This post originated from an RSS feed registered with Python Buzz
by Ian Bicking.
Original Post: State of Cryptography
Feed Title: Ian Bicking
Feed URL: http://www.ianbicking.org/feeds/atom.xml
Feed Description: Thoughts on Python and Programming.
Christopher Allen has an interesting article (via) on the state of
the encryption business. But he doesn't just whine, he comes up with
an interesting analysis:
The decline of the security industry is based upon a basic
disconnect between the business world and the security world.
Within the security industry we base our models of trust upon
mathematics. We strive to continually push the envelope by
codifying security and improving it. On the other hand the
business industry bases its models of trust upon risk. It balances
the risk of a bad outcome, the cost of that bad outcome, and the
cost of reducing that risk. Even if a system is technically
insecure, the business world will accept it if the risk of a
security breach is low, the cost of a security breach is low, or
the cost of closing that breach is high.
Where our model is mathematics, theirs is economics. These two
models worked well in tandem for quite a few years; the need for a
security industry was initially obvious because of the totally
undefined risks and the potentially high costs that were out
there, waiting to be taken advantage of.
But now, years later, we've done our job too well. We've taken all
those undefined risks and codified them -- made them real and
quantifiable. We've offered real demonstrations of online security
through years of ecommerce, and in doing so we've proven lower
rates of credit card fraud, and almost total proof from high-cost
offline problems like extortion and bad reputation. We've helped
fill out business' risk models and so shown when we were necessary
and when we weren't.
I would add that it's not just the cost of closing a breach or
implementing a secure system -- increased security often makes
systems noticeably less usable and less reliable. But then he brings
this up too. We don't need more secure systems -- at least in most
traditional areas of security concern -- we need more usable
security.
Outside of business concerns -- i.e., for individuals -- there are
still a lot of security problems. But then, he talks about that too,
so now I'm just repeating him. Anyway, interesting article.