Episode: 1581
Title: HPR1581: Sensible Security: The Schneier Model
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1581/hpr1581.mp3
Transcribed: 2025-10-18 05:16:38
---
This episode of HPR is brought to you by AnHonestHost.com. Get a 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.

Hello, this is Ahuka, welcoming you to Hacker Public Radio and another exciting episode in our security and privacy series. In this one, what I want to do is give you a way of thinking sensibly about security, and to do this I'm going to be pulling on some stuff done by real smart security people, in particular for this one Bruce Schneier.

If you cast your mind back to 2001, there was a certain incident on September 11th that led many people to go "oh my god, we are doomed, we must increase security, do whatever it takes," and the NSA was happy to oblige. And on 7/7/05, July 7th of 2005, an attack in London added to the frenzy. I think it is fair to say that the security agencies felt they were given a mandate to do anything as long as it stops the attacks, and thus was the overwhelming attack on privacy moved to a whole level higher.

Now, to be clear, security agencies are always pushing the limits; it is in their DNA. And politicians have learned that you never lose votes by insisting on stronger security and appearing tough. But the reality is that security is never 100%, and the higher the level of security, the greater the costs in terms of our privacy and liberty. It is also the case that total insistence on liberty and privacy would cause your security to go down as well, so you should not adopt any simple-minded approach to this problem.

In general, as you add layers of security, each added layer gives you less benefit. Some simple security steps can give you a lot, but as you add more and more, the added benefit drops. This is an example of what we call the law of diminishing returns. By the same token, each added measure extracts an ever-increasing cost in terms of the loss of liberty and privacy. Conceptually, you could draw a couple of curves, one rising for the costs, the other falling for the benefits, and look for where the curves cross to determine the optimum level of security that balances the costs and benefits. In practice it's not that simple: measuring these costs and benefits is tricky, and there is no simple equation for either curve. Nonetheless, a balance of some kind does need to be struck.

I want to be clear that my position is I don't think we should get rid of all government security services. I don't think that spying is one of those things that no one should ever do for any reason, and I think they very often do valuable things; in some cases I'd like to see them do more. You know, when we take a look at cyber security and how we secure computer systems, I think there's a very valuable role for government experts in helping to make this happen. So I'm not an anarchist about all of this, but my position is you have to strike a balance, and as a member of the public I think I need to have my voice heard about this.

So, in the wake of the 9/11 attacks, Bruce Schneier published a book called Beyond Fear: Thinking Sensibly About Security in an Uncertain World, which came out in 2003. In this book he shows that hysteria is not a good approach to security, and that you need to ask yourself some questions to see what the cost versus benefit calculation looks like for you. I'm going to draw on his model to talk about security as we are discussing it in this series.

Now, you've probably all heard the old joke about what constitutes a secure computer, and the answer is that it has to be locked in a vault with no network connection and no power connection, and even then you need to worry about who can access the vault. Now, it's a joke in the sense that no one would ever do this. We use computers and the internet because of the benefits they give us, and having a computer in a vault with no network connection and no power connection is just a waste of money. We accept a certain degree of risk because that's the only way to get the benefits we want.

So how does Schneier approach this? He suggests a five-step process. For any security measure you are contemplating, you need to have a clear-eyed, rational look at the costs and benefits, and Bruce's five-step process looks to accomplish this. This is a series of questions you need to ask in order to figure out if this particular measure makes any sense.

Question number one: what assets are you trying to protect? This is what defines the initial problem. Any proposed countermeasure needs to specifically protect these assets. You need to understand why these assets are valuable, how they work, and what attackers are going after and why. So if your problem is that someone has been stealing the mail out of your mailbox and your security measure is to lock the back door, hmm, kind of a mismatch there. Locking the back door may or may not be a good thing to do; in many cases it's probably a good thing to do, but it's not going to stop anyone from stealing your mail.

Question two: what are the risks against these assets? To do this you need to analyze who threatens the assets, what their goals are, and how they might try to attack your assets to achieve these goals. You need to be on the lookout for how changes in technology might affect this analysis, right? The risks are going to be a changing thing as the technology changes. For instance, we've talked a lot about encryption in this series; that's what we started off with. We talked about creating keys, and one of the things we said was that the expectation by NIST was that 2048-bit PGP would stand up to attack until the year 2030. Now, they come up with that by making estimates of how quickly computing power is increasing, you know, looking at Moore's law and things like that. If there's a breakthrough in quantum computing, that's going to change everything. Now, if there's a breakthrough in quantum computing, our standard ways of encryption almost immediately become like tissue. On the other hand, what I haven't heard too many people say yet is, if we have a breakthrough in quantum computing, maybe there is a new way of doing encryption. You know, it is kind of an arms race here, but you need to keep up with what's going on in technology.

