Risk Management
One of the things we’re not very good at, in general, is assessing risk.
We saw how that all played out during the covid farce when people went a bit loopy. To be fair, a large part of the blame for this can be placed on governments, the media and the evil corporate blob. We were saturated with propaganda, with mis-, dis-, and mal-information.
The correct information, that would have helped people to come to a better assessment of risk, was suppressed and those who supplied it kicked off the platforms that would have allowed it to disseminate more widely.
The world of security, in my view, is almost entirely about risk management.
When you’re designing any security system, or process in which security is necessary, one must
Delineate the threats
Assess the likelihood of each threat
Asses the consequences should that threat be realized
It can be a complicated process. It’s usually somewhat iterative, too. It’s usually almost impossible to list all of the possible threats. There will, inevitably, also be new threats that emerge as people figure out new ways to ‘get around the system’. You have to continually assess and monitor things.
Perfect security is a myth.
The basic idea with security is that you want to make any possible attack ‘not worth doing’.
In crypto, for example, you try to design an algorithm so that the fastest possible attack is a brute force attack. This is an attack which simply cycles through all the possible ‘keys’. If you then make your key large enough you will force the attacker to spend too much time on this process.
If you have an electronic door lock you could have a 4 digit code. Someone trying to get into your house through the door would have to try up to 10x10x10x10 = 10,000 combinations in order to get in that way1. If you use an 8 digit code that number of tries jumps up to 100 million.
But such a lovely gee-whizz electronic lock gizmo is bugger all use if you leave your bloody windows open.
You can put in the world’s best crypto so that pretty much nobody is able to read the messages you send in transit, but if you allow your employees to install whatever software they like onto a computer connected to your internal network, then you’re leaving your bloody windows open.
We’re used to TV shows and movies in which some desperate chase to protect (or destroy) some ‘code’ occurs. Some algorithm that can ‘break’ any crypto, for example. We don’t want that to fall into the hands of the baddies, do we?
But security is not all about secrecy, and nor is it all just about crypto.
In broad terms the 2 things we’re concerned about are secrecy and authentication. Again broadly speaking we can classify these necessary things as follows
Secrecy : determines who can read a message
Authentication : determines who can send a message
If you’re paying a bill online, for example, you want the transaction to be secret. The only people who can ‘read all about it’ should be you, the payee, and the respective banks.
But you also don’t want the following to be possible. You don’t want someone to be able to tinker with that message, even if they can’t read it.
You definitely don’t want someone to be able to change the payee account number, even if they can’t read what that account number is.
This example gives us a nice illustration of the difference between secrecy and authentication.
Many of us are focused on elections at the moment. We’ve got one coming up next week in the UK. The dreadful performance of the Cadaver-in-Chief in the recent presidential debate in the US has somewhat focused people’s minds about the elections in the US in about 5 months’ time.
Elections are almost, but not quite, entirely about authentication. The secrecy comes in from the requirement that we need our votes to be anonymous. The threats here come from any number of coercive measures that might be applied should it be possible to find out how someone votes.
The only person who can ‘read’ the information “person A voted for person B” should be person A. Everyone (if you want things to be open and fair) should be able to ‘read’ that person B was voted for, but not who casted that vote.
So, what are the primary authentication requirements for an election?
Only those eligible to vote can vote
Person A cannot use person B’s vote - even if both parties are actually eligible to vote
A vote, once cast, cannot be changed either by error or fraud
The vote tally must be accurate and must consist of only those votes cast during the election process
Someone who has already voted cannot vote again
Once you have a list of the things you’d like to achieve with the process, you can then start figuring out the how.
It does not take a genius to figure out that, in security terms, things like no voter ID requirement and mass mail-in ballots, are a non-starter. If you have either of these, you cannot claim your election is secure. At all.
It is utterly baffling to me, as someone who used to work in the security field (crypto, public key infrastructures, electronic voting, etc) how the 2020 US election could have been claimed to have been the fairest and most secure ever in US history, which some did.
Good Lord. What on earth were the other elections like?
It’s truly mind boggling.
