Security systems and requiring attacks instead of accidents to evade them

December 27, 2021

Very recently, in the course of a conversation on Twitter that more or less about our internal network access authentication needs, it struck me that sometimes that part of the purpose of a security system is to make it so that an actual attack is required to get past the security, instead of just an accident. I am considering attack in a broad sense, in the sense that someone who wants to sidestep your security needs to actively do something unusual.

There are two useful things that come from this simple dividing line. On the technical side, your security system is avoiding accidents. Here, for example, we don't want the "accident" of a new person plugging their laptop into our network (or getting on to our wifi) and immediately getting Internet access. In practice our network access system may not be throwing a big roadblock in their way, but it is throwing some sort of roadblock, one that they can't just go right over without noticing.

(Our wifi network has a network password, but you can imagine situations where the network password might get posted on a sign on the wall and lead visitors to think it was an open-access network. And a visitor might well have heard the instruction 'plug your laptop into any red network cable', which is a common one that people are told.)

On the social side, it makes a social and policy difference that a person has taken active steps to evade your security. Such a person can't claim to have made an innocent mistake, like plugging their laptop into a handy network cable and then accepting the result. They've taken active steps to bypass security. Because this is the case, you can also react to any unauthorized activities that you notice with the pretty sure knowledge that this isn't an innocent mistake. The person involved has little to no cover and you have more certainty about what's going on.

To use a metaphor, even if a fence is low, it means that people have to actively step over it instead of merely walking along.

(I've probably had something like this realization in the past, but I don't think I've written it down before.)

Written on 27 December 2021.
« Our webmail is a surprisingly popular service
A thesis: large, significant open source projects must keep moving or die »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Dec 27 00:05:36 2021
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.