On Wednesday 22 June 2005 18:09, Gervase Markham wrote:
> Tyler Close wrote:
> > A reasonable conclusion to draw from the MIT study is that if the user
> > is not actively involved in the protection mechanism, he will ignore
> > it.
>
> How is that a reasonable conclusion from anything? A user isn't actively
> involved in his car's airbag, but it still protects him in the event of
> a crash.

This is the difference between 'safety' and 'security'. In brief, a 'safety' good works statistically well, and generally does what it intends. If it fails, it fails in known non-malignant ways so just little tricks like making it bigger will help.

In contrast a 'security' good has to face a malign attacker who deliberately inserts the attack into the gaps. To puncture the analogy, the airbag won't protect when the driver has a spike for a nose...

For this reason we could consider that deploying two agents working together works well: a human spots anomalies and can deal with suspicion which is good for spotting the between-the-cracks attacks. Whereas software is good at doing routine but boring things like checking a cert. It just doesn't ever know if it has been handed the wrong cert to check, for that it needs a suspicious person. The two strengths work well together and help to address each other's weaknesses.

(But, to close the loop, to spot those anomalies, the user has to play their part. Hence, making them an active albeit efficient part of the security model is necessary for high security in the face of an active attack.)

iang
--
Advances in Financial Cryptography, Issue 1:
https://www.financialcryptography.com/mt/archives/000458.html
Daniel Nagy, On Secure Knowledge-Based Authentication
Adam Shostack, Avoiding Liability: An Alternative Route to More Secure Products
Ian Grigg, Pareto-Secure