Gilles Gravier's Weblog

Security : Are we doing the right things for the wrong reasons?

So looking at some of the things we do, I can't help but wonder if we aren't completely missing the boat sometimes.

Take the example of preventing counterfeit money. Vendors of photo manipulation software have been coerced into embedding code in their applications that, if they see that they are manipulating a file that has certain patterns, then they prevent you from saving it, and bring up a pop-up saying that you are a naughty person trying to manipulate the image of a banknote. Wouldn't it be much better to design banknotes that are much harder to copy? What this behavior is encourraging is for people to use open source software like TheGIMP which has no such controls. Of course, soon, you will have printers, and scanners, and maybe computer BIOS that will all collaborate, so people will turn to OpenBIOS, and keep old printers and scanners to keep making funny-money for their kids playing monopoly.

What is more frustrating is that I never saw an official announce from the software vendors about this feature (I would have imagined this as part of the "What's new in version XX" documentation). This is being done covertly, pushed by entities that we have little control on. The latest example is the fact that more and more printers implement a hidden watermarking feature that enables law enforcement to trace printouts to the printer's serial number, so to the legitimate owner. Of course, not taking into account stolen machines, gray market machines... so encourraging that kind of behavior in criminals which are not going to stop at that.

Why don't we learn to fix problems at the root? Security features should be built into things at their design. Not slapped on afterwards. It doesn't help anything to have software prevent you from scanning banknotes. Design banknotes that are close to impossible to print easily. It doesn't help to add copy protection to media. Design business models that make copying of media irrelevant.

We live in a world where too often we try to fix things that were designed broken, or for which the security model has become irrelevant in our modern times, and instead of going back to the drawing board to build a new version, redesigned from scratch, adapted to the current context, we desperately try to slap patches on, ignoring that we are closing small holes in a wide open structure.

Posted at 10:51AM Oct 26, 2005 by gravax in Security  |  Comments[1]