Aswad
Posts: 9374
Joined: 4/4/2007
Status: offline
|
That's not the only elephant in the room, and it's probably the best understood one.
Encryption is theoretically sufficient, if proven techniques are used. Practically, however, you also need to access the data, and the encryption happens in real software on real hardware in real locations. That affords ample opportunities for data to be compromised, if one forgets about the difference between theory and practice, or fails to deal properly with the practical side of things. That, of course, was the problem with the Schengen database. It was encrypted, certainly. But neither key management infrastructure nor access infrastructure were adequately secured.
Also, there is a tendency for management to override technical decisions on political grounds. Some manager owns stock in a company, or has a friend in a company, or has constituents from a region where the company is a major source of tax income and/or jobs, and decides to use the solution that company is peddling. The professionals tell them the product is a closed solution that can't be verified as to its quality and that a quick analysis of what little one can access indicates there are probably serious flaws in the product. The manager insists on going ahead with using the inferior product, and notes that there will be serious repercussions for alerting upper management to the planned weak spot in the solution. Security gets breached as a consequence of using the inferior product, the technical staff gets slammed, middle management gets promoted, and upper management is mystified, while media propagate the nonsensical idea that it's impossible to avoid the problem, allowing management to continue getting away with sabotaging the work.
This is part of why I'm rather explicit in my contracts. I'll stand for my own mistakes, and the mistakes of a subordinate, but I'll not stand for the mistakes of a superior. Nor do I respond well to threats, so I prefer to be clear up front on what the lines of communication and decisionmaking are. If upper management doesn't want to know that there's problems, they don't get to know. If they want to know, they will know. Places that won't agree to clarifying the terms of my work there aren't worth working for. It'll always come back to bite you on the ass, otherwise.
Anyway, yeah, while encryption is great in theory, it's only a tiny piece in the puzzle, practically speaking.
As usual, the problems are human, as are the solutions.
IWYW,
— Aswad.
P.S.: Have you been reading the visions Selmer Bringsjord has been pushing at Congress?
ETA: The petition to pardon Snowden (link). Just realized I haven't posted it here before.
< Message edited by Aswad -- 6/22/2013 2:36:20 PM >
_____________________________
"If God saw what any of us did that night, he didn't seem to mind.
From then on I knew: God doesn't make the world this way.
We do." -- Rorschack, Watchmen.
|
RE: An example of why modern 'national security' databa... - 
Profile
New Messages
No New Messages
Hot Topic w/ New Messages
Hot Topic w/o New Messages
Locked w/ New Messages
Locked w/o New Messages
Post New Thread