Senin, 06 Agustus 2007

Kung Fu Wisdom on Threats

21.01  ,  No comments

Given the seriousness of my last post, I though some words of wisdom from the great Kwai Chang Caine would improve everyone's mood. Consider a scene from Kung Fu.

Caine is talking to an Amish man who says "When someone hits me with a stick, I have three choices: I can hit him back, I can let him hit me again, or I can run away.” Caine replies with a fourth option: "You can take the stick away from him."

The unspoken element of Caine's reply is that you can peacefully disarm an opponent, which may require Shaolin-like skill. Most people do not have such skills and are stuck with one of the three previous options.

None of these work approaches for digital security.


  1. If you hit the intruder back, unless he's incapacitated he remains ready for another attack. If you do knock out one of his drones, he activiates number two of ten thousand.

  2. If you let him attack again, you lose a second time. The threat is also free to hit again.

  3. If you run away by disconnecting from the network, you lose all the network's benefits.

  4. Taking away the stick (perhaps by criminalizing "hacker tools") only punishes law-abiding citizens. If you do peacefully shut down a drone, again he activates number two of ten thousand.


The answer to this problem is you apprehend the criminal for assault, prosecute, and incarcerate. "Rehabilitation" is nice, but at least for the duration of his prison time he can't hurt those outside prison. You may enjoy a deterrence effect, although this is debatable. Regardless, this is the only way to deal with a threat once it has obtained evil capabilities and intentions. (You can argue for shaping the threat's life such that those evil capabilities and intentions are not reached, but that's an issue for social scientists.)

It's all about the risk equation: Risk = Asset value * Vulnerability * Cost

  • No one is deploying worthless assets.

  • 30+ years of trying to develop resources that are vulnerability-free has failed.

  • Only the threat component has a chance to be reduced, thereby reducing overall risk (assuming it outpaces the asset and vulnerability categories, which is problematic still).

0 komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)