[NTLUG:Discuss] OT? security comparison

steve sjbaker1 at airmail.net
Wed Nov 16 07:17:28 CST 2005


Neil Aggarwal wrote:
> Terry:
> 
> Using your analogy, I think it is like putting the key in an envelope,
> writing the word "Key" on the outside, and leaving it on top of the doormat.
> 
> Anyone that is looking will have full access to whatever you are sending.
> 
> If they are looking in the first place, they have some mischievous
> or malicious intent.

A lot depends on just how sensitive that information is - and who you
are protecting it from.

If you are in business and you suspect that a well motivated and
unscrupulous competitor is watching you - then you're going to need
a lot more security than if you are just worried about whether
someone might spot your credit card number in an email to some
small online trader.

In the former case, someone with a lot of resources knows exactly
where to look and what they are looking for.  There is sufficiently
little information coming out of your business for them to carefully
look at each email and have a human read it.   Simply zipping up
the information and putting it into an attachment is zero security.

However, in the latter case, it's remotely possible that someone
is intercepting emails and looking in the body of the email for
things that look like credit card numbers - but there is simply
so much traffic for them to look at with such a phenomenally low
probability that any given email is of interest to them that they
MUST be using some kind of automated scanner.  In that case, it's
pretty unlikely that they'll be bothering to  unzip binary attachments
(which are overwhelmingly going to contain junk as far as they are
concerned).

It also depends crucially on how sensitive the information you are
protecting is.  It's not worth encrypting letters to your mother
asking how she's feeling today.   It is worth encrypting bank
records.

So it's hard to come up with hard and fast rules.

"Security through Obscurity" (which is what you have by zipping
up information) is only effective against relatively unmotivated
automated search systems.  It doesn't work against determined
attackers.

It's the same analogy as the house key.   No matter where you
hide it, a determined search will find it - but a burglar cannot
afford the time and effort to do a microscopic search of your
front yard in the remote off chance that there is a key there.
He gets a better return on his efforts by looking under the
mats of 100 homes than doing a detailed search of one home's
entire front yard.  However, someone spying on your business
might well do a careful search of your trash cans just on the
off chance of finding some interesting business information.

But it also depends on what you are protecting.  The key to
my garden shed protects a couple of hundred dollars of
lawn mowers and weed eaters.  I can leave it in plain sight.

The wall safe that contains my most important paperwork has
a sophisticated combination lock and is inside my home which
has a key that I keep only on my person.

Different levels of protection for things of different value.

Saying that the Internet isn't utterly secure is like saying that
nothing in the whole wide world is utterly secure.   It's
true - but not a useful statement.   The Internet is REASONABLY
secure for transactions of REASONABLE value.   I have no qualms
at giving PayPal my credit card number and the security code
on the back - then using it to buy stuff on eBay.   I'm sure
it's not 100% secure - but it's secure enough for me.
