Re: solving the wrong problem
John Denker [EMAIL PROTECTED] wrote:
> So, unless/until somebody comes up with a better metaphor, I'd vote for one-picket fence.

Nonsense fence maybe less metaphoric but more clear.

--
Ilya O Levin
http://www.literatecode.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: solving the wrong problem
Ilya Levin wrote:
> John Denker [EMAIL PROTECTED] wrote:
>> So, unless/until somebody comes up with a better metaphor, I'd vote for one-picket fence.
>
> Nonsense fence maybe less metaphoric but more clear.

I disagree - one picket fence gives a clear impression of a protective device that is hardened at but one point - leaving the rest insecure. nonsense fence doesn't give any real image.
Re: solving the wrong problem
Here's a thought: Putting up a beware of dog sign, instead of getting a dog.

On Sun, Aug 07, 2005 at 09:10:51PM +0100, Dave Howe wrote:
| Ilya Levin wrote:
| > John Denker [EMAIL PROTECTED] wrote:
| >
| >> So, unless/until somebody comes up with a better metaphor,
| >> I'd vote for one-picket fence.
| >
| > Nonsense fence maybe less metaphoric but more clear.
| I disagree - one picket fence gives a clear impression of a protective
| device that is hardened at but one point - leaving the rest insecure.
| nonsense fence doesn't give any real image.
Re: solving the wrong problem
Perry E. Metzger wrote:
> Frequently, scientists who know nothing about security come up with ingenious ways to solve non-existent problems. Take this, for example:
>
> http://www.sciam.com/article.cfm?chanID=sa003articleID=00049DB6-ED96-12E7-AD9 683414B7F
>
> Basically, some clever folks have found a way to fingerprint the fiber pattern in a particular piece of paper so that they know they have a particular piece of paper on hand.

Didn't the people who did US/USSR nuclear arms verification do something very similar, except the characterised surface was sparkles in plastic painted on the missile rather than paper?

--
Peter Fairbrother
Re: solving the wrong problem
Adam Shostack wrote:
> Here's a thought: Putting up a beware of dog sign, instead of getting a dog.

That's an interesting topic for discussion, but I don't think it answers Perry's original question, because there are plenty of situations where the semblance of protection is actually a cost-effective form of security. It's an example of statistical deterrence.

Look at it from the attacker's point of view: If a fraction X of the beware-of-dog signs really are associated with fierce dogs, while (1-X) are not, *and* the attacker cannot tell which are which, and there are plenty of softer targets available, the attacker won't risk messing with places that have signs, because the downside is just too large. The fraction X doesn't need to be 100%; even a smallish percentage may be a sufficient deterrent.

OTOH of course if the sign-trick catches on to the point where everybody has a sign, the sign loses all value.

We can agree that the dog-sign is not a particularly good application of the idea of statistical enforcement, because there are too many ways for the attacker to detect the absence of a real dog.

A better example of statistical deterrence is traffic law enforcement. The cops don't need to catch every speeder every day; they just need to catch enough speeders often enough, and impose sufficiently unpleasant penalties. The enforcement needs to be random enough that would-be violators cannot reliably identify times and places where there will be no enforcement.

Statistical enforcement (if done right) is *not* the same as security by obscurity.

This is relevant to cryptography in the following sense: I doubt cryptological techniques alone will ever fully solve the phishing problem. A more well-rounded approach IMHO would include sting operations against the phishers. Even a smallish percentage chance that using phished information would lead to being arrested would reduce the prevalence of the problem by orders of magnitude.

Let me propose another answer to Perry's question: Wearing a millstone around your neck to ward off vampires.

This expresses both ends of a lose/lose proposition:
 -- a burdensome solution
 -- to a fantastically unimportant problem.

This is related to the anklets on the White Knight's horse, to guard against the bites of sharks ... with added emphasis on the burdensomeness of the solution.