Tuesday, July 14, 2009

Podcast: Crypto-Gram 15 April 2008: Security mindset.

from the Apr 15, 2008 Crypto-Gram Newsletter
by Bruce Schneier

* The Security Mindset

Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.

We can't help it... <~ this is very cool, this is *exactly* how I feel. I cannot go into a bank without thinking how I could rob this bank, how I could smuggle a gun inside... same story at the airport... same story in shops, how I could steal, going to a movie without paying, exploiting Facebook... etc. Not that I want to, but I simply can't help thinking of every way to exploit a potential vulnerability..

I've often speculated about how much of this is innate, and how much is teachable. In general, I think it's a particular way of looking at the world, and that it's far easier to teach someone domain expertise -- cryptography or software security or safecracking or document forgery -- than it is to teach someone a security mindset.

I should start blogging the possible ways to exploit everything around me...

* The Feeling and Reality of Security

Security is both a feeling and a reality, and they're different. You can feel secure even though you're not, and you can be secure even though you don't feel it.

There is considerable value in separating out the two concepts: in explaining how the two are different, and understanding when we're referring to one and when the other. There is value as well in recognizing when the two converge, understanding why they diverge, and knowing how they can be made to converge again.

Rabbits that are good at making that trade-off will tend to reproduce, while the rabbits that are bad at it will tend to get eaten or starve.

People make most trade-offs based on the *feeling* of security and not the reality.

If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us *feel* more secure over security that actually makes us more secure.

Two ways to make people feel more secure:
1) to make people actually more secure and hope they notice.
2) to make people feel more secure without making them actually more secure, and hope they don't notice.

The key here is whether we notice.
The feeling and reality of security tend to converge when we take notice, and diverge when we don't.

People notice when:
1) there are enough positive and negative examples to draw a conclusion
2) there isn't too much emotion clouding the issue.

Length: 23:22
PS: this is my cheat sheet of Bruce Schneier's podcast.
