From: Mok-Kong Shen on 31 May 2010 14:38

Gordon Burditt wrote:
>>> What is the legal status of such cases in other countries?
>>
>> While references to laws in other countries are awaited, the following
>> question seems also to be interesting:
>>
>> If in a concrete case the court (acting like in Germany) asks an expert
>> to testify whether the password involved is secure, how would he
>> proceed?
>
> If in a concrete case the court asks an expert to testify whether the
> bank vault involved is secure, how would he proceed?
>
> No bank vault is secure against a sufficient number of nuclear
> weapons (and for ones that aren't buried, 1 is likely to be
> sufficient). If it can be opened with a combination alone, the
> combination can be guessed. Some *unlocked* bank vaults are secure
> against 3-year-olds, who lack sufficient strength to open them.
> Security is a matter of degree, not an absolute.
>
> Sometimes a question as phrased has no answer, and an expert witness
> should ask to have the question rephrased, or refuse to answer on
> the grounds that he doesn't understand the question. Is the defendant
> evil? Is the defendant stupid? Is the defendant a jerk?

I would be interested anyway to see some arguments of security "parallel" to the case of the bank vaults in the case of passwords, despite there being clearly inherent differences. For that would be a good start for further fruitful discussions. I certainly don't assume that your last paragraph meant that the term "security of passwords" were scientifically undefined or ill-defined. So would some experts of the group "commence" to say something on the issue? Thanks.

M. K. Shen
From: Gordon Burditt on 31 May 2010 16:41

>>> If in a concrete case the court (acting like in Germany) asks an expert
>>> to testify whether the password involved is secure, how would he
>>> proceed?
>>
>> If in a concrete case the court asks an expert to testify whether the
>> bank vault involved is secure, how would he proceed?
>>
>> No bank vault is secure against a sufficient number of nuclear
>> weapons (and for ones that aren't buried, 1 is likely to be
>> sufficient). If it can be opened with a combination alone, the
>> combination can be guessed. Some *unlocked* bank vaults are secure
>> against 3-year-olds, who lack sufficient strength to open them.
>> Security is a matter of degree, not an absolute.
>>
>> Sometimes a question as phrased has no answer, and an expert witness
>> should ask to have the question rephrased, or refuse to answer on
>> the grounds that he doesn't understand the question. Is the defendant
>> evil? Is the defendant stupid? Is the defendant a jerk?
>
> I would be interested anyway to see some arguments of security
> "parallel" to the case of the bank vaults in the case of passwords,
> despite there being clearly inherent differences. For that would be
> a good start for further fruitful discussions. I certainly don't assume
> that your last paragraph meant that the term "security of passwords"
> were scientifically undefined or ill-defined.

If you mean that a password is either secure or it isn't, no middle ground, then I'd certainly say that the term is undefined or ill-defined. There is no absolute security.

> So would some experts
> of the group "commence" to say something on the issue?

If you mean to ask whether a password is secure or not, *AS A YES/NO CHOICE*, then the answer to the question asked is either that the question doesn't make sense, or "No password that can be guessed is secure".

You can make a reasonable *economic* argument for "adequate" security.

On the defender's side: How much will you lose if the password is guessed? How much does it cost for the password protection? How much does an equivalent amount of theft insurance cost? It's not reasonable to install a $5,000 lock to protect a piggy bank containing $5 for an attack lasting a year, but it is reasonable to install such a lock for a safe containing $500,000.

On the attacker's side: How much will the attacker gain if he guesses the password? How much will it cost the attacker to mount an attack? If it costs $5,000,000 in time and effort to mount an attack to steal $500,000, chances are the attacker won't bother. There are easier targets out there, and perhaps easier ways to get the money in the safe, such as bribing an employee for the combination.

In the case of open-access WLANs, the owner of the WLAN may lose almost nothing from an attacker using it, so not bother with a password which is "too much trouble". The attacker gets the use of the WLAN to spam, defraud, or whatever he does. The Internet at large loses a lot from the spam, fraud, and extra traffic.
From: Mok-Kong Shen on 10 Jun 2010 07:33
That the password issue in general remains unsatisfactory is reflected in recent articles, e.g. http://www.computerworld.com/s/article/9177780/Researchers_Poor_password_practices_hurt_security_for_all