- A capable attacker will look for plaintext
- red/black separation
- Schneier's principle
- Zooko's tradeoff
- Kerckhoffs's Principle
- Corollary to Metcalfe's principle [2]
- It is easier for insiders to steal information (insiders include janitors and cleaners)
- Design for known threats
- Design for future threats
- Design for unknown threats as far as possible
- existing systems persist
- defence in depth
- monoculture -> target more attractive, usually more brittle
- the capital and operating costs of well-designed secure systems are about the same as those of insecure ones until the insecure ones fail
- keep intrusion records
- keep I/O records
- cheap and effective security needs good system design.
- if it's expensive, it probably won't be effective.
- Unless it is for your use alone you do not control what a system is to be used for
- Even if it is for your use alone you do not control the resources which will be pitted against your system
- cryptanalysis is difficult - but people can do difficult things
- people offering the impossible are lying
- in code, nothing ever really goes away
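The first two items above (a capable attacker will look for plaintext; red/black separation) in working form, as an added example that is not the author's code. It assumes a typed Plaintext/Ciphertext pair, a BlackChannel class standing in for the network, and a constructed HMAC-SHA256 keystream cipher so it runs on the Python standard library alone; none of these names come from the original list.

```python
"""Red/black separation, illustrated (added example, not the author's code).

RED side: plaintext lives here and never touches the network.
BLACK side: only ciphertext lives here; it is the only side that may transmit.
The single bridge between them is encrypt(), which takes a Plaintext and
returns a Ciphertext. BlackChannel.transmit() refuses anything that is not a
Ciphertext, so a bug that routes plaintext straight to the wire fails loudly.
The cipher below (HMAC-SHA256 keystream + HMAC tag) is a constructed stand-in
so the example runs offline; use a vetted AEAD in real code.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Plaintext:
    """RED-side value. Must never be handed to the BLACK side as-is."""
    data: bytes


@dataclass(frozen=True)
class Ciphertext:
    """BLACK-side value: nonce, encrypted body and authentication tag."""
    nonce: bytes
    body: bytes
    tag: bytes


class RedBlackViolation(TypeError):
    """Raised when plaintext (or untyped bytes) reaches the BLACK side."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (constructed for this example).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(key: bytes, nonce: bytes, body: bytes) -> bytes:
    return hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()


def encrypt(key: bytes, pt: Plaintext) -> Ciphertext:
    """The only RED -> BLACK bridge: Plaintext in, Ciphertext out."""
    if not isinstance(pt, Plaintext):
        raise RedBlackViolation("encrypt() only accepts Plaintext")
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(pt.data, _keystream(key, nonce, len(pt.data))))
    return Ciphertext(nonce, body, _tag(key, nonce, body))


def decrypt(key: bytes, ct: Ciphertext) -> Plaintext:
    """The only BLACK -> RED bridge: verify the tag first, then decrypt."""
    if not hmac.compare_digest(ct.tag, _tag(key, ct.nonce, ct.body)):
        raise ValueError("authentication failed")
    data = bytes(c ^ k for c, k in zip(ct.body, _keystream(key, ct.nonce, len(ct.body))))
    return Plaintext(data)


class BlackChannel:
    """BLACK side: the only component allowed to put bytes on the wire."""

    def __init__(self) -> None:
        self.wire: list[bytes] = []  # stands in for the network (constructed)

    def transmit(self, msg: object) -> None:
        if not isinstance(msg, Ciphertext):
            raise RedBlackViolation(f"refusing to transmit {type(msg).__name__}")
        self.wire.append(msg.nonce + msg.body + msg.tag)


def wire_contains(chan: BlackChannel, needle: bytes) -> bool:
    """What a capable attacker does with a capture: look for the plaintext."""
    return any(needle in frame for frame in chan.wire)


def demo(secret: bytes = b"attack at dawn") -> tuple[bool, bool, bool]:
    """Returns (plaintext visible on wire, bare Plaintext refused, raw bytes refused)."""
    key = secrets.token_bytes(32)
    chan = BlackChannel()
    chan.transmit(encrypt(key, Plaintext(secret)))  # the proper path
    leaked = wire_contains(chan, secret)
    refused = []
    for bad in (Plaintext(secret), secret):  # two ways to get it wrong
        try:
            chan.transmit(bad)
            refused.append(False)
        except RedBlackViolation:
            refused.append(True)
    return leaked, refused[0], refused[1]


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

The point is structural rather than cryptographic: because the transmit function accepts only the Ciphertext type, the separation is enforced by the type system at the boundary rather than by every caller remembering to encrypt, and a capture of the wire can be checked for the plaintext exactly as an attacker would check it.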
The principles can sometimes be broken or wrong, unlike the laws.
[2] the security of a secret is inversely proportional to the square of the number of people who know it
- Peter Fairbrother