Tag Archives: design principles

Ross Anderson and another edition of Security Engineering

Every cybersecurity professional knows – and almost certainly owns – this book. Ross Anderson published the first edition back around 2001. He’s starting a third edition and is using an on-line collaborative model for developing revisions. He has already posted drafts of a few revised chapters.

Ross recently pointed out a disappointing result from Edward Snowden’s releases of NSA classified documents: most published analysis has been reportage. No one has done a “deep dive” into the technical aspects of what was released. This would probably still be of technical interest. It astonishes me every day how, despite perceived ongoing radical improvements in technology, things don’t really change that much.

The Six Types of Cyber-Risks

My textbook lists categories of cyber-attacks that focus on an attack’s lasting impact: how does it affect the target’s assets and resources? Since the categories reflect the attack’s impact on the target, they really represent risks. Here are the categories I use right now:

Denial of service – Pillage – Subversion

Masquerade – Forgery – Disclosure

This is a work in progress as I figure out some conceptual ideas.


The Apple case isn’t “privacy” versus “safety”

The current fight is about whether we will impose a technological infrastructure which will be exceptionally vulnerable to attackers in order to provide nothing more useful than some very, very short-term advantages to people investigating crimes.

Let me say it differently: We put everyone in danger if we weaken cybersecurity. We only help a few detectives in a few investigations.

I don’t want hackers playing with my home thermostats, my car’s computer, my water or electric utility systems, or financial computers. If we make it convenient for police to reach into our computers, we also make it easy for hackers. This threatens people’s lives directly.


Example of KISS

Ok, this is a backwards observation.

One of my hot buttons is to spot “cyber security principles,” that is, general but pointed observations on how to improve cyber security.

A long-held principle is “Keep it Simple, Stupid.” Thanks to Moore’s Law and the constantly falling price of ever bigger, faster, and more complex tech, no one puts much effort into keeping things simple. The extra features draw more customers even if they make the tech more fragile.


GUIs: Control, Conveyance, Continuity, and Context

I’m a sucker for basic principles distilled into pithy prescriptions.

A freelance writer, Brian Boyko, has distilled the basic features of graphical user interfaces (GUIs) into four principles: Control, Conveyance, Continuity, and Context. He uses them to structure a well-reasoned though shrill critique of Windows 8.
