Countermeasures to Wishful Thinking: Bahrain Lecture

Bahrain talk (2006)

A lecture by Roger Johnston, Ph.D. of Argonne National Laboratory. He discusses common myths (wishful thinking) in the following areas:

 security maxims (there’s no free lunch)
 high tech ≠ high security
 inventory ≠ security
 RFIDs & CMBs
 tamper-indicating seals & cargo security
 tamper-evident packaging
 biometrics & access control systems
 counterfeiting security devices
 data encryption/authentication
 polygraphs
 “security in depth”
 effective vulnerability assessments

Some of his security maxims, as presented in the talk:

1. Infinity Maxim: There are an unlimited number of vulnerabilities, most of which will never be discovered (by the good guys or the bad guys).

2. Arrogance Maxim: The ease of defeating a security device is inversely proportional to how confident the designer, manufacturer, or user is about it, and to how often they use words like "impossible" or "tamper-proof".

3. High-Tech Maxim: The amount of careful thinking that has gone into a given security device is inversely proportional to the amount of high technology it uses.

4. Low-Tech Maxim: Low-tech attacks work (even against high-tech devices).

5. Yipee Maxim: There are effective, simple, and low-cost countermeasures to most vulnerabilities.

6. Arg Maxim: But users, manufacturers, and bureaucrats will be reluctant to implement them.

7. Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders.