Signs of Triviality

Opinions, mostly my own, on the importance of being and other things.
[homepage] [index] [] [@jschauma] [RSS]

The Zen of Infosec

March 26th, 2019

Sure, you may know the Zen of Python, aka 'import this'. But did you know that you can also 'import cyber'?

The Zen of Infosec, by Jan Schaumann

Boring is better than clever.

Explicit is better than implicit.

Simple is better than complex.

Complex is better than complicated.

Fail closed is better than fail open.

Layers are better than bulwarks.

Usability counts.

Integrity without authenticity is rarely what you want.

Although confidentiality without authenticity may be ok.

Shamir's Three Laws still hold.

And Kerckhoff's Principle extends beyond pure crypto.

In the face of an audit, refuse the temptation to tick checkboxes.

Hanlon's Razor is sharp as ever.

Although that may not be obvious if you've been here for a while.

100% security is impossible.

Although raising the bar is often sufficient.

If the system is hard to explain, it's a bad idea.

If the system is easy to explain, it may be a good idea.

Threat models are one honking great idea -- let's do more of those!

March 26th, 2019

[Capturing specific SSL and TLS version packets using tcpdump(8)] [Index] [New Adventures in DNSSEC and DANE]