Privacy and security
answering the Wrong
Questions Is no answer
Asking the wrong questions when building and deploying systems results in systems
that cannot be sufficiently protected against the threats they face.
For ovEr 50
trying to build computing
systems that are trustworthy.
The efforts are most notable
by the lack of enduring suc-
years we have been
cess—and by the oftentimes spectacular security and privacy failures along
the way. With each passing year (and
each new threat and breach) we seem
to be further away from our goals.
Consider what is present in too
many organizations. Operating systems with weak controls and flaws
have been widely adopted because of
cost and convenience. Thus, firewalls
have been deployed to put up another
layer of defense against the most obvious problems. Firewalls are often configured laxly, so complex intrusion and
anomaly detection tools are deployed
to discover when the firewalls are penetrated. These are also imperfect, especially when insider threats are considered, so we deploy data loss detection
and prevention tools. We also employ
virtual machine environments intended to erect barriers against buggy implementations. These are all combined
with malware detection and patch
management, yet still attacks succeed.
Each time we apply a new layer, new attacks appear to defeat it.
I conjecture that one reason for
these repeated failures is that we may
be trying to answer the wrong questions. Asking how to make system
“XYZ” secure against all threats is,
at its core, a nonsensical question.
Almost every environment and its
threats are different. A system controlling a communications satellite
is different from one in a bank, which
in turn is different from one in an el-
asking how to
make system “Xyz”
secure against all
threats is, at its
core, a nonsensical
ementary school computer lab, which
is different from one used to control
military weapons. There are some issues in common, certainly, but the
overall design and deployment should
reflect the differences.
The availability and familiarity of
a few common artifacts has led us to
deploy them (or variants) everywhere,
even to unsuitable environments. By
analogy, what if everything in society
was constructed of bricks because
they are cheap, common, and easy to
use? Imagine not only homes built of
bricks, but everything else from the
space shuttle to submarines to medical equipment. Thankfully, other fields
have better sense and choose appropriate tools for important tasks.
A time-honored way of reinforcing
a point is by means of a story told as a
parable, a fairy tale, or as a joke. One
classic example I tell my students:
Two buddies leaving a tavern find
a distressed and somewhat inebriated
man on his hands and knees in the parking lot, apparently searching for something. They ask him what he has lost,
and he replies that he has dropped his