Is Computer Security a Pseudo Science?

A major paper trying to explain why security experts have so frequently failed. secure_insecure

 

Cormac Herley: The Unfalsifiability of Security Claims paper /slides.

It starts with a great classic, Karl Popper philosophy of science which would be the basis to say “security” is some sort of pseudo-science. We read that “there is no empirical test that allows us to label an arbitrary system (or technique) secure”.

Really?

I thought the same for the last 20 years, but in fact, well, possibly there is one.

As long as MONEY is stored in computer systems in terms of private keys [e.g. bitcoins] it is that either these bitcoins will be stolen OR the system is secure or secure enough [for short or medium term]. This combined with reputation of vendors, developers and scientists could win us the repeated game: achieve secure systems.

One problem however is that reputation of these people is at all times low due to the Snowden scandal. We are today more relucant to trust experts and vendors.

Here come bets, crypto challenges and prediction markets. It is one thing to claim that something is secure, another thing is to bet money on it. The problem maybe is that until now experts and developers had no incentive to get it right or to be right. Many have been corrupted or manipulated to give wrong security advice. Bad security advice and misplaced priorities has in my opinion been the primary activity for decades, in bitcoin, linux, mainstream crypto community, etc.

Bad News?

Going back to the paper the author also claims that “errors accumulate” and that we can be even “blind to danger”… Interesting.

  • Yes, most people who use bitcoins, ignore blissfully what is secp256k1. Even experts do not know how dangerous it is to use this curve.
  • Waiting for the next security scandal. As I was writing these words, some 50M$ have been stolen from DAO token holders.

Leave a Reply

Your email address will not be published.