Immutable Security Laws

Are there "immutable laws of security"?

There has been a lively discussion about the "immutable laws of security" posted on Microsoft TechNet. Do those laws really exist, or are they simply a consequence of specific software architectures? How do we approach such a question?

A well known method of text analysis is so-called structural text analysis. The method tries to uncover the set of logical statements within and behind a text. Used one way, it lets us learn the set of statements that can be derived from a text. But it can also be used to uncover the preconditions of a text: which statements must be logically implied for the statements in the text to make sense? The method is "structural" in the sense that all those implicit statements and the explicit text need to form one logical structure. This is not really a strange idea. Everybody who has been involved in creating several related documents within a group has experienced that in the beginning the content seems arbitrary, but after a while the documents start constraining each other's content.

Applied to our "immutable laws", this lets us uncover the silent assumptions behind them. The same method, by the way, can be used to decode political speech and the hidden statements and assumptions behind it.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

There are bad guys and good guys. Owners of computers will usually not run software from other people on their machines. People can be persuaded to install other people's software. Getting persuaded to install software from "bad" guys is an error of the computer owner. If the software's author is bad, the computer owner loses control; if the author is "good", the owner does not. Software takes control of the complete computer simply by being installed and run.

The text leaves interesting logical holes: nothing is said about how to distinguish "bad" guys from "good" guys. Nothing is said about the differences between the software of those two groups. A computer cannot defend itself once software from "bad" guys is installed. No explanation is given WHY the computer owner loses control through the installation of software, or why the computer cannot defend itself.

Call me picky, but the logic in those statements has a hard time constituting "immutable laws" of security. The statements take the way certain operating systems work as canonical, nothing more. There are plenty of alternatives that do not make the security of a system depend on the intentions of whoever wrote the program: a program that runs with only the authority it was explicitly handed cannot take over the machine, whatever its author intended. Take a look at the capability work at erights.org and the cap-talk mailing list to get an understanding. If you are not into software, just take everyday things like cars and apply the "laws" to them: "if somebody changes a light bulb on your car you will no longer have control over it.." to see how hopelessly dependent on concrete implementations of systems those "immutable security laws" really are.
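To make the difference concrete, here is an added example (my own constructed code, not from the Technet text and not from erights.org): a "plugin" standing in for the bad guy's program is handed a capability object for exactly one directory instead of ambient authority over the whole file system, and the caller can attenuate that capability to read-only before passing it on. Python cannot actually take `open` or `os` away from the plugin, so this demonstrates the design pattern (grant one explicit authority, attenuate before delegating, refuse anything outside it), not a real sandbox. The names `DirCap`, `untrusted_plugin` and `run_demo` and the sample files are mine.

```python
"""Capability-style confinement of an untrusted plugin (constructed example).

The plugin never receives a path string, `os` or `open` as its authority;
it receives an object that grants one directory and nothing else.
"""
import os
import tempfile


class DirCap:
    """Authority over a single directory, optionally read-only."""

    def __init__(self, root: str, writable: bool = True) -> None:
        self._root = os.path.realpath(root)
        self._writable = writable

    def _resolve(self, name: str) -> str:
        # Refuse traversal: the resolved path must stay under the granted root.
        path = os.path.realpath(os.path.join(self._root, name))
        if os.path.commonpath([self._root, path]) != self._root:
            raise PermissionError(f"{name!r} escapes the granted directory")
        return path

    def read(self, name: str) -> str:
        with open(self._resolve(name), encoding="utf-8") as f:
            return f.read()

    def write(self, name: str, data: str) -> None:
        if not self._writable:
            raise PermissionError("capability is read-only")
        with open(self._resolve(name), "w", encoding="utf-8") as f:
            f.write(data)

    def read_only(self) -> "DirCap":
        # Attenuation: derive a strictly weaker capability from this one.
        return DirCap(self._root, writable=False)


def untrusted_plugin(cap: DirCap) -> dict:
    """Stand-in for 'his program': it can only do what `cap` allows."""
    outcome = {"read_config": cap.read("config.txt")}
    attempts = (
        ("overwrite_config", lambda: cap.write("config.txt", "pwned")),
        ("escape_root", lambda: cap.read("../secret.txt")),
    )
    for label, attempt in attempts:
        try:
            attempt()
            outcome[label] = "allowed"
        except PermissionError:
            outcome[label] = "denied"
    return outcome


def run_demo() -> dict:
    """Create a sandbox directory next to a 'secret' the plugin must not reach."""
    base = tempfile.mkdtemp()
    sandbox = os.path.join(base, "plugin_data")
    os.mkdir(sandbox)
    with open(os.path.join(sandbox, "config.txt"), "w", encoding="utf-8") as f:
        f.write("verbose=1")          # constructed sample file inside the grant
    with open(os.path.join(base, "secret.txt"), "w", encoding="utf-8") as f:
        f.write("do not leak")        # constructed sample file outside the grant
    full = DirCap(sandbox)
    # First run holds the full capability and overwrites config.txt;
    # second run holds only the attenuated, read-only one.
    return {
        "full": untrusted_plugin(full),
        "attenuated": untrusted_plugin(full.read_only()),
    }


if __name__ == "__main__":
    print(run_demo())
```

With the full capability the plugin may rewrite `config.txt` but still cannot reach `../secret.txt`; with the attenuated one it cannot even write. Whether the author of `untrusted_plugin` is "good" or "bad" never enters into it, which is the whole point of the argument above.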

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

Operating systems control a computer. Bad guys can change the operating system. If this happens, the computer owner loses control of the computer. So the operating system is what gives the user control of the computer. No explanation is given of why and how the change of an operating system happens; bringing law 1 and law 2 together, one can conclude that installing foreign software might be a means to do so. Any change in an operating system has the effect of losing control, and no explanation is given why any change has such drastic consequences (compare a dead headlight in your car: the brakes, engine etc. still work). In other words: operating systems have all-or-nothing characteristics.

Again, the statement that an OS is all-or-nothing cannot be an immutable law, because whether a system exhibits such behavior depends on its implementation: a kernel that isolates its components, so that a compromised driver cannot reach the rest of the kernel, fails gradually rather than completely.

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Unrestricted physical access to a computer causes the complete loss of the owner's control over this computer. No explanation is given why this all-or-nothing behavior is exhibited by the computer and its operating system, which controls the computer as we have learned from law 2. No explanation is given of what "physical access" means, but from cultural knowledge we can conclude that it means swapping hard disks etc. The assumption: no means of protecting a computer system exists that would survive physical tampering.

Think about hard disk encryption, keys on smartcards and in general the principle of protection through cryptographic secrets, and you will understand that again we hear about a specific implementation of an OS and NOT about immutable laws. Physical access still matters, of course: what survives it is the confidentiality of data at rest whose key is not on the box, while an attacker who can replace the boot path may capture the key the next time it is entered. But that is exactly the point: which of these the attacker gets is decided by the architecture (where the key lives, whether the boot path is measured), not by a law.

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

This is just a variation of law number one, but it assumes that the computing platform of a website has the same problematic use of ambient authority as a PC: an uploaded program runs with the authority of the web server rather than with the authority the uploader was granted. The cross-site scripting dangers of user uploads (a stored script that runs in other users' browsers) are not mentioned at all.

Law #5: Weak passwords trump strong security

The assumptions behind this: strong security using passwords is possible. There are strong passwords and weak passwords. With strong passwords, security is OK. Now what makes passwords weak? You got it: it's the dreaded user again. It is all the users' fault if they are too dumb to remember long and arbitrary sequences of alphanumeric characters with the occasional special character mixed in. Again the same pattern as above: put the blame on somebody else. The facts: passwords are NO GOOD security mechanism in ANY case. The password mechanism requires giving a secret away, and therefore relies on all participants being "good" (don't they just love the good guys at Microsoft? It only gets better when they have the Bitcom lobbyists demand tougher laws to keep the "bad" guys from doing their stuff. It has NOTHING to do with software architecture, of course...). Passwords NEVER scale and cannot provide non-repudiation: the verifier receives the secret every time it is used, so a password "proof" can be produced by the verifier just as well as by the user. Given human weaknesses, password reuse across systems (or outright synchronization) MUST happen, and it causes the complete breakdown of the security mechanism as soon as one of those systems leaks it. There is no "strong" security if a password mechanism is included! Again the failure mode is "complete and utter" and not gradual.

Law #6: A computer is only as secure as the administrator is trustworthy

This "law" assumes that all computer systems have or need an almighty administrator. The administrator is controlled through "trust" and there is no other way. There is nothing inside a computer system that cannot be changed or circumvented if an administrator wants to. The facts: there are a lot of approaches to providing mandatory access control, which of course also includes a full audit trail. Cryptographic means can make an administrator's manipulation of the system detectable, and keys held outside the box can prevent it outright. Fine-grained control through software is possible, which restricts the power of an administrator (and the need for one). The well-known and bad concept of the administrator in Unix and Windows is taken as a law. And on top of that: security has nothing to do with "trusting" a person; quite the opposite is true. You get security if you do NOT have to trust somebody. The fact that you need to trust somebody working on a computer simply shows a huge problem in the software architecture of your system.
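One of the cryptographic means mentioned above, as an added example (constructed for this page; it is not the page's own code and not any product's log format): a hash-chained audit log whose head hash is exported to somewhere the administrator cannot write. An admin with root can still edit the file, but every edit either breaks a link in the chain or moves the head away from the exported anchor. The caveat a practitioner should keep in mind: this is tamper-evidence, not prevention, and it is only as good as the anchor leaving the box before the admin gets to it. An admin who simply stops logging breaks no link; the sequence numbers in the records exist so that a verifier can look for gaps, which this example does not do. The names `AuditLog`, `verify`, `rechain` and `run_demo` and the sample events are mine.

```python
"""Tamper-evident, hash-chained audit log (constructed example)."""
import hashlib
import json

GENESIS = "0" * 64  # the chain starts from a fixed, public value


def _digest(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of everything before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only on the box; the head hash is exported somewhere else."""

    def __init__(self) -> None:
        self.entries: list[tuple[dict, str]] = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = _digest(prev, record)
        self.entries.append((record, h))
        return h

    def head(self) -> str:
        return self.entries[-1][1] if self.entries else GENESIS


def verify(entries, anchor: str) -> tuple[bool, str]:
    """Check every link, then check the chain ends at the off-box anchor."""
    prev = GENESIS
    for i, (record, h) in enumerate(entries):
        if _digest(prev, record) != h:
            return False, f"entry {i} does not match chain"
        prev = h
    if prev != anchor:
        return False, "chain head does not match exported anchor"
    return True, "ok"


def rechain(entries):
    """What a careful root-level tamperer does: recompute every hash."""
    out, prev = [], GENESIS
    for record, _ in entries:
        h = _digest(prev, record)
        out.append((record, h))
        prev = h
    return out


def run_demo() -> dict:
    log = AuditLog()
    # Constructed sample events, not taken from any real system
    log.append({"seq": 1, "who": "alice", "action": "login"})
    log.append({"seq": 2, "who": "root", "action": "sudo", "cmd": "cat /etc/shadow"})
    log.append({"seq": 3, "who": "alice", "action": "logout"})
    anchor = log.head()  # shipped off-box to a party the admin does not control

    # Naive edit: the admin rewrites entry 1 but leaves the stored hashes alone.
    naive = list(log.entries)
    naive[1] = ({"seq": 2, "who": "root", "action": "sudo", "cmd": "ls"}, naive[1][1])

    # Careful edit: the admin rewrites entry 1 and recomputes the whole chain.
    rehashed = rechain(naive)

    # Deletion: the admin drops the embarrassing entry and recomputes the chain.
    deleted = rechain([e for e in log.entries if e[0]["seq"] != 2])

    return {
        "untouched": verify(log.entries, anchor),
        "naive_edit": verify(naive, anchor),
        "rehashed": verify(rehashed, anchor),
        "deleted": verify(deleted, anchor),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The verification has to run with the anchor, i.e. off the administered box; run on the box with the local head, the rehashed and deleted variants would verify fine. That is the difference between a mechanism that constrains the administrator and one that merely asks for trust.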

Law #7: Encrypted data is only as secure as the decryption key

A decryption key recovers the original text from an encrypted message. Decryption keys are not secure by themselves; they need to be protected, and there are ways to steal them. The facts: yes, key management is a problem. But what about smartcards? And why is key management such a problem on PCs? Because a PC with the typical OS running on it has trouble keeping keys secure: every program the user runs can read the user's files, and therefore the user's keys. No ways to attack stored keys are given.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

A virus scanner detects viruses. New viruses show up every day. The virus scanner needs to learn about the new viruses. Updates are the mechanism of choice to do so, and the more often the better, because of the many new viruses that show up every day. There is a period of time between the appearance of a virus and the time the scanner learns about it. During this period the system is utterly defenseless and helpless against the new virus. No explanation is given why that is so. I have explained many times why malware is dangerous because of bad software architecture and will not repeat myself here. The "law" simply restates that virus scanners are the defensive measure of choice against malware, which is utterly wrong from a systems perspective. And why would a virus scanner be out of date? Yes, because of the brainless user again! Did he forget to update the scanner? Did he get careless? Why don't the vendors install updates automatically? Why do we have to confirm something that cannot be our concern anyway? It is to keep up the illusion that the security of a system is the business of the user. It is not. It is the business of software architecture and therefore of the software vendors of operating systems.

Law #9: Absolute anonymity isn't practical, in real life or on the Web

The interpretation of this law depends a lot on how one reads "not practical". Does it mean "not possible" or "not useful"? Depending on the answer, this law is either an attempt to defend the way Windows betrays its users with respect to their privacy (see the Garfinkel thesis on usability and security for more information) or a rather useless statement by itself.

Law #10: Technology is not a panacea

It assumes there are problems which won't be solved by technology. Again, either a rather pointless statement or, in the context of the whole text on "laws", an attempt to emphasize the user's responsibility for the security of his computer system. I bet the Microsoft employees perform a brake check, engine check and lights check on their vehicles every morning; we know, technology is not a panacea.

This text on "immutable laws" is another case of Microsoft trying to put the blame for its security vulnerabilities on somebody else's desk. The first approach was putting the blame on the user and her lack of education in computer security. I have written about this in "security and usability", and the 10th BSI Security Conference was a good place to see this argument at work. (The user needs to be taught about malware, viruses, trojans etc. Sure, brake maintenance, head gaskets etc., that's what you learn when you buy a car?)

Now they are not even satisfied with putting the blame on the user. Now they need IMMUTABLE LAWS saying that operating systems always show all-or-nothing behavior towards failures and attacks, that no crypto survives physical tampering, and so on. But by now you are hopefully aware that those statements come from the marketing department of Microsoft and are not backed by engineering laws at all.

There is something to learn from those "laws": every security statement that involves COMPUTING MECHANISMS depends on the system context. The expression "immutable" is both ridiculously wrong in general and sadly true with respect to one particular operating system security architecture: for an OS that uses ACLs and tons of ambient authority, the laws mentioned above truly ARE IMMUTABLE. For a better architecture they are not, of course.

The whole thing shows nicely how business interests, technology, users and arguments form what in other contexts is called ideology. Here it is the ideology of a computer system being necessarily helpless, the ideology of all-or-nothing security of an operating system. And as is always the case with ideologies, current practices reinforce and confirm the mechanisms behind them. Using virus scanners? Of course, what else should a clever computer user do? Updating (and paying) frequently for fixes of security faults? Of course, otherwise the immutable laws will hit me. Not running "untrusted" software? I mean, you do know whom you can and should trust?

Only when the assumptions BEHIND those laws are uncovered does the ideology become visible.