The existence of security flaws a mile wide does not, of course, automatically mean that someone actually drove through the gaps. There are, however, a number of indicators with the 2020 election in the US that these vulnerabilities were indeed exploited and in sufficient numbers to affect the result. I can’t say for definite, but there’s certainly enough doubt there for me to question the result, especially given the clear and manifest security flaws.
If you try to think of how you would achieve those voting goals for any length of time you will realize that in-person voting, with voter ID being required (and checked), on ballot papers handed out at the polling station, with a known number of secure ballot boxes with the votes cast counted on the day at the polling location, with the whole process being overseen by observers, comes decently close to meeting the requirements.
Indeed, it’s extremely hard (and maybe impossible) to think of a better way of doing it.
Postal votes, whilst necessary for those unable to get to the polling station, should be seen more of as an exception rather than the rule, and extra authentication processes need to be put in place for them.
The motives of anyone who argues against the voting requirements above, or weakens the security of an election process, are extremely suspect.
We are exposed to risks every day. We recognize and accept that risks cannot be entirely eliminated and so we do our best to minimize risk where necessary. Driving, for example, carries an obvious risk. We try to minimize those risks by not driving like a dickhead, having a well-maintained vehicle, and doing things like taking a break when we feel we’re getting tired. And so on.
If you leave your front door unlocked you are increasing your risk of being burgled. You cannot claim you were ‘secure’ on the basis that, yes, you left your door open but you weren’t burgled. You were just lucky2.
Why deliberately increase your risk?
Sometimes we decide to do just that. Few of us would want to make the maximum speed limit 20mph everywhere in the UK. Sure, it would greatly reduce the risk of a serious outcome should an accident occur. A collision at 70mph is a very, very, different prospect than one at 20mph. But we weigh up the costs and benefits and decide, on balance, that the elevated risk we face on faster roads is worth it.
Contactless card payments increase your risk of losing a smallish amount of money should your card be stolen, for example, but we’ve decided that the convenience benefit is worth it - or, at least, we’re not making much of a fuss about the elevated risk here.
I’ve been told that eating bacon might ‘double’ my risk of a heart problem. That sounds pretty dire, but if it’s doubling a risk of 0.01% to 0.02% then it’s fair to say I’m going to keep munching my way through the odd bacon butty.
So, the question of risk and what we do about it is very context-dependent and often subjective. There’s no ‘magic formula’ that can be applied for every situation.
Being psychotically ‘risk averse’ - which pretty much describes the behaviour of a lot of people during covid - is no way to live. You can be like this, if you want, but you may as well emigrate to Canazida and MAID yourself if you’re going to ‘live’ like that.
The other area where the issues of risk management come into play is women-only spaces. The UK Labour party is currently being asked some rather pointy out pointed questions about whether men should be allowed into the ladies’ loos. It won’t be enough to change the vote, or the election outcome, but many more people than Sir(vix) Starmer thinks are angry about Labour’s refusal to stand up for the rights of women properly.
Watching him prevaricate on the issue and vomit platitudinous bullshit about “respecting the dignity of everyone” and the like is doing nothing to reassure the majority of people in the UK who, despite what organizations like the BBC try to tell you, definitely do not think women have todgers.
David Lammy, who will likely be the next Foreign Secretary for the UK, recently said that it was his understanding that men can have a cervix installed “following various procedures”.
It’s not fucking air conditioning David, you prune.
This year I’ve saved up to have double glazing and a cervix installed?
These people seem to have no clue what the function of a cervix is which is to act as a conduit between the vagina and the uterus3. It ain’t just a fleshy ‘tube’, it’s an important gatekeeper. Perhaps we need something similar outside the ladies loos?
The ridiculousness of it all is infuriating.
As is the level of ‘debate’ on the GenderWoo side of things. The issue when it comes to ladies loos is, quite simply, another one of risk management.
It is clear that allowing any man who SELF-identifies as a ‘woman’ into women-only spaces represents a significant elevation of risk for women. There’s no question about that.
Just like allowing people to ‘self-identify’ as a legitimate voter.
But the sneaky freaky fuckers on the GenderWoo side of things try to tell you that it’s all about the very small number of people who have a serious mental condition known as gender dysphoria. No, no, and no.
By enabling self-ID you are enabling any sick predator or perv to invade a woman’s intimate space just by the simple expedient of declaring themselves to be a ‘woman’.
