[cryptography] philosophical question about strengths and attacks at impossible levels

Ian G iang at iang.org
Fri Nov 19 23:41:12 EST 2010


On 20/11/10 2:10 PM, James A. Donald wrote:
> Ian G wrote:
>> On this I would demur. We do have a good metric: losses. Risk
>> management starts from the business, and then moves on to how losses are
>> affecting that business, which informs our threat model.
>>
>> We now have substantial measurable history of the results of open use
>> of cryptography. We can now substantially and safely predict the result
>> of any of the familiar cryptographic components in widespread use,
>> within the bounds of risk management.
>>
>> The result of 15-20 years is that nobody has ever lost money because of
>> a cryptographic failure, to a high degree of reliability.
>
> How about all the money lost because Wifi security does not work?

Yeah, good point...

I would say protocols like that are outside "open crypto".  Wasn't wifi 
security put together by closed industry cartels?  IMHO, they've been 
repeatedly shown to have not done a good job.

(Having said that, yes, it is an arguable boundary, "open crypto" versus 
other stuff.  Perhaps the point is to say that the job is done properly? 
But that is circular and won't support my claim.)


> If the administrator selects encryption for the wifi network, follows
> good practices with passwords, and yet attackers get in, is that not a
> cryptographic failure?

It sucks.  It sucks so badly, I decided in future that the only moral 
and ethical way one could use the words encryption or security or the 
like in any conversation was if the following were the case:

     there is only one mode, and it is secure.

What you describe is a non-secure system.  A wifi that can be configured 
to not use encryption?  That's funny, did they pay for that? :D

> A common, perhaps the most common, attack on corporations is to get
> inside the corporate network through wifi, then mount an sql injection
> attack on the corporate database, then steal the corporate database.
> This often causes extremely large monetary losses.

Right, that's now beginning to emerge.  I don't know if there are any 
reliable statistics or measurements on how much money is lost because of 
"WiFi security", but if we were to attribute the Gonzalez case to poor 
quality of wifi security entirely, then we're "in the money."

http://financialcryptography.com/mt/archives/001294.html
http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?_r=2&pagewanted=all

Unless the wifi was configurable, that is ... in which case, well, 
that's silly.



iang