Raul Miller writes:
> My mental model of computer security often approximates putting a bank
> vault door on a picket fence (and maybe setting up a sniper to stop
> people from climbing over the door).

But in layers. One of them will work right? It's defense^Wobscurity
in depth.

> Doesn't mean that the exercises weren't worthwhile, but in my opinion
> we put far too little effort into making people comprehend what's
> going on.
> </useless-rant>(Not entirely true, and raspberry pi/arduino

I think it's very true. Case in point is ssl/pkc. For a while I
refused to believe that I understood public key cryptography because
it was so incredibly simple and yet all the documentation I'd seen
up to that point had been impenetrable, contradictory, incomplete
or some mixture of the three. I can count on one hand the number
of people I've worked with who understood it rather than relying
on copy pasta. Hence LetsEncrypt now exists.

The lack of understanding is tangible and worrying.

> but I sometimes worry about the lack of
> focus on physical and electronic abstraction layers.)

Already lost. There's nothing real about an abstraction layer. We
can't reconcile with them in the real world. Instead we ascribe
human-like attributes to automota which can only mock the appearance
without any of the substance. "Smart" devices are smart like a
parrot that's learned how the crackers come and just as vindictive
yet they have in less than half a generation become embedded into
our lives and societies as though they are godlike in their prescience.
They now drive our death machines around. We have machines with the
intelligence of a parrot and the attention span of a toddler driving
multi-tonne killing machines at upwards of 70mph. That's insane.

Abstraction layers are all very well when developing algorithms but
when the rubber hits the road the CPU's gonna do what the CPU's
gonna do and if you don't know what it can, will and does do then
no abstraction layer is going to help you.

We need to trust the machines like the badly-treated rottweiler
who's muzzle we can't remove and who's looking at our children
hungrily, not like the adorable harmless puppies the devices try
to act as and who's place they currently occupy.

That is the fundamental flaw in our collective security model. I
handle it by understanding the technology so I can work around the
holes. Those who can't or won't need a better model than "aww! cute!"

Anyway I didn't mean for this to turn into a rant so I'm done.

Well I did because I started it as one but it was meant to be a
rant about administrators and developers who don't understand what
they're doing but do it anyway and not the sorry state of IT security
around the world and how it's turning society into the worst possible
bastard child of George Orwell and Aldous Huxley. That would require
far more space than this mailing list allows to do it justice.

> recovering backups (I've seen backup systems which never worked where

A pile of data may look like a backup but without a proven recovery
strategy it's just a pile of data.

Matthew

Reply via email to