On Thursday 08 May 2008, Von Fugal wrote:
> I disagree, it's always a spectrum, you simply choose to treat a
> certain portion of the spectrum as one lump, but that doesn't change the
> fact that there is still a spectrum there. You say DVD CSS is "insecure,
> period". Well, I bet it stops some percentage of people from copying
> dvds onto their computers, and that percentage is proportional to the
> work, finding the software in this case.

I realize that this is semantics, but I'd like to understand better how we should phrase these things. So, how would you distinguish these items?:

a) an open doorway
b) a door without a lock
c) a door with a broken lock
d) a door with a lock, but the key is 'hidden' under the mat, which fact is common knowledge
e) a door with a lock, and the key is 'hidden' under the mat, which fact is not common knowledge
f) a door with a lock

If there's merely a doorway, I think we would agree that there is no security at all--just walk right through it. Maybe there's a sign that says 'do not enter', but I think we'd still agree that that doesn't constitute any actual security.

If there's a door without a lock--do you still consider it secure at all? Just because some people might be too lazy to open it to go in--and that amount of effort is thus a 'deterrent'--I still don't consider it secure. Anyone with a minimum of motivation can just open it and walk right through.

Similar can be said for a door with a broken lock--which is what dvd css is at this point--they just have to open the door. You could argue that dvd css is more like (d)--the lock still works but the key is hidden in plain sight, and everybody knows it. Fine, but it's hardly any more effort considering that anyone that has the minimum of motivation will know that the key is hidden right there for anyone to use.

IMO, the only item on the list that qualifies for having any 'degrees' of security is the last one. The security is rated by the strength of the door, the jamb, the strike plate, and the bolt, by the design of the mechanism, and whether it has a window nearby, etc. The mechanism is in place, intact, in use, and the means to bypass it do not lie insecurely outside.

The security of the penultimate item could be argued at length.
It requires a bit of motivation to search for the key, since it isn't common knowledge that it's available, but given the motivation, the effort isn't necessarily all that high to use the door--and the means to do so are *outside* of the secured area, and unprotected. For a person that has insufficient motivation, its security could be rated the same as of the last item--it's just as strong of a 'deterrent'. But, for a person motivated to find the means, it holds no strength, thus is 'not secure'.

The others, because anyone can readily bypass, I consider 'not secure', regardless of whether some people might still be deterred by what little effort may still be required.

I think the line is hard to quantify, but I still think it's there. To get through a door with a lock requires picking the lock, circumventing the entire doorway (a different way in), or somehow breaking the door or the mechanism. This is quite a bit different and more involved than the work required to bypass the other items.

I think the penultimate item really shows where there is room to discuss. In its case the security rating is dependent on the person--whether they are motivated enough or not.

I see three factors:
- the deterrent strength of the actual item (door, mechanism)--how difficult is it to pass without the actual intended means to do so
- the availability of the means to pass it--can the key be obtained easily, is the lock broken, or is it not even locked...
- the type of person--motivated to get past it or not.

So how then, do we define how 'secure' something is?
- Is it the strength of the actual physical deterrent?
- Is it the likelihood of obtaining the means to bypass it/how much effort is required to do so?
- Is it the percentage of people motivated enough to perform the effort to get past it?

Or, is it some combination, and if so, in what proportion?

I would think that security is irrelevant in regards to the people that have no desire/insufficient motivation to trespass.
It was mentioned earlier that some people that would otherwise just walk right in could be deterred by just a door--it's too much effort. I would say that they are not malicious in the first place--otherwise they would have the motivation to try harder. For them, even a sign might be enough.

So, just because a large number of people might otherwise wander in to copying a dvd to their pc, where css prevents them and they go no further, I do not see that as an argument for css providing any degree of security. A deterrent, yes, but not security.

I think there's a difference between deterring and securing. For me:

Deterring means that there is greater than 0 effort involved in obtaining access--but does nothing to segregate who 'can' put forth the effort.

Securing means that some actual 'means' that only authorized people should possess or be capable of is ordinarily required for access.

Securing thus provides a means of deterring all but a specific set of authorized people, whereas deterring alone doesn't segregate who 'should' get access--only who 'can', and only does so by their own motivations--not by any mechanism.

Perhaps I'm not describing what's in my mind very well, but this analogy will have to do.
