growth.

As an example Google's problems in China. China is due to a number of issues effectivly a seperate market (for those inside). Google chose to be hamstrung as the price of being able to play in that market.

Google is now upset that it is loosing out to a competitor inside that market that is not hamstrung...

Thus the simple "free market" rules do not apply which is to Googles cost.

We have to ask ourselves the question,

Are we going to get sufficient insight from using inappropriate models borrowed from economics and insurance to turn intangable world security from a proto-science to a science?

Or are we going to be better served using models that do not have underlying hidden assumptions from the tangable world?

I suggest the latter is going to be best in the long run.

The bottom line is information is intangable, we know little or nothing about even the tiny subset we experiance in our tangable world. This lack of understanding of it's properties means we have no usable metrics. We cannot borrow from most other fields of endevor because they all have low level implicit tangable assumptions and constraints. And for naredowells the lack of metrics and tangable constraints is significantly to their advantage.

As was once said about (non American) football "It's a funny old game", and for those of us playing we most certainly are living the curse of "interesting times".

Posted by Clive Robinson at January 31, 2010 11:14 AM

Google is the vanguard of a failed capitalist state now that their friends are interested in hoisting the China threat as a means of diverting the people away from the economic failures. The next step will be a war with Iran over some idiotic idea that we can tell them what to do with their destiny. If China wants to hack Google let them have at it, if Google doesn't appreciate the Chinese regime then get out of the market place. Real people don't care about the evil empire of Google, Microdick, the United States Government, or the Chinese Government in fact the vast majority of time is spent getting around these fools or ignoring them. If Islamic terror is a real threat then boycotting Saudi and Nigeria oil might be highly suggested, if Hugo and his Bolivarian desires bugs you then don't buy their products boycott them and ignore them. The threats we face as simple people have not been reflected in any of the political events, because if that where to happen protest about the cost of good beer and vodka would be the headlines. Anti-government entities in China would not select Google for anything so perhaps as the cost of entry into the Chinese market Google agreed like Microdick to surrender their source code and then backed out that sound more plausible.

Posted by jimbo at February 7, 2010 03:45 PM
Post a comment

Remember personal info?

Hit Preview to see your comment.
MT::App::Comments=HASH(0x56021d1e4818) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/ line 125.