RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 06/19/05

    To: "Bill Royds" <broyds@rogers.com>, "'George Capehart'" <capegeo@opengroup.org>
    Date: Sat, 18 Jun 2005 21:07:45 -0400
    
    

    Bill Royds wrote:
    >The problem is that people have never truly analysed trust in a systematic
    >mathematical way.

    Actually, they have. There are a lot of folks who were thinking of
    this stuff back when I was learning to walk. There are excellent
    papers and research on the topic; Ken Thompson's Turing Award
    Lecture ('on trusting trust') is a classic many of us are familiar
    with (http://www.acm.org/classics/sep95/) that describes some of
    the transitive trust problems in software. The Orange book guys
    and the early designers of multi-level secure systems also
    made interesting discoveries on trust (namely "classification creep").
    There were several research projects (Truffles and Ficus) that
    dealt with trust issues in shared collaborative networked filesystems,
    etc. Peter Neumann has written some really interesting papers
    (large!) on composable trusted architectures - trusted building
    blocks. And so on...

    The problem is not that people have failed to think about trust; the
    problem is that (once again) computer "scientists" have utterly
    failed to examine the good thinking that has gone before them,
    preferring instead to pursue the science of producing 3d dancing
    pigs and fancy desktop widgets instead of actually thinking about
    what they're doing.

    >Trust is assumed to be a transitive property when it obviously is not.

    Here I get to channel for Peter (since he doesn't follow this list):
    Do you mean Trust or Trustworthiness?

    Trust is transitive. Trustworthiness is altogether a different proposition.

    >If Alice
    >Trusts Bob and Bob trusts Charles it is not true that Alice should or would
    >trust Charles. Trust is not even transitive. We seem to see it as a simple
    >relationship when it is not even well understood at all.

    Yup.

    > There has recently been
    >some theoretical work on trust algebras (see
    >http://security.polito.it/cms2003/Program/Roessler13/1Roessler.pdf or
    >http://security.dstc.edu.au/staff/ajosang/papers/algcert.pdf for example) but
    >little of it has filtered into actual practice.

    Cool.. Reading now... Looks like their perspective is that Trust
    and Trustworthiness are a matter of degree. I think that's a terminology
    issue, but I'm kinda sticking with "Trust" as a platonic ideal - the
    absolute, uber-Trust 100% Good Stuff. Everything else is "acceptable
    risk"

    Y'know it occurs to me that one metric by which we might be able
    to tell that "computer science" and computer security have matured
    somewhat as a field is the eventual acceptance of a body of classical
    knowledge that a practitioner must be familiar with, in order to avoid
    being laughed at. Other than Denning and Cheswick/Bellovin/Rubin
    and maybe Schneier I'm coming up dry. Hmmm...

    > Yet we are building whole
    >financial edifices on completely flawed understanding of how to use distributed
    >trust.

    What do you mean "We" kemosabe? ;)

    mjr.
