Re: solving the wrong problem
On Tue, Aug 09, 2005 at 01:04:10AM +1200, Peter Gutmann wrote:

That sounds a bit like unicorn insurance

[..]

However, this is slightly different from what Perry was suggesting. There seem to be at least four subclasses of problem here:

1. ??? : A solution based on a misunderstanding of what the real problem is.
2. Unicorn insurance: A solution to a nonexistent problem.
3. ???: A solution to a problem created artificially in order to justify its solution (or at least to justify publication of an academic paper containing a solution).
4. PKI: A solution in search of a problem.

Nice list, and terms for the remaining ??? cases would be nice, but I'm not sure that any of these captures one essential aspect of the problem Perry mentioned, at least as I see it.

One of the nice aspects of the snake oil description is the implications it has about the dodgy seller, rather than the product. To my view, much of the Quantum Cryptography (et al) discussion has this aspect: potentially very cool and useful technology in other circumstances, but being sold into a market not because they particularly need it, but just because that's where the money is. Certainly, that's the aspect I find most objectionable, and thus deserving of a derogatory term, rather than just general frustration at naive user stupidity. None of the terms proposed so far capture this aspect.

The specific example given doesn't quite fit anywhere on your list. It's somewhere between #3 and #4; perhaps it's a #4 with a dodgy salesman trying to push it as a #3 until a better problem is found for it to solve?

I was going to suggest porpoise oil (from not fit-for-purpose), but how about unicorn oil - something that may well have some uncertain magical properties, but still sold under false pretenses, and not really going to cure your ills?

--
Dan.
Re: solving the wrong problem
Perry E. Metzger writes:

Anyone have a good phrase in mind that has the right sort of flavor for describing this sort of thing?

Well, I've always said that crypto without a threat model is like cookies without the milk.

--
--My blog is at blog.russnelson.com | In a democracy the rulers
Crynwr sells support for free software | PGPok | are older versions of the
521 Pleasant Valley Rd. | +1 315-323-1241 | popular kids from high
Potsdam, NY 13676-3213 | | school. --Bryan Caplan

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: solving the wrong problem
Peter Fairbrother [EMAIL PROTECTED] writes:

Peter Gutmann wrote:

Peter Fairbrother [EMAIL PROTECTED] writes:

Didn't the people who did US/USSR nuclear arms verification do something very similar, except the characterised surface was sparkles in plastic painted on the missile rather than paper?

Yes. The intent was that forging the fingerprint on a warhead should cost as much or more than the warhead itself.

Talking of solving the wrong problem, that's a pretty bad metric - forging should cost the damage an extra warhead would do, rather than the cost of an extra warhead. That's got to be in the trillions, rather than a few hundred thousand for another warhead.

The cost was US$12M per warhead. I think that's sufficient.

Peter.
Two results on SHA-256 in progress
I haven't seen this announced anywhere, so here it goes:

http://www.cosic.esat.kuleuven.be/WeWorc/allAbstracts.pdf

Collisions for simplified variants of SHA-256
Krystian Matusiewicz and Josef Pieprzyk
pp. 140

Preliminary Analysis of the SHA-256 Message Expansion
Norbert Pramstaller and Christian Rechberger and Vincent Rijmen
pp. 145

Still work in progress, these two papers are just appetizers ;-)

--
Mads Rasmussen
Security Consultant
Open Communications Security
+55 11 3345 2525
Re: solving the wrong problem
John Denker wrote:

That's an interesting topic for discussion, but I don't think it answers Perry's original question, because there are plenty of situations where the semblance of protection is actually a cost-effective form of security. It's an example of statistical deterrence.

i've frequently used a metaphor about a bank vault door installed in the middle of an open field.

http://www.garlic.com/~lynn/aadsm15.htm#9 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/2002l.html#12 IEEE article on intelligence and security
http://www.garlic.com/~lynn/2003h.html#26 HELP, Vulnerability in Debit PIN Encryption security, possibly
http://www.garlic.com/~lynn/2003n.html#10 Cracking SSL

the other metaphor is the one about if all you have is a hammer, then all problems become nails.

and for some of the PKI related ... frequently they start out claiming the answer is PKI ... before asking what the problem is.

one of the current issues is that some financial operations are using a value for a userid-like capability and at the same time using the same value as a password-like capability. userid requires fairly high security integrity ... aka from PAIN

* privacy
* authentication
* integrity
* non-repudiation

and the userid capability also requires fairly general availability in order to establish permissions and as the basis for other business operations.

however, the password capability requires very high privacy and confidentiality.

the result is relatively high diametrically opposing use criteria ... high integrity and generally available ... vis-a-vis high confidentiality.

pure encryption might claim that they could meet the high confidentiality requirements ... but that then tends to break all the generally available requirements for its userid function (and/or exposing it in the clear for all its business use operations creates enormous number of points for the value to leak out)

the fundamental threat model then turns out not to be there isn't enuf encryption ... the fundamental threat model is a dual-use compromise ... where the same information is being used to select permissions (aka userid) and needs to be generally available ... while at the same time serving as a password (for authentication).
Re: solving the wrong problem
Dave Howe wrote:

Nonsense fence maybe less metaphoric but more clear.

I disagree - one picket fence gives a clear impression of a protective device that is hardened at but one point - leaving the rest insecure. nonsense fence doesn't give any real image.

Perhaps, but sometimes rubbish just better be named rubbish without any metaphorical allusions. For everyone's good.

--
Ilya Levin
http://www.literatecode.com
spyware targets bank customers. news at 11.
A major identity theft ring has been discovered that affects up to 50 banks, according to Sunbelt Software, the security company that says it uncovered the operation. The operation, which is being investigated by the FBI, is gathering personal data from thousands of machines using keystroke-logging software, Sunbelt said Monday.

http://news.com.com/ID+theft+ring+hits+50+banks%2C+firm+says/2100-7349_3-5823591.html

(Hat tip to Adam Fields for pointing this one out to me.)

Perry