From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Tue Jul 16 2002 - 12:42:24 MDT
On Tuesday, July 16, 2002, at 01:15 pm, Rafal Smigrodzki wrote:
> Harvey Newstrom wrote:
>
> In rigorous security analysis, it turns out that trust is a bad thing.
>
> ### I think you are right, however, dealing with trustworthy agents is
> vastly more economically productive and safer than dealing with
> deceptive
> ones, even if you are capable of verifying their behavior. Strong
> security
> tends to be expensive, in terms of the transaction costs, and the
> ability to
> reduce the expense without incurring losses from deceptive behavior is
> clearly a boon. Instead of having to minutely check every detail of your
> dealings, you can afford to do only spot checks, and ruthlessly remove
> cheaters. So in a more general and long-term analysis of the society
> as a
> whole, trustworthiness (and by extension, well-placed trust) are a good
> thing.
This is the airport random screening philosophy, and frankly it doesn't
work. If you don't secure every transaction, you are merely playing a
gambling game with statistics. This is not real security, and not
likely to prevent attacks. Even if it works 99% of the time, the
attackers just keep retrying until they get through. Also, security
saves money rather than costing money. Blocking a single 9/11 magnitude
incident would pay for a lot of security.
-- Harvey Newstrom, CISSP <www.HarveyNewstrom.com> Principal Security Consultant <www.Newstaff.com>
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:15:29 MST