[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Jimmy Hess mysidia at gmail.com
Sun Sep 8 15:04:36 UTC 2013

On Sun, Sep 8, 2013 at 9:07 AM, Eugen Leitl <eugen at leitl.org> wrote:

>  1.  [...] In general the consuming public cannot tell the
>      difference between “good stuff” and snake oil. So when presented
>      with a $100 “good” solution or a $10 bunch of snake oil, guess
>      what gets bought.

Or there might be 2 good solutions for certain security functions around
$100.   And 10 different flavors of $90 snake oil,and plenty of $50, $100,
and $120 snake oil flavors. The world is full of salespeople and marketers;
 and the snakeoil  salespersons are just as great as the "good stuff"
salespeople  ----  also,  with more resources to devote to sales, than
engineering;  the snakeoil salespersons have more time and resources
available to look at their competitors' merchandising, and make the
snakeoil bottles on the store shelves are the ones that look the most
appealing to the potential buyers.

A wary buyer should not believe the salesperson, but demand a thorough
long-term critical review  (a 30 day demo of some product is not sufficient
duration to discover that it's totally bunk).

 2.  Security is *hard*, it is a negative deliverable. You do not know
>      when you have it, you only know when you have lost it (via
>      compromise). It is therefore hard to show return on investment
>      with security. It is hard to assign a value to something not
>      happening.

This is because it doesn't make sense to say that security itself has a ROI
in the first place.
IT security is risk management --- therefore, in isolation security means
security is a way of mitigating fundamental risks  that are improbable
events that are
nevertheless certain to happen eventually (given enough time) that have an
average negative

There is a fundamental tradeoff between risk and return:  If you spend NO
money on security,
lawyers, to help structure the business to avoid liabilities,  and other
protections such as insurance
then you INCREASE return;  in the short term, you will most  likely have
much greater profit,
if you don't bother with any insurance, lawyers, or security.

It all works fine, until there is a disaster,  someone files a lawsuit,  or
you have a breakin.

For example:  by not purchasing insurance on your business assets;  you
avoid spending
insurance premium dollars.    This  increases how much money you make (your
as long as nothing bad happens.

However, not buying insurance, or not paying the costs of security greatly
increase the risk
that the business incurs a loss because something bad happens.

Furthermore,  spending a lot of money on security reduces return,  BUT also
reduces the risk.
Security does not have a ROI,  but it does have a tradeoff.

That tradeoff should be understood using the language of risk management,
not profit/loss.    And there is no reason people can't understand that....
after all;  they do understand,  what happens if you don't pay lawyers to
help your enterprises comply with the law, or draft successfully binding

You should expect to spend amounts on security per year, commensurate with
the costs of insuring
those data assets against the liability that would be incurred if they were
tampered with or leaked to the public;
granted,   plenty of orgs are much more likely to have an  internet-based
security breach than a fire or a flood,
therefore,  the risk you take on by not spending on security is possibly a
larger risk.

 2a. Most people don’t really care until they have been personally
>      bitten. A lot of people only purchase a burglar alarm after they
>      have been burglarized.

Most people purchase homeowners' insurance.

Vehicle insurance is mandated by the state in many cases.
I wonder if someday; a similar per-PC mandatory purchase will someday be
required for computer security.

>  3.  As engineers we have totally and completely failed to deliver
>      products that people can use. I point out e-mail encryption as a
>      key example. With today’s solutions you need to understand PK and
>      PKI at some level in order to use it. That is likely requiring a
>      driver to understand the internal combustion engine before they
>      can drive their car. The real world doesn’t work that way.

Yes.   This is a total nightmare.

Before  Joe consumer can send an encrypted mail; he has to either go to
some command line and gpg --gen-key
or go to  Xyz CA  corporation,  buy a personal SSL certificate for some
expensive per-year  premium    $10 or more...

and then go through a lot of trouble to figure out how to import that into
the browser, and manually repeat this process every 1 to 3 years  that his
certificate expires;  the process Joe  has to go through  to  S/MIME enable
every copy of his mail client on all his different computers,  and  his
webmail provider, is even more complicated.

Before anyone can send Joe an encrypted message;  Joe somehow has to  get
all his correspondents to manually import a copy of his certificate.

This is clearly miles outside the realm of possibility for the average
Windows user.

>                         -Jeff


More information about the NANOG mailing list