Question three: how well does the security solution mitigate the risk? Now, "mitigate" is a useful term here, as opposed to "totally eliminate," because very rarely do you totally eliminate a risk. Very often it's just a matter of making it not worth anyone's while. You know, I remember a joke about two campers who are out in the woods, and all of a sudden they realize that there's a bear who is prowling around their campsite, and one of the guys says, "All right, I've got to get my track shoes." The other guy says, "Well, track shoes aren't going to help; you cannot outrun a bear." And the first guy says, "Don't have to. I just have to outrun you." You know, mitigation is very often a case of just giving yourself a little edge. A good example of mitigation is locking your front door. Most of us do that, at least in the United States; maybe where you are it's different. I always lock my front door when I leave in the morning. Could someone still break into my house? Yeah, they could. It's a little harder if the door is locked, so to me that is a reasonable amount of safety. You know, if they have to break down the door, that might get noticed by the neighbors, someone might call the police, and generally the feeling is, if you just make it a process where they move on to some other place that's easier to deal with, then you've achieved your goal.

So understand your countermeasure. All right, how will it protect the asset when it works properly? But you also need to take into account what happens when it fails, because no security measure is a hundred percent foolproof, and every one will fail at some point in some circumstances. A fragile system fails badly; a resilient system handles failure well. Think about that: a fragile system fails badly, a resilient system handles failure well. One of the things about 9/11 that I have not heard enough people talk about is that the experts didn't do a damn thing that was useful; it was individual people. All right, individual people are resilient; security systems tend to be very fragile. Now, a security measure could be slightly less effective under ideal conditions but handle failure much better, and that might make it the optimum choice. So that's one of the things you need to think about. Another one is that a measure that guards against one risk may increase vulnerability somewhere else. And then you've got to watch out for the whole false positive versus false negative trade-off. It is a truism that any set of measures designed to reduce the number of false negatives will increase the number of false positives, and vice versa: reduce the false positives and the false negatives will go up. Now, a false positive is when you think you've discovered an attack and you didn't really; a false negative is where you think everything's fine and yet you really are under attack. You know, both of those are problems.

Question four: what other risks does the security solution cause? Security countermeasures always interact with each other, and the rule is that all security countermeasures cause additional security risks.

Question five: what trade-offs does the security solution require? Every security countermeasure affects everything else in the system. It affects the functionality of the assets being protected; it affects all related work and connected systems; and they all have a cost, frequently but not always financial, but also in terms of usability, convenience, and freedom.

So these are the five steps that you want to go through to evaluate, and you don't just do this once. You need to re-evaluate as the systems evolve, as the technology changes. There's a saying, "security is a process," and that's really what we're talking about.

Now I'm going to take a look at a very common one, and in fact it's going to set me up, because I want to talk about this some more going forward, and that's passwords. We'll take a look at that in this context. So I have a cartoon on the wall of my cubicle at work that shows an alert box that says "password must contain an uppercase letter, a punctuation mark, a three-digit prime number, and a Sanskrit hieroglyph." I think the only thing they left out was a squirrel noise. Now, we've all encountered this; it does get frustrating. This is a humorous take on something that is an accepted best practice. I recall the story about a fellow who worked at a company that insisted he regularly change his password, and would also remember the eight previous passwords and not let him use any of them again. But he liked the one he had, so he spent a few minutes changing his password nine times in a row, the last time being back to his favored password. Now, was he a threat to security, or was the corporate policy misguided? Let's try Bruce's model and see where we get.

What assets is the company trying to protect? Now, I think this has several possible answers. The company may want to prevent unauthorized access to corporate data on its network; or the company wants to prevent unauthorized use of its resources, possibly with legal implications; and the company may be concerned to prevent damage to its network. All of these are good reasons to try and control who has access to this asset and to protect it, but knowing which of these is being targeted may matter when we get to trade-offs and effectiveness of the proposed countermeasures. For now, let's assume the primary interest is in preventing unauthorized access to the data, such as credit card numbers on an e-commerce site.

Question two: what are the risks against these assets? Well, if we're talking about credit card numbers, the risk is that criminals could get their hands on these numbers. From the company's standpoint, though, the risk is what can happen to them if this occurs. Will this cause them to assume financial penalties? Will the CEO be hauled in front of legislative committees? Will their insurance premiums rise as a result? This is the sort of thing companies really care about, and when you understand this you begin to see why companies all adopt the same policies. When people talk about best practices, you should not assume that anyone has actually determined in a rational manner what the best practices should be. It only means that they are protected in some sense when things go wrong; after all, they followed the industry best practices. The biggest failure of security is when companies or organizations just apply a standard set of rules instead of creating a process of security. I see this criticized constantly in my daily newsletter from the SANS Institute.

