On Feb 25, 2010, at 7:14 AM, Brian Postow wrote:
> As a theorist I agree. You can't win that game. The hacker, if they re-write 
> the OS can always get around whatever you put there, and usually there are 
> easier ways than that.
> 
> OTOH, it depends a lot on your customers (or your customer's customers). If 
> they are programmers, then you either want to make it really really strong, 
> or just give up and rely on good will to "not cheat". If they are "normal 
> people" then just making it difficult may be enough. 

Absolutely. In security parlance, you need to consider your threat model. The 
threat model includes the characterization of attackers' capabilities, from 
which you decide which attackers you will work to defend against and which 
attackers you will ignore.

Toy example: the lock on your little sister's diary. The threat model includes 
you (at an appropriate big brother or sister age), your parents, and the local 
police. The lock is secure against you: you do not have the capability to pick 
the lock, and you are unwilling to damage it and face the wrath of your 
parents. The lock is an obstacle to your parents: they can't pick it either, 
but will not damage it without sufficient motivation. The lock is no obstacle 
to the police: they can simply pick it undetected. 

Bigger example: your SSH client. It's secure against casual eavesdroppers. It 
is less secure against a man-in-the-middle attack, but the attacker would need 
more power and more money to gain sufficient control over your network. It is 
likely insecure against a well-funded government motivated enough to spend 
money searching for bugs in the code. 

The question is not "is the diary lock secure" or "is the SSH client secure". 
Instead you need to know "is it secure enough" compared to your needs and the 
costs of making it more secure. The diary lock is secure enough for your kid 
sister, but not secure enough for a bank's records. The SSH client is secure 
enough for you, but possibly not secure enough for the NSA.


Back to DRM: the risk in the DRM threat model is not that you have lots of 
well-funded or well-motivated attackers, but rather that if a 
single well-funded or well-motivated attacker succeeds then the results will 
likely be distributed to the other poorly-funded and poorly-motivated 
attackers. By comparison, if the NSA breaks your SSH client they're unlikely to 
disclose any details to the local eavesdropper who's scanning for credit card 
numbers.


-- 
Greg Parker     gpar...@apple.com     Runtime Wrangler


_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