Of course, those people with real gender dysphoria who have ‘transitioned’ do not represent a significant extra risk to women in such spaces. We’re not talking about them, though.
It’s the same argument around why we have women-only spaces in the first place. The majority of men will not pose any danger to women in such spaces, either. But there’s no ‘test’ you can do to tell which are the safe vs unsafe men - and that’s why all men have been excluded from such spaces.
It’s interesting that this “old-fashioned” way of doing things provides a kind of implicit test. Any bloke who wants access to the ladies loos fails this test.
Yes, men can be gross pigs who are often driven a bit overmuch by their trouser tyrants. But the vast majority of men do not actually want to make women feel uncomfortable - we’re just a bit shit at figuring out why what we do sometimes makes women feel uncomfortable.
Self ID, be it in the claim to be a ‘woman’, or in the claim to be a legitimate voter, is an extraordinarily bad idea and it elevates the risk no end.
The old principle of “it’s always in the last place you look” applies here. Well, of course it bloody well is. What you gonna do? Carry on searching after you’ve found what you’re looking for? So, getting into a house by trying out 4 digit door combinations will not, on average, take you 10,000 goes.
Depends where you live, of course.
My uterus installation will have to wait to next year until I’ve saved up a bit more
I'm going to be boring:
4. Assess cost of 1-3 and preventing/mitigating the event.
Reason being, if the cost of protecting something is greater than its worth, you're doing it wrong.
Example:
You can have your eight-digit code, locked windows, and good security. Then I come along with my coolant spray-can, hammer and chisel, and a hinge-breaker and ignore your locking mechanism. There's not one place I've worked at, schools or other places, that I couldn't jimmie the lock or in other ways gain access in under a minute if prepared - without breaking windows.
Alarms and sensors can be spoofed or disconnected. Yeah, they'll send a car round to check. Maybe reset the alarm.
You think they'll do that the tenth time it goes off in the same night? Nope. They disconnect it and notify the techs, who'll pop around at nineish the next day, at earliest. Unless it's a holiday, then the alarm will be off until next weekday.
Speaking from experience, you need far fewer tries than 10 000. About twenty-thirty will do it, most of the time If:
The keypad has metal keys. Lean in close and breathe on it. Unless it is cleaned every day, fat from the fingertips of anyone entering the code will show up, because your breath will condense differently, giving you 4 numbers (or fewer, if a number occurs more than once in the code).
Your typical locker has an bolt going through the door with a flange fitting into a slot in the side of the locker, right? So, put a 4" metal bar (piece of rebar f.e.) through the lock and twist counter-clockwise; you'll easily turn the entire thing in the door. Takes about 5-10 seconds.
Or, if it's the kind of lockers schools favour for storing students' laptops, just turn the entire thing out from the wall so the back is clear. Most such lockers only have the top and side plates folded over the back plate to keep it in place - unfolding you can do with a metal butter knife, or a proper tool. Then peel the back off.
Sorry, I may have missed your actual point, getting locked in on the wrong stuff maybe, but there's a point to it: the tech is never better than the brain using it.
After 25 years in mission critical military software engineering I needed a change. After a chat with The Boss, I took on a new role aimed at improving our corporate cyber security posture. At the end of that period, our top national domestic security agencies stated that we were worldwide exemplars for cyber security. Far more so than our major banks and government departments, for example.
I was pleased with myself, but along the way had to deal with events such as the employee who, being bored at lunchtime used his best efforts to covertly install a computer game he'd downloaded off the net onto our internal network. This game contained Chinese malware of course, and set off alarms like atom bombs at our network perimeter as soon as it tried to connect to the mothership. He left our employment shortly thereafter.
Then there was the time I had to provide a security lecture to the CEO of one of our smaller suppliers. They had Nigerian malware on their internal network, which intercepted an invoice being prepared. The bad guys changed the payee details to their own bank account, and payment of nearly $100K went to them instead of to the supplier. The content of the lecture was "This is why you didn't get paid. Tough shit. Be more careful in future".
I could go on and on for hours...NorK spooks approaching our staff (and me!!) under the guise of being Brits looking for work etc...
Most civilians have no idea what a fantastically dangerous place the internet is.