Re: double shot of snake oil, good conclusion
On Thu, Mar 06, 2003 at 09:38:25AM -0800, Ed Gerck wrote:

> Tal Garfinkel wrote:
>
> > The value of these types of controls is that they help users you basically trust who might be careless, stupid, lazy or confused to do the right thing (however the right thing is defined, according to your company security policy).
>
> It beats me that users you basically trust might also be careless, stupid, lazy or confused ;-)

That's security in the real world. You screen employees based on their character and competence at the task you hired them to do; you typically don't rigorously drill them on security procedures, and even if you do, most folks get lazy, careless or confused at some point.

Example: If an executive is told by the security bozo down the hall that they should not print out sensitive documents, they might take it seriously, but then again they can make excuses for their laziness: he's just being paranoid, I want to read this report in bed, it won't hurt this one time, etc. On the other hand, if they have to do something like break out the digital camera, it should be pretty obvious to them that what they are doing is in pretty severe violation of company policy, will likely get them severely reprimanded if caught, and will likely obviate any convenience benefits they might have hoped to gain by having a hard copy of that document.

I think experience with password security is a perfect example of the principle at work here: if you make it convenient to do the wrong thing, people almost certainly will.

> Your point might be better expressed as the company security policy would be followed even if you do NOT trust the users to do the right thing. But, as we know, this only works if the users are not malicious, if social engineering cannot be used, if there are no disgruntled employees, and other equally improbable factors.

Ok, so there are only two issues here. One is problems with intention (are they malicious or not; this includes disgruntled employees etc.) and the other is problems with competence (can they be relied upon to always follow procedure).

In the former case, document control will probably only serve as a mild deterrent, but raising the bar doesn't hurt. At least you might have the chance to catch some employee trying to photograph many pages of your sensitive data off their screen. In the latter case, document control can help quite a bit, and can serve as a deterrent against things like social engineering.

Also, it seems you are assuming that all internal attackers have equal access to information; this is not the case. If employees can make printouts and accidentally leave them lying around, throw them away, etc., it lowers the bar for an unprivileged internal attacker. At least if everything stays in electronic form a malicious employee may have to attempt to tackle your computer system's access controls head on instead of simply rooting around in your desk.

Clearly, document controls are not a silver bullet, but if used properly I believe they do provide a practical means of helping to restrict the propagation of sensitive information.

--Tal

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: double shot of snake oil, good conclusion
> DRM can't really control what humans do and there is no commercial value in saying that a document that I see cannot be printed or forwarded -- because it can.

I believe you are overlooking the assumed threat model, and thus the value of document control systems like the one that Microsoft is proposing. The benefit of systems like this is to aid in managing the huge amounts of confidential internal documents that enterprises generate and would like to keep out of paper form, thus out of the hands of dumpster divers and not left around on desktops, to prevent accidental propagation of internal documents, etc.

Imposing access controls that rely on users not being explicitly malicious is not snake oil and is not a new idea, nor is the recognition of their limitations. In systems that impose mandatory access controls of the more traditional type (a la Bell-LaPadula), the user can always violate the *-property (i.e. no write down) by simply typing information from a high level document into a lower level document. Clearly, you could do the same thing with the system Microsoft is proposing, but preventing this type of attack is not the objective. The value of these types of controls is that they help users you basically trust who might be careless, stupid, lazy or confused to do the right thing (however the right thing is defined, according to your company security policy).

--Tal
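The Bell-LaPadula point in the message above, as an added illustration that is not part of the thread and not code from any product it discusses: a small reference monitor enforces no-read-up and no-write-down, yet cannot see a person who reads in a high session and retypes the contents in a low one. The lattice levels, the "FIN" compartment and the document names are constructed for the example.

```python
from dataclasses import dataclass
# Constructed lattice: ordered levels plus compartments (categories).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self >= other iff its level is at least as high and its compartments are a superset
        return LEVELS[self.level] >= LEVELS[other.level] and self.cats >= other.cats

class ReferenceMonitor:
    """Mediates every read and write against the two Bell-LaPadula rules."""
    def __init__(self):
        self.objects = {}  # name -> [label, contents]
        self.denied = []   # (op, object) requests the monitor refused

    def create(self, name, label, contents=""):
        self.objects[name] = [label, contents]

    def read(self, subject, name):
        label, contents = self.objects[name]
        if not subject.dominates(label):   # simple security property: no read up
            self.denied.append(("read", name))
            raise PermissionError(f"no read up: {name}")
        return contents

    def write(self, subject, name, data):
        label, _ = self.objects[name]
        if not label.dominates(subject):   # *-property: no write down
            self.denied.append(("write", name))
            raise PermissionError(f"no write down: {name}")
        self.objects[name][1] += data

def demo():
    rm = ReferenceMonitor()
    secret, unclass = Label("SECRET", frozenset({"FIN"})), Label("UNCLASSIFIED")
    rm.create("report", secret, "Q3 numbers")
    rm.create("memo", unclass)
    text = rm.read(secret, "report")      # a SECRET session may read the SECRET report
    try:
        rm.write(secret, "memo", text)    # ... but may not write it down into the memo
    except PermissionError:
        pass
    # Same person, new UNCLASSIFIED session, retypes what they read: the monitor sees only
    # an unclassified subject writing an unclassified object, so the write is allowed.
    rm.write(unclass, "memo", text)
    return rm.objects["memo"][1], rm.denied
```

The monitor's log shows exactly one refusal (the direct write-down); the retyped copy leaves no trace it can act on, which is why such controls target careless users rather than determined ones.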
Re: Palladium -- trivially weak in hw but secure in software?? (Re: palladium presentation - anyone going?)
> Software-based attacks are redistributable. Once I write a program that hacks a computer, I can give that program to anyone to use. I can even give it to everyone, and then anyone could use it. The expertise necessary can be abstracted away into a program even my mother could use.
>
> Hardware-based attacks cannot be redistributed. If I figure out how to hack my system, I can post instructions on the web but it still requires technical competence on your end if you want to hack your system too.
>
> While this doesn't help a whole lot for a DRM goal (once you get the non-DRM version of the media data, you can redistribute it all you want).

I think this assumption may be incorrect. In order for content providers to win the DRM fight it seems like they need to address two issues. First, put up a big enough barrier for most users that circumventing access controls is infeasible, or simply not worth it. Second, put up a big enough barrier for most users that gaining access to copies of media with the access controls removed is either infeasible, or simply not worth it.

I believe tamper resistant hardware solves the first problem, even if, as Adam conjectures, all that is required to access media protected by Palladium is a $50 kit (which, remember, you can't obtain legally) and some hardware hacking. This seems to rule out well over 99% of the media consuming public.

The problem of obstructing the distribution of media is really a different topic. I think that solving this problem is easier than most folks think. Again, you don't have to totally stop P2P, or that kid in the shopping mall selling copied CDs. All you have to do is put up big enough technical and legal barriers that the general public would rather just pay for the media.

While it may be the case that Palladium is not a serious barrier to the average CS graduate student, Cypherpunk, or even the home user who has a modicum of hardware clue, I don't think this will kill it as an effective technology for supporting DRM, assuming that the software cannot be broken.

--Tal