Security Maxims from Roger Johnston, Ph.D., CPP Argonne Vulnerability Assessment Team Nuclear Engineering Division Argonne National Laboratory U.S. Department of Energy (D.O.E.)
- Leo Laporte
Maxim I: Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys). Comment: We think this, because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa.
Maxim II: Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.
Maxim III: Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”.
Maxim IV: Be Afraid, Be Very Afraid Maxim: If you’re not running scared, you have bad security or a bad security product. Comment: Fear is a good vaccine against both arrogance and ignorance.
Maxim V: So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.
Maxim VI: Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it. Comment: Security looks easy if you’ve never taken the time to think carefully about it.
Maxim VII: Weakest Link Maxim: The efficacy of security is determined more by what is done wrong than by what is done right. Comment: Because the bad guys typically attack deliberately and intelligently, not randomly.
Maxim VIII: High-Tech Maxim: The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses. Comment: In security, high-technology is often taken as a license to stop thinking critically.
Maxim X: Dr. Who Maxim: “The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.”
Maxim XI: Low-Tech Maxim: Low-tech attacks work (even against high-tech devices and systems). Comment: So don’t get too worked up about high-tech attacks.
Maxim XII: Schneier’s Maxim #1 (Don’t Wet Your Pants Maxim): The more excited people are about a given security technology, the less they understand: (1) that technology, and, (2) their own security problems. Comment: From security guru Bruce Schneier.
Maxim XIII: Too Good Maxim: If a given security product, technology, vendor, or technique sounds too good to be true, it is. And it probably sucks big time.
Maxim XIV: Schneier’s Maxim #2 (Control Freaks Maxim): Control will usually get confused with Security. Comment: From security guru Bruce Schneier. Even when Control doesn’t get confused with Security, lots of people and organizations will use Security as an excuse to grab Control, e.g., the Patriot Act.
Maxim XV: Father Knows Best Maxim: The amount that (non-security) senior managers in any organization know about security is inversely proportional to (1) how easy they think security is, and (2) how much they will micro-manage security and invent arbitrary rules.
Maxim XVI: Big Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy.
Maxim XVII: Huh Maxim: When a (non-security) senior manager, bureaucrat, or government official talks publicly about security, he or she will usually say something stupid, unrealistic, inaccurate, and/or naïve.
Maxim XVIII: Voltaire’s Maxim: The problem with common sense is that it is not all that common. Comment: Real world security blunders are often stunningly dumb.
Maxim XIX: Yippee Maxim: There are effective, simple, & low-cost countermeasures (at least partial countermeasures) to most vulnerabilities . . .
Maxim XX: . . . Arg Maxim: But users, manufacturers, managers, & bureaucrats will be reluctant to implement them for reasons of inertia, pride, bureaucracy, fear, wishful thinking, and/or cognitive dissonance.