David Fetter <david(at)fetter(dot)org> wrote:
> One of the things the security community has learned is that the
> only way it's even possible to get an information leak rate of zero
> is to have a system which does nothing at all. It's a fact we need
> to bear in mind when addressing this or any other issue of access
> control.
And to get all old-school about it, I tend to go with the position put
forward by Admiral Grace Hopper[1] when I heard her speak at an ACM
meeting here. She said that *any* security could be broken, and that
the goal should be to put the cost of creating the breach higher for
the perpetrators than the benefits which would accrue to them. That
informs my perspective, anyway.
So, one of the first questions I ask about an information leak is
"what good would it do someone to know that?" So I don't worry too
much about someone knowing the size of my database or the number of
rows in a table, or for that matter whether county 12 has a
2009GN000317 case or how many party records have a Social Security
Number stored. I care very much that the SSN associated with a person
or a document flagged as confidential doesn't leak to unauthorized
viewers, because that information could benefit someone who obtains it
and harm others.
Perspective is more important that purity here.
-Kevin
[1] http://en.wikipedia.org/wiki/Grace_Hopper