On Sunday, June 16, 2024 3:59:40 PM EDT Russ Allbery wrote:
> Scott Kitterman <deb...@kitterman.com> writes:
> > Yes.  I think that's the core of the disagreement.  In my view, when I
> > type the passphrase for my key, I'm asserting responsibility for the
> > contents of what I'm signing.  It doesn't mean it is correct or
> > uncompromised, but I am taking responsibility for it.
> 
> Right.  And I come from a culture that emphasized blameless postmortems
> and systems design and a way of thinking about security review from a
> similar perspective, which is that assigning responsibility is not in and
> of itself a useful thing to do.  Just because someone is responsible
> doesn't mean that we're more secure.  It may mean that you have someone
> you can punish afterwards, but it's very questionable how much that helps
> with security, really.
> 
> Assigning responsibility is, in that model, only important to the degree
> to which it will change people's actual behavior towards behavior that is
> more secure, either before or after the fact.  If one assigns
> responsibility for something that isn't realistically under their control,
> or in a way that doesn't cause their behavior to change, the argument is
> that nothing is truly accomplished from a security standpoint.  It's an
> illusion of security without actual security.
> 
> One of my goals in doing security design is to try to reduce the degree to
> which humans are performing repetitive validation tasks because humans are
> not good at maintaining constant vigilance.  We know this from a bunch of
> empirical studies on, for example, airport screening.  If a human does a
> repetitive task with a very low rate of true positives, their attention
> will fade and there will be a lot of false negatives.  Asking humans to do
> this is a recipe for failure, and making the humans responsible for doing
> this correctly and threatening them with consequences for not doing it
> correctly only slightly decreases the risk of failure.
> 
> This is exactly why reproducible builds are so important: that involves
> finding a way for computers to do the sorts of repetitive validation tasks
> that computers are good at and that humans are very bad at.

I don't equate responsibility and blame.  If I'm responsible for something and
it blows up, then that means I'm responsible to help clean up the mess,
regardless of whether the thing that went wrong is my fault or not.

Not security related, but a couple of times I have (as a member of the FTP
Team) removed packages that shouldn't have been removed.  Even though it
wasn't particularly my fault (in the cases I'm remembering, the rm bugs had
been filled out unclearly or incorrectly), I was still responsible to straighten
it out and I did.  I don't think that we are that different in our views of
what's important, but we do describe it a bit differently.

Scott K

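The reproducible-builds point in the quoted reply (let the computer do the repetitive comparison a human signer would not reliably do) in working form, as an added example that is not part of this thread and not Debian's own tooling. It parses the Checksums-Sha256 stanza of a .buildinfo-style file and checks a rebuild against it. The field layout (" <sha256> <size> <filename>") follows the real .buildinfo format, but the stanza text, the artifact names and the `fake_build` step that stands in for a real package build are all constructed for the example; the `stamp` argument simulates an embedded build date, the classic source of unreproducible output.

```python
"""Mechanical reproducibility check against a .buildinfo-style checksum list.

Added example, not from the thread. The buildinfo text and the build step are
constructed stand-ins; only the Checksums-Sha256 line layout is the real one.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums_sha256(buildinfo_text):
    """Return {filename: (sha256, size)} from the Checksums-Sha256 field.

    Continuation lines of a multi-line field start with a single space; the
    field ends at the next line that does not.
    """
    entries = {}
    in_field = False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False
    return entries


def verify_rebuild(buildinfo_text, rebuild_dir):
    """Compare every recorded artifact against the rebuilt one.

    Returns (ok, problems); problems is a list of human-readable mismatches so
    the failing artifact is named rather than just a boolean.
    """
    problems = []
    for name, (digest, size) in parse_checksums_sha256(buildinfo_text).items():
        path = os.path.join(rebuild_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing from rebuild")
            continue
        actual_size = os.path.getsize(path)
        if actual_size != size:
            problems.append(f"{name}: size {actual_size} != recorded {size}")
        actual = sha256_file(path)
        if actual != digest:
            problems.append(f"{name}: sha256 {actual[:12]} != recorded {digest[:12]}")
    return (not problems, problems)


def fake_build(out_dir, stamp):
    """Constructed stand-in for a package build (hypothetical, not dpkg).

    Writes two artifacts; one embeds `stamp`, playing the role of a build
    timestamp baked into the output, which makes the build unreproducible.
    """
    os.makedirs(out_dir, exist_ok=True)
    with open(os.path.join(out_dir, "example_1.0-1_amd64.deb"), "wb") as f:
        f.write(b"binary payload; built at " + stamp.encode())
    with open(os.path.join(out_dir, "example-data_1.0-1_all.deb"), "wb") as f:
        f.write(b"architecture-independent payload")


def record_buildinfo(build_dir):
    """Emit a constructed .buildinfo-style stanza for the artifacts in build_dir."""
    lines = ["Format: 1.0", "Source: example", "Checksums-Sha256:"]
    for name in sorted(os.listdir(build_dir)):
        path = os.path.join(build_dir, name)
        lines.append(f" {sha256_file(path)} {os.path.getsize(path)} {name}")
    lines.append("Build-Origin: Debian")
    return "\n".join(lines) + "\n"


def demo():
    """First build, then a faithful rebuild and one with a different stamp.

    Returns the two verify_rebuild results: (ok, problems) for each.
    """
    with tempfile.TemporaryDirectory() as tmp:
        first = os.path.join(tmp, "first")
        fake_build(first, stamp="2024-06-16")
        buildinfo = record_buildinfo(first)

        same = os.path.join(tmp, "same")
        fake_build(same, stamp="2024-06-16")
        drift = os.path.join(tmp, "drift")
        fake_build(drift, stamp="2024-06-17")
        return verify_rebuild(buildinfo, same), verify_rebuild(buildinfo, drift)


if __name__ == "__main__":
    for label, (ok, problems) in zip(("faithful rebuild", "drifted rebuild"), demo()):
        print(label, "OK" if ok else "MISMATCH", problems)
```

The point of the structure is that the decision to sign is gated on `ok`, not on a person eyeballing checksums: a faithful rebuild passes, and the drifted one is reported by file name with the differing digest prefix, which is the kind of low-true-positive comparison the quoted reply argues people should not be doing by hand.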