Re: best practices considered bad term

From Wet Echidna, 10 Years ago, written in Plain Text.

URL http://geopaste.scratchbook.ch/view/b81a64f8

Shorturl

Error: Input provided by user is not valid

Embed

From: Peter Gutmann <pgut001-AT-cs.auckland.ac.nz>

To: iang-AT-iang.org

Subject: Re: best practices considered bad term

Date: Mon, 02 Feb 2015 03:44:42 +1300

Message-ID: <E1YHvlS-0007fQ-NU@login01.fos.auckland.ac.nz>

Cc: for-gmane-AT-mutluit.com, cryptography-AT-metzdowd.com, kentborg-AT-borg.org

Archive-link: Article, Thread

ianG <iang@iang.org> writes:

>As a wider philosophical question, is it even appropriate to promote or

>accept 'best practices' in the security world? It's presence is almost a

>complete proof that we're not doing security, we're instead participating in

>a rain dance or voodoo for purposes of avoiding security.

This is particularly the case for the "cryptography" subset of "security", for

which "best practice" seems to be synonymous with, as Linus put it, "people

wanking around with their opinions". In something like medicine we have

evidence-based best practice, "don't discontinue your antibiotics until you've

gone through the full course". In agriculture we have "don't overuse one type

of fungicide or you'll end up with resistant strains".

In contrast in crypto it's "Use ECC!" / "No, use RSA with an 8K key!" / "No,

use AES-GCM!" / "No, use Poly1305-AES" / "No, use ECC but only with My Pet

Curve!" / "No, use Ed25519" / "Camellia! Gost! Twofish! SEED! LIONs and

Tigers and BEARs, oh my!", ignoring the fact that an attacker won't care what

you do since they're exploiting a buffer overflow in some ancillary support

library that you don't even know exists.

In medicine and agriculture we know from real-world experience that if you

don't follow best practice (in the use of antibiotics, fungicides, whatever),

bad things will happen. In the crypto world if you don't follow best practice

(pick someone's at random, it doesn't make much difference) chances are

nothing will happen, and even if you do follow best practice, you'll probably

get owned anyway because crypto won't stop anyone who wants to get in (see

Shamir's Law, what I mean here is that if there's a way in then it won't

involve breaking the crypto, an extended form of which is in this slightly

NSFW poster: https://www.kiwicon.org/site_media/poster_shit.pdf).

So it's certainly a rain dance, but I wouldn't say it's for avoiding security,

it's for avoiding liability, a la "no-one ever got fired for buying IBM".

Peter.

Author

Title

Language

Your paste - Paste your paste here

From:	 	Peter Gutmann &lt;pgut001-AT-cs.auckland.ac.nz&gt;
To:	 	iang-AT-iang.org
Subject:	 	Re: best practices considered bad term
Date:	 	Mon, 02 Feb 2015 03:44:42 +1300
Message-ID:	 	&lt;E1YHvlS-0007fQ-NU@login01.fos.auckland.ac.nz&gt;
Cc:	 	for-gmane-AT-mutluit.com, cryptography-AT-metzdowd.com, kentborg-AT-borg.org
Archive-link:	 	Article, Thread
ianG &lt;iang@iang.org&gt; writes:

&gt;As a wider philosophical question, is it even appropriate to promote or
&gt;accept 'best practices' in the security world?  It's presence is almost a
&gt;complete proof that we're not doing security, we're instead participating in
&gt;a rain dance or voodoo for purposes of avoiding security.

This is particularly the case for the &quot;cryptography&quot; subset of &quot;security&quot;, for
which &quot;best practice&quot; seems to be synonymous with, as Linus put it, &quot;people
wanking around with their opinions&quot;.  In something like medicine we have
evidence-based best practice, &quot;don't discontinue your antibiotics until you've
gone through the full course&quot;.  In agriculture we have &quot;don't overuse one type
of fungicide or you'll end up with resistant strains&quot;.

In contrast in crypto it's &quot;Use ECC!&quot; / &quot;No, use RSA with an 8K key!&quot; / &quot;No,
use AES-GCM!&quot; / &quot;No, use Poly1305-AES&quot; / &quot;No, use ECC but only with My Pet
Curve!&quot; / &quot;No, use Ed25519&quot; / &quot;Camellia! Gost! Twofish! SEED!  LIONs and
Tigers and BEARs, oh my!&quot;, ignoring the fact that an attacker won't care what
you do since they're exploiting a buffer overflow in some ancillary support
library that you don't even know exists.

In medicine and agriculture we know from real-world experience that if you
don't follow best practice (in the use of antibiotics, fungicides, whatever),
bad things will happen.  In the crypto world if you don't follow best practice
(pick someone's at random, it doesn't make much difference) chances are
nothing will happen, and even if you do follow best practice, you'll probably
get owned anyway because crypto won't stop anyone who wants to get in (see
Shamir's Law, what I mean here is that if there's a way in then it won't
involve breaking the crypto, an extended form of which is in this slightly
NSFW poster: https://www.kiwicon.org/site_media/poster_shit.pdf).

So it's certainly a rain dance, but I wouldn't say it's for avoiding security,
it's for avoiding liability, a la &quot;no-one ever got fired for buying IBM&quot;.

Peter.

Create Shorturl - Create a shorter url that redirects to your paste?

Private - Private paste aren't shown in recent listings.

Delete After - When should we delete your paste?

Re: best practices considered bad term

Reply to "Re: best practices considered bad term"