Full Disclosure mailing list archives
Re: Security & Obscurity: physical-world analogies
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 02 Sep 2004 17:37:20 -0500
On Thu, 2004-09-02 at 11:24, Peter Swire wrote:
I think there is a strong analytic similarity between a firewall
and physical settings where guards are deciding whether to let
people/trucks/etc. through a gate.
[...]
In both cases, there is "filtering" by the defenders. Some
entrants are excluded. Some get more intensive screening. The level of
filtering varies with the perceived level of the threat.
I was trying to stay out of this discussion, but I do have to throw in some comments. I do not believe that we can make accurate and meaningful analogies between the physical realm and the information technology realm or cyber space or whatever you want to call it. The analogies we to make "appear" to serve our purpose for making it easier to understand the difficult issues surrounding IT based scenarios, but in fact are presented solely for one situation. Any modification of the situation, and reaction scenarios, break down quickly because they can not be performed in both worlds with the same results and same action-reaction behavior. Case in point: You say firewalls are like entrances. People (on lieu of packets) are inspected and gain entrance or not. For a single person/packet, this works. While in the physical the person can not circumvent the entrance, in the information world this is quite easily achieved. In cyber space, the person-packet would just clone or copy itself a million times, overwhelming the inspectors and slip passed the checkpoint. To really illustrate the point, let me make a more colorful example. People-packets in the real world can be stopped by a moat around the castle. The people-packet runs towards the castle and falls into the moat. People-packet has ceased to exist. In cyber space, the people-packet will again clone itself and run "purposefully" into the moat, piling up the "dead" people-packets until the moat is full. The remaining people-packets can then enter the castle. Feel free to play through the same scenario with a wall where "dead" people-packets get purposefully deployed in front of the wall until the last people-packet can climb the packet mountain and pass over the wall. There are some that say certain aspects don't work in the real world... these people think in terms of the real world. There are other people that say other aspects don't work that way in cyber space. That's because they think through the scenario with information technology as the background. There will be people in each camp that see certain aspects as useful, but each will again view it from their own perspective. Analogies between the "worlds" work when we want them to work. The same analogies can be shot down if we don't like them. These analogies do no allow us to represent one world when trying to make a point in another. The copy conundrum: You have a chair. Dave wants to steal your chair. If he does, you know your chair has been stolen. In cyber space, Dave can steal your chair by making a copy. You still have your chair and you do not know if it was stolen or not. Dave does have your chair now, but you don't know. Leftovers: Let's say you burned said chair. Let's say Dave told you that he came to your house, made a copy of your chair, drove home and put the copy into his living room. In the real world you might go to Dave's house and remove/destroy your chair. In the IT world you will find that said chair is not only present in Dave's living room, but there is an inadvertent copy left in his car. Oh, and also on his hands, or any other place that the chair passed through. Physical objects can not be compared to information. Try to imaging a computer programs in the real world. It doesn't work. Information and ideas, communication and packets, security vulnerabilities, attacks and security countermeasures can not be quickly substituted with real world physical objects. Henceforth any attempt to place analogies of scenarios from one world into the other is flawed. Regards, Frank PS: When I flew over your paper, I read a lot about security and secrecy of information. What I did miss was the distribution of misinformation. And no, it does not easily compare to obscurity. While obscurity does not improve security, it does add value along with security. .... in the physical as well as information technology world.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- RE: Response to comments on Security and Obscurity Clairmont, Jan M (Sep 01)
- Re: Response to comments on Security and Obscurity Valdis . Kletnieks (Sep 02)
- <Possible follow-ups>
- RE: Response to comments on Security and Obscurity yaakov yehudi (Sep 02)
- Re: Response to comments on Security and Obscurity Barry Fitzgerald (Sep 02)
- Re: Response to comments on Security and Obscurity James Tucker (Sep 02)
- Security & Obscurity: physical-world analogies Peter Swire (Sep 02)
- Re: Security & Obscurity: physical-world analogies Dave Aitel (Sep 02)
- Re: Security & Obscurity: physical-world analogies Frank Knobbe (Sep 02)
- Re: Re: Security & Obscurity: physical-world analogies James Tucker (Sep 02)
- Re: Re: Security & Obscurity: physical-world analogies Frank Knobbe (Sep 02)
- Re: Re: Re: Security & Obscurity: physical-world analogies James Tucker (Sep 02)
- Re: Response to comments on Security and Obscurity Barry Fitzgerald (Sep 02)
- Re: Security & Obscurity: physical-world analogies gadgeteer (Sep 03)
- Re: Re: Security & Obscurity: physical-world analogies Tig (Sep 03)
- Message not available
- Re: Re: Security & Obscurity: physical-world analogies gadgeteer (Sep 03)
- Re: Re: Security & Obscurity: physical-world analogies ASB (Sep 05)
- Re: Response to comments on Security and Obscurity James Tucker (Sep 02)