Thursday, May 31, 2007

Security

Security is a myth. it simply does not exist in the sense most people want it to. People want to feel that even if someone wanted to hurt them, this hypothetical attacker would not be able to. yeah right.

this article(cio.com) describes how hackers can cover their tracks in such a way as to be pretty much invulnerable to prosecution, at least through electronic evidence. It's an interesting read, and the techniques described are interesting (to me at least), but it raises some higher-level question about what we should be trying to do when it comes to security anyway.
can you possibly hope to protect your credit card number? well, no. you can make good starts (never give it to a place that will save it is a good one), you can hope vendors are smart and dont store the thing (which you shouldn't do), or you can just deal with some fraudulent charges when they show up. credit card companies seem to be pretty on top of that these days, which is good, since they'd go out of business if they weren't.

But if you can't trust your file system to tell the truth, who can you trust? Security in any sense, informational, personal. national, is utter crap. its a complete chimera. it will not and can not exist. If some wants very very badly (and i mean more than you've wanted, anything or ever) to do X, whether X is break into your house, steel your "identity", slice you open with a power saw, or fly a plane into your building, they're going to find a way to do it. if, god forbid (ha, god) a group of people decided they wanted to do one of those things to you, its just a matter of when. As a nation we need to accept our vulnerability, give up our infantile obsession with security, and move on. you want to play the numbers game here. you want to stop most of the attacks, most of the time, for most of the people. You want to stop big attacks. If you're smart you can usually do that without giving up much if any freedom (or time, or cpu cycles, or whatever). If, better yet, you can remove the benefit of the attack all together, now you're really winning.; why break into someone's house if you can't sell the stuff you steal? Of course to do that you've got to convince some people to keep vigilant eyes on their bank accounts, and others that there may, in fact, be no afterlife, so they should stick to this one. In the meantime, computer forensics go out the window; it's kinda like trying to ask a suicide bomber where he got his bomb. he's, you know, dead.

ps: oh yeah, slashdotters annoy me some time. here we have an interesting article on security, and theres no debate on the real topic. nothing about the schools of thought behind the guys writing these antiforensic apps, nothing about.. well, anything. other than "zomg you need an app to mess with timestamps? n00b you can just use touch!". My guess is TimeStomper is a windows app, boys. and even so, completely not the point.... but everyone wants to show off their knowledge (hey me too).

No comments: