Technology risk without safeguards

William Herrin bill at herrin.us
Thu Nov 5 17:05:34 UTC 2020


On Thu, Nov 5, 2020 at 5:59 AM Tom Beecher <beecher at beecher.cc> wrote:
> Let's say roughly half of the science says the hypothesis is false, and half says it is true. It is absolutely fair in this case to state "We don't know enough."

Hi Tom,

Strictly speaking, if a hypothesis is disproven by even one repeatable
experiment then the hypothesis is disproven. It doesn't rule out that
a similar hypothesis could be true but that particular one is false.

Suresh's case can also be dismissed with Security 101: never spend
more protecting an asset than the value of the asset. Practically
speaking this means you assign a risk cost to a particular kind of
attack and then consider whether there are any protections from the
attack which cost less than the risk. That's Vulnerability * Threat *
Incident Cost.

The vulnerability to someone tunnelling under your data center to set
up an RF generator is not high. The logistics of such an effort are
very complicated and the inverse square law dictates that the power in
an RF signal deteriorates quickly with distance even in free air, let
alone with ground between you and the recipient. It is, in a nutshell,
impractical.

The threat for someone tunnelling under your data center to set up an
RF generator is basically zero. There are examples of tunnelling in
crime and war but both involve clandestinely overcoming a superior
force, such as breaking someone out of prison, evading detection by
authorities when smuggling or destroying a fortified military position
with explosives. There is no superior force guarding a data center.
Following staff home and picking them off with a rifle is so much
cheaper and carries a better probability of success.

Nearly zero times zero times some possibly high incident cost still
equals zero. The risk-cost from Suresh's scenario is zero. Hence the
security efforts it justifies are zero.

Regards,
Bill Herrin

-- 
Hire me! https://bill.herrin.us/resume/