Countermeasures That Can't Be Modeled

  2007-09-06

  21:53, by Hagai Bar-El, 800 words
Categories: Security Policies

A couple of nights ago I drove back from some family event and got pulled over by a cop. Okay, I agree that this in itself is not worth a blog post. The cop asked me to open the window, he looked at me, asked me where I come from and where I am going to, and sent me on my way, without even bothering to carry out the standard papers check. The entire event took no longer than two minutes.

What took more than two minutes was my discussion with my wife about whether or not this sort of “examination” is worth anything. She believes it is probably a waste of taxpayers' money to stop people just to ask them how they're doing. I happen to think that not only is this not a waste of money, but it's probably one of the most effective uses for this money; at least for the money that is devoted to security.

The cop couldn't care less where I am coming from and where I am going to. He wanted to sense how much discomfort I feel when having to face an investigation, and thus derive how much I have to hide. And yes, as unpleasant as it may be to admit it, he was also trying to figure out my accent. When a cop pulls you over, all he can really check is that you do not drive without a valid license, that you do not drive a stolen vehicle, and that you are not wanted. He cannot check for any other felony you may have been (or are planning to be) involved in. I would appreciate it if that cop did check the paperwork to verify these three items, but I do appreciate his exercising his only tool to detect anything else — the intuition of a skilled security person.

Many posts by Bruce Schneier and others elaborated on the importance of utilizing people's “gut feeling” for security purposes, especially when these people were trained for such things. But why is this so effective?

One of the reasons must be that it can detect, or at least give signs of, wrongdoing that is not detectable by other means. A terrorist may be picked out of a crowd even if he does not hold any one of the materials that are typically searched for. A second reason is that it saves time. Have a look at the security lines at the airport to see how much time and effort intensive screening can take. You really do not want to face this screening procedure upon entering each and every public area. The third reason is more interesting: this countermeasure is one that is hard for the opponent to model.

Typically, the good guys come up with some countermeasure, and the bad guys try to find ways to circumvent it. It's true for information security and it's true for security in general. One of the prerequisites for the attacker when countering a countermeasure is that he knows how it works. It's extremely difficult to counter a measure that you know very little about. We usually do not pay much attention to this fact because in security, computer and otherwise, we seldom have this privilege. The attacker always knows what we invented. If we do not make this knowledge assumption about the attacker, let alone if we specifically assume that the attacker has no visibility of whatever we're doing to protect the asset, then we are accused of relying on security through obscurity, and rightly so.

Having the attacker unable to model your countermeasure is good, but it's a situation that is hard to come by. When dealing with computer security, nothing can really be hidden for long, at least not in commercial applications. We thus denote our hidden mechanism as obscured, which is not really the same as unknown. Obscurity is our illusion of the attacker's inability to model our countermeasure. Since the design of the countermeasure is always bound to leak, be reverse engineered, etc., assuming the attacker will never have enough information to model our countermeasure is irresponsible.

But intuition does not fall in this category. If intuition were taught in school, then we could have considered intuition-based countermeasures as something that in the best case can be “obscured”. As long as intuition is a natural, largely un-modeled, individual trait, the attacker's lack of knowledge of how it works is not merely obscurity. Rather, it is somewhat closer to entropy, that is, to “proven” lack of knowledge. The opponent's lack of knowledge of the countermeasure gives it a higher potential success rate than that of many other countermeasures that are equally known to both parties.

I am happy that the cop focused on something that has better chances of actually working. One other good thing is that he didn't notice I was speeding.
