Zarf's Journal: Convenience To Security Scale

I was thinking about a few things... we're doing a kind of security system audit at work and I've come up with a few koans about it:

Convenience is inversely proportional to Security.

The more secure something is the more inconvenient it is.

The easiest security system to use is one that doesn't exist.

In one measure the goal of security is to make things hard for people. Specifically, it should make things extremely hard for Bad People (tm) and not too hard for Good People (tm).

So to that effect I've created the Convenience to Security Scale (patent pending).

On a scale from 1 to 10, a system that rates a 1 has no security whatsoever and is (presumably) very easy to use. A system that rates a 10 is perfectly secure because it is completely inaccessible. The goal is to judge where on the scale your system needs to be.

This model works even for insecure and frequently crashing programs, since the frequent crashes are viewed (in this model) as a security feature preventing attackers from using the service. So making the program more stable, and thereby more usable, makes it more attackable... lowering its rating on the scale. A program that can't execute is perfectly secure since it can never be attacked.

The "secure" in this model is also referring to the protection of information... no "secret" information is divulged by the program. So a program that can't produce output is perfectly secure... it is also perfectly unusable.
Comments
  • It actually comes around full circle -- having no possibility of gaining access is just as easy as having unrestricted access (it's just as though the thing to be accessed didn't exist, that's all). It's the stuff in the middle that's a pain -- jumping through hoops to get access.
    • Weird, I guess it does. A perfectly unusable system is perfectly easy to use because you can use it perfectly in all the ways that you can use it... because you can't use it in any way...

      Uh, I guess it's like dividing by zero.
  • Is to make it just insecure enough that the user will still bother to use it.
    • Or that the "Good Users" will still use it and the "Bad Users" will stop using it. For example: Easy enough for "Good" Email to get through but hard enough to stop Spam.
  • You didn't think that everyone would miss the glaring flaw, did you?

    This model works even for insecure and frequently crashing programs since the frequent crashes are viewed (in this model) as a security feature preventing attackers from using the service. So making the program more stable and thereby more useable makes it more attackable... lowering its rating on the scale. A program that can't execute is perfectly secure since it can never be attacked.

    Where, then, on the scale does Windows fit with its BSODs-O-plenty?
    • Where, then, on the scale does Windows fit with its BSODs-O-plenty?

      It seems to me you've illustrated a paradox. Perhaps it's so obvious, I shouldn't have even brought it up.
      That would be the point. Having to reboot every 14 days or not being able to handle a heavy load could actually be seen as a security device. While I was in Germany I would hear US Army radio... they had a PSA that said, "Click it, Flick it, and Stick it to the Hackers!" Shutting your computer down at night was seen as a security f
