On Sat, 21 May 2005 06:36:29 PDT, Nora Barrera said:

> What's the use of security functions if they can be circumvented?

Rule #1 of security: It's never perfect.

Rule #2 of security: It's stupid to spend more effort on security than you need to.

Rule #3 of security: Good security features raise the attacker's cost faster than they raise your cost. Bad security features are the opposite.

Rule #4 of security: The "right security" is that set of features which raises the attacker's cost to equal the value of the target, while having the lowest total sum cost to you.

Almost all bank vaults have security functions (big lockable doors, solid walls, and so on). The fact that they are still circumventable doesn't mean they're useless. If the bank has (for instance) an average of $150K in the vault at a given time, they don't need perfect security - they only need enough security so it costs an attacker at least $150K to break it.

Yes - there's probably some psycho asshole bank robber who will attack the bank *anyhow*, even if it costs him $250K and he ends up $100K in the hole. Since it's going to cost you a lot *more* to stop the $250K attack, your best bet at that point is to quit improving the security any further, and just shell out the $5K/year in insurance premiums to cover the bank's losses. ;)

(This also explains why major branches that may have $3M in cash have lots more sophisticated vaults than tiny branches, which tend to the wimpier vaults...)

Why is the credit card system basically insecure? Because the banks have figured out that if they spend $X, the fraud rate will be 3%, but to push it down to 1% would cost a LOT more $X. What maximizes their return seems to be spending enough on security to keep the fraud rate around 2%.

Schneier's "Secrets and Lies" has a lot more good stuff to say about this...
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
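The cost/benefit argument in the post above, worked through as an added example that is not part of the original message: rule #3 as a filter on individual features, rule #4 as a search for the cheapest feature set that prices out a rational attacker, and the credit-card case as a choice of spend that minimises spend plus expected fraud loss. All dollar figures and feature names are constructed for illustration, not taken from the post.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Feature:
    name: str
    your_cost: float      # what it costs you to buy and run the feature
    attacker_cost: float  # how much it raises an attacker's cost to defeat you


def is_good_feature(f: Feature) -> bool:
    """Rule #3: a good feature raises the attacker's cost faster than yours."""
    return f.attacker_cost > f.your_cost


def right_security(features, target_value):
    """Rule #4: the cheapest set of good features whose combined attacker cost
    reaches the target's value. Exhaustive over subsets, which is fine for a
    short candidate list. Returns (chosen features, your total cost), or None
    if even every good feature together cannot reach the target value."""
    good = [f for f in features if is_good_feature(f)]
    best = None
    for k in range(len(good) + 1):
        for combo in combinations(good, k):
            if sum(f.attacker_cost for f in combo) < target_value:
                continue  # a rational attacker still profits; keep looking
            cost = sum(f.your_cost for f in combo)
            if best is None or cost < best[1]:
                best = (combo, cost)
    return best


def best_fraud_spend(options, annual_volume):
    """The credit-card case: pick the (spend, fraud_rate) pair that minimises
    spend plus expected fraud loss, not the one with the lowest fraud rate."""
    return min(options, key=lambda o: o[0] + o[1] * annual_volume)


# Constructed bank example (hypothetical figures, not from the original post).
BANK_FEATURES = [
    Feature("vault door", 20_000, 100_000),
    Feature("alarm", 5_000, 40_000),
    Feature("cameras", 10_000, 30_000),
    Feature("24h guard", 60_000, 50_000),  # fails rule #3: costs you more than it costs the attacker
]

if __name__ == "__main__":
    chosen, cost = right_security(BANK_FEATURES, 150_000)
    print([f.name for f in chosen], cost)
    print(best_fraud_spend([(1_000_000, 0.03), (1_050_000, 0.02), (3_000_000, 0.01)], 10_000_000))
```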