Re: Re: [Full-Disclosure] Security & Obscurity: physical-world analogies
From: James Tucker (jftuckergmail.com)
Date: Thu Sep 02 2004 - 19:49:32 CDT
A very well stated argument. The only remaining point I would like to
hear your opinion on is whether said analogies may be useful (although
clearly never complete) in the education of people, in order to
provide an abstraction which they may understand more immediately
rather than to require further knowledge in the field?
On Thu, 02 Sep 2004 17:37:20 -0500, Frank Knobbe <frankknobbe.us> wrote:
> On Thu, 2004-09-02 at 11:24, Peter Swire wrote:
> > I think there is a strong analytic similarity between a firewall
> > and physical settings where guards are deciding whether to let
> > people/trucks/etc. through a gate.
> > [...]
> > In both cases, there is "filtering" by the defenders. Some
> > entrants are excluded. Some get more intensive screening. The level of
> > filtering varies with the perceived level of the threat.
> I was trying to stay out of this discussion, but I do have to throw in
> some comments. I do not believe that we can make accurate and meaningful
> analogies between the physical realm and the information technology
> realm or cyber space or whatever you want to call it.
> The analogies we make "appear" to serve our purpose for making it
> easier to understand the difficult issues surrounding IT based
> scenarios, but in fact are presented solely for one situation. Any
> modification of the situation, and reaction scenarios, break down
> quickly because they can not be performed in both worlds with the same
> results and same action-reaction behavior.
> Case in point: You say firewalls are like entrances. People (in lieu of
> packets) are inspected and gain entrance or not. For a single
> person/packet, this works. While in the physical the person can not
> circumvent the entrance, in the information world this is quite easily
> achieved. In cyber space, the person-packet would just clone or copy
> itself a million times, overwhelming the inspectors and slip past the
> To really illustrate the point, let me make a more colorful example.
> People-packets in the real world can be stopped by a moat around the
> castle. The people-packet runs towards the castle and falls into the
> moat. People-packet has ceased to exist. In cyber space, the
> people-packet will again clone itself and run "purposefully" into the
> moat, piling up the "dead" people-packets until the moat is full. The
> remaining people-packets can then enter the castle.
> Feel free to play through the same scenario with a wall where "dead"
> people-packets get purposefully deployed in front of the wall until the
> last people-packet can climb the packet mountain and pass over the wall.
> There are some that say certain aspects don't work in the real world...
> these people think in terms of the real world. There are other people
> that say other aspects don't work that way in cyber space. That's
> because they think through the scenario with information technology as
> the background. There will be people in each camp that see certain
> aspects as useful, but each will again view it from their own
> Analogies between the "worlds" work when we want them to work. The same
> analogies can be shot down if we don't like them. These analogies do not
> allow us to represent one world when trying to make a point in another.
> The copy conundrum: You have a chair. Dave wants to steal your chair. If
> he does, you know your chair has been stolen. In cyber space, Dave can
> steal your chair by making a copy. You still have your chair and you do
> not know if it was stolen or not. Dave does have your chair now, but you
> don't know.
> Leftovers: Let's say you burned said chair. Let's say Dave told you that
> he came to your house, made a copy of your chair, drove home and put the
> copy into his living room. In the real world you might go to Dave's
> house and remove/destroy your chair. In the IT world you will find that
> said chair is not only present in Dave's living room, but there is an
> inadvertent copy left in his car. Oh, and also on his hands, or any
> other place that the chair passed through.
> Physical objects can not be compared to information. Try to imagine a
> computer program in the real world. It doesn't work. Information and
> ideas, communication and packets, security vulnerabilities, attacks and
> security countermeasures can not be quickly substituted with real world
> physical objects. Henceforth any attempt to place analogies of scenarios
> from one world into the other is flawed.
> PS: When I flew over your paper, I read a lot about security and secrecy
> of information. What I did miss was the distribution of misinformation.
> And no, it does not easily compare to obscurity. While obscurity does
> not improve security, it does add value along with security ... in the
> physical as well as information technology world.