XKCD #538, Security
XKCD #538, Security

It’s worth a discussion. Is Randall Munroe, writer of xkcd.com correct? Is there an unreasonable investment in cryptography and information security?

My take: Since the ‘drug him and hit him with a wrench’ probably violates several very enforceable laws, the attacker is taking a pretty big risk going down that path. Whereas if the attacker was just trying to expose flaws or use massively parallel processing to crack a key, that may violate some laws on paper (ahem) which are harder to enforce–and an attacker would be pretty dumb to let slip that they were up to something like that. What are your thoughts?

7 thoughts on “XKCD Humor

  1. Walt says:

    Easy solution – ban the sale of wrenches.

  2. Anil says:

    First of all, you don’t need to drug the person, just use a wrench. You don’t even need that, just snatch and grab.

  3. Walt says:

    I don’t think that the point is that there’s an unreasonable investment in security, just that we security folks are a little self-deluded, thinking our algorithms and policies and what-have-you actually make something reasonably foolproof. Not putting effort into security would be foolish, but it’s equally foolish to think that someone who really, really wants your data isn’t going to be able to get at it somehow.

  4. Serren says:

    I just wanted to say that I love this site

  5. Jordan says:

    found your site on digg and must say that i am pretty surprised. your site has a lot of potential keep it up. my domain is in my email let me know what you think.

  6. Greg Bassett says:

    A security investment is unreasonable when it exceeds the cost of what it is going to protect. You don’t buy a $10,000 safe to protect $1000 of jewlery. The investment calculation has to take into account the value of the information, the cost of a loss of the information (recovery, recreation) loss/damage of company reputation and the potential for regulatory problems. Once this value is determined, you have a ceiling for the maximum you would spend. Then you begin to determine the likely hood of any of the potential loss scenarios and rank them against the tool or technology that is being purchased. At some point you will reach a balance of investment that will reduce the risk to an acceptable level for the business.

    Easy, right? 🙂

Comments are closed.