Philosophy of door locks

When working on security, there is something extremely important to keep in mind at all times. We are not trying to make systems impenetrable. We are trying to make it real, real hard for the attacker, that’s all.

If an attacker has physical access to your system, you lost. All measures, passwords, firewalls, everything is there to deter an attacker that is attacking remotely. But the only thing that actually stands between your system and a determined attacker is your door lock. Never thought of that, did you? The security of your computer at home is only as good as your door lock.

Yes, there are smart cards that are physically secure computers. But their application is limited and most if the time we have to deal with systems that we protect in the “virtual world” while in the real world they are basically defenseless. So we make it harder for the attackers with door locks, security guards and CCTV cameras.

Again, we are just making it harder, not impossible. Impossible would be impossible, not to mention prohibitively expensive. Given that an attack is always possible and there are many venues of attack, the attacker will always tend to choose a path that is most economical – the cheapest way to break into your system.

My task as I see it is to convince you to use such security measures that it becomes cheaper for the attacker to break into your house than to attack your computer through the software. Once we are at that point, you start looking into the well-understood world of physical security and my task is done. But we are far from there.