Bright Stove

Reflecting information risk journey

On “Has the entire AV industry been wrong since its start?”


I have not been using Windows Live Writer for a while since trying out the beta version. On running it again today, after installing the release version, I discovered that I had the blog below drafted but not completed and published. It is great that the Writer application didn’t simply discard the old data associated with the beta version. So, here’s the long overdue one to share.

Sep 12, 2007. I just came across this article, which commented on Joanna Rutkowska’s comments about the ineffectiveness of AV approaches today, and that digital signature is the way to go:

Has the entire AV industry been wrong since its start?

This is another classic "silver bullet" idea, or, in a Chinese saying, a "Xian Dan" (仙丹) that can get rid of and prevent all kinds of illness. Unfortunately, the nature of information security is that it exists as part of a larger system, and as the threat environment and the technology, process, and people aspects of the system change, the security requirements change. A solution today may even become a vulnerability tomorrow. There’s no silver bullet.

Take the proposed digital signature approach, for example. A digital signature relies on cryptography, and more commonly, public key cryptography. Public key cryptography depends on the security of a mathematical trapdoor that can only be unlocked by the private (or secret) key. If the trapdoor can be found without using the private key (as some public key cryptographic algorithms were cracked before, such as the Knapsack Cipher), the system breaks. As such, there’s a dependency involved, and therefore an associated risk to be considered. There is no perfect solution. The approach, I would think necessary, is to always be prepared for potential failures. Understand how failures may occur, and determine the triggering events that we need to monitor so that we can respond at the earliest moment, in the most effective manner. Technology, or security techniques, should not be the starting point for evaluating security problems. Understanding the security problems should be the starting point.

Written by mengchow

January 21, 2008 at 4:41 pm

Posted in Risk Management
