Minimalism in security
October 10, 2013  

As I hoped, Bruce Schneier’s writings on the security measures he is taking due to his involvement with the Snowden documents have started a useful conversation in the security community.

One thing that stands out in his post on air gaps and in the subsequent comments is a reliance on minimalism as a defensive measure. Some examples from the comments are to use text files instead of PDF files; use a serial line for communication rather than ethernet; use a wired keyboard and mouse instead of Bluetooth variants; and, in general, don’t use a complicated system when a simpler one will do.

While I am a fan of the minimalist philosophy, I think what it shows here is a massive failure of the security community: we can’t build secure systems of any complexity. Network communication is not secure. Document readers are not secure. Viewing an image is not secure. Maybe, 7-bit ascii is secure, if you are very careful.

This is the end result of an infatuation with attacks over defenses. Attacks are “sexier,” it is easier to publish a paper on an attack, and it is easier to get a lot of attention for an attack.

Defenses are harder: harder to think up and harder to build. It’s harder to make a system secure than to break it. It’s also harder to publish a paper on a defense. Defensive work is more often published outside of the mainstream conferences.

You get what you deserve.