Jeff Duntemanns Drive-By Wi-Fi Guide

A Matter of Trust

Any security system requires two kinds of trust: Trusting technology, and trusting people. Not just other people, either. It often requires trusting yourself to follow your own procedures, which isn't always easy when time is short and the swamp isn't cooperating with your efforts to drain it. If either the technology or the people violate that trust, security weakens, and if the bad guys learn of that weakness (and understand how to exploit it) the security system will fail.

Trusting technology is problematic for several reasons:

• We don't always sufficiently understand the details of the technology we are called upon to trust, which makes it hard to fulfill our part of security's bargain.

• We often attempt to use technology for purposes it was never designed to fulfill, because it's cheaper or easier (or both) than buying or building technology appropriate to the challenge at hand.

• Technology always contains flaws that even the experts (and its own creators) don't know are there until someone finds them.

• Technology advances, and new technology regularly appears that renders old technology ineffective (whether or not it has serious flaws) and thus unworthy of trust.

• Even if subverting a trusted technology is initially hard and requires an expert, technology can automate any difficult process so that anyone can do it. In other words, breaking a trusted technology only has to be done once.

Trusting people is problematic for different but equally important reasons:

• People don't always do what they're told, even when it's in their interest and they know what to do and have done it for a long time.

• People are not always given sufficient information and/or training in how to do what they must do to participate in a secure system.

• People sometimes tell lies about their own loyalties and agendas, and betray trust that has been granted to them.

Let's talk about these points in greater detail, because you know that's where the devil always hides.