Question three: how well does the security solution mitigate the risks? This becomes a question of whether forcing people to change their passwords frequently is a significantly effective measure in preventing unauthorized access to computer networks, and here's where things really start to break down. It is very difficult to come up with many examples of cases where a password in use for a long time leads to unauthorized access. That's simply not how these things work. We know that the majority of these cases derive from one of two problems: social engineering to get people to give up their password, and malware that people manage to get on their computer one way or another. Now, how does that work? Let's take social engineering for number one. We're always hearing stories about how some security company, and I have a friend who does this kind of testing for his customers, he's a security professional, and you know, the first thing they do when they're evaluating the security is they start calling people up and saying, "Oh hi, I'm from the IT department, I'm just trying to verify something, could you give me your password?" And about half the time people do. Well, this has been done over and over again; all you have to do is, you know, plausibly look like you're the sort of person they ought to give this stuff to. Now, does changing your passwords frequently stop that attack? No, it doesn't do a damn thing.

Now the other one is people managing to get malware. Okay, RSA, which is a security company, they lost the keys to the kingdom; they lost the keys to the RSA security tokens from malware, because a secretary clicked a link in an email. There was an attack levied against Iranian facilities, and it's pretty clear now that it was some combination of the US government and the Israeli government that worked on all of this, and the way they got it on there was by dropping USB keys on the ground in the vicinity of the facility, figuring someone will pick it up and say, "Oh look, a USB key, lucky me," plug it into their computer, and then the software gets in there. There are lots of ways to do this. Okay, making people change their passwords won't guard against any of these things, and this is really the thing: you've got a policy that everyone complies with because it is a best practice, and when you look at it, it does not guard against the risks that are out there. Now, can you make an argument that forcing people to frequently change passwords might in rare cases actually do some good? Maybe. But there's no way to say that this is in general an effective countermeasure against unauthorized access. It simply isn't.

Question four: what other risks does the security solution cause? There are several possible risks that come out of this. First, since all security measures require a variety of resources, and remember, people's time and attention are among those resources, emphasizing one security measure may take resources away from more effective measures that don't get sufficient attention. But there are also risks from how people act in response to this policy. In the ideal world of the security department, each person with access would choose a long, complicated password each time, chosen for maximum entropy, and then memorized but never written down. Yeah, that'll happen. Sadly for the security department, they have to deal with actual human beings who do not do any of these things. Most people at the very least consider this an annoyance; some may actively subvert the system, like the fellow in our story who changed his password nine times in a row to get back to the one he liked. But even without this type of subversion, we know what people will do. If you let them, they will choose something that is easy to remember as their first attempt, and that means they will most likely choose a password that can easily be cracked in a dictionary attack. If you instead insist that each password contain letters, numbers, upper and lower case, a Sanskrit hieroglyph, and two squirrel noises, they will write it down, probably on a yellow sticky note attached to their monitor. If the person in question is a top executive, of course, it gets even worse, because they don't put up with the BS that the ordinary worker bees have to tolerate.

Question five: what trade-offs does the security solution require? Well, this policy causes a major impact on usability and convenience, and all of this for a policy that, as we saw above, actually accomplishes very little. In the majority of organizations the IT department is viewed with a certain amount of hostility, and this is part of it. In addition, anyone on an IT help desk can tell you that they get a lot of calls from people who cannot log in because they forgot their password, which is a natural consequence of forcing people to keep changing it.

So, bottom line, what does all this mean in the final analysis? I think it means you need to carefully consider which measures are actually worth taking, and this is at least in part a cost versus benefit analysis. For instance, as I initially wrote this, the Heartbleed vulnerability was in the news, and I got to hear Bruce Schneier discuss how people should react. He did not say "oh my god, change all your passwords right now." He said you should assess the case: if it is your password to log into your bank, that's probably something you want to change, but if it was some social network you access once every two weeks, he said, don't bother. And that seems reasonable. As another example, although I have discussed how to encrypt emails and digitally sign them, that does not mean I open up GPG every time I send an email. It is something of a pain in the posterior to do, and I use it judiciously. I don't see the point in digitally signing every email when a lot of it is just stupid stuff anyway.

So I'm going to give three final rules from Bruce Schneier. All of this is in his book Beyond Fear, by the way, and he goes into this in much more depth.

Rule number one: risk demystification. You need to take the time to understand what the actual risk is, and understand just how effective any proposed security countermeasure would be. There will always be a trade-off. If the risk is low and the countermeasure is not particularly effective, why are you doing this? Saying "we must do everything in our power to prevent a risk that is unlikely, and where the countermeasures are not likely to work" is how you get to what Snowden revealed.

Rule number two: secrecy demystification. Secrecy is the enemy of security. Get that: secrecy is the enemy of security. If you're looking for security, making things secret doesn't get you there. Security can only happen when problems are discussed, not when discussions are forbidden. Secrecy will always break down at some point; see above, Snowden. This is the failure mode of security by obscurity. Most often secrecy is used to cover up incompetence or malfeasance.

Rule number three: agenda demystification. People have agendas and often use security as an excuse for something that is not primarily a security measure, and emotions can lead people to make irrational trade-offs.

So with that, this is Ahuka signing off, and as always reminding you to support free software. Bye bye.

This show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our Contribute link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and it's part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike license (www.fieldrie.org).