BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:The Unfalsifiability of security claims - Cormac Herley\, Microsof
 t Research\, Redmond
DTSTART:20160209T140000Z
DTEND:20160209T150000Z
UID:TALK64340@talks.cam.ac.uk
CONTACT:Laurent Simon
DESCRIPTION:*Abstract:*\nThere is an inherent asymmetry in computer securi
 ty: things can be declared insecure by observation\, but not the reverse\;
  there is no test that allows us to declare an arbitrary system or techniq
 ue secure. We show that this implies that claims of necessary conditions f
 or security (and sufficient conditions for insecurity) are unfalsifiable (
 or untestable). This in turn implies an asymmetry in self-correction: whil
 e the claim that countermeasures are sufficient can always be refuted\, th
 e claim that they are necessary cannot. Thus\, the response to new informa
 tion can only be to ratchet upward: newly observed or speculated attack ca
 pabilities can argue a countermeasure in\, but no possible observation ar
 gues one out. So errors accumulate. Further\, when justifications are unfa
 lsifiable\, deciding the relative importance of defensive measures reduces
  to a subjective comparison of assumptions.   \n\nWe argue that progress h
 as been slow in security precisely because of a failure to identify mista
 kes. Bad ideas that have received no corroboration persist indefinitely an
 d the resources they consume crowd out sensible measures to reduce harm\;
  examples of this abound. Many things that deliver no observed benefit are
  declared necessary for security\, either because they have been defined 
 to be so\, or have been reached through logically muddled arguments.  \n
 \n*Bio:*
  \nCormac Herley's main current interests are data analysis problems\, aut
 hentication and the economics of information security. He has published wi
 dely in signal and image processing\, information theory\, multimedia\, n
 etworking and security.  He is the inventor on over 70 US patents\, and ha
 s shipped technologies used by hundreds of millions of users. His research
  has been widely covered in outlets such as the Economist\, NY Times\, Was
 hington Post\, Wall St Journal\, BBC\, the Guardian\, Wired and the Atlant
 ic. He received the PhD degree from Columbia University\, the MSEE from Ge
 orgia Tech\, and the BE(Elect) from the National University of Ireland.
LOCATION:LT2\, Computer Laboratory\, William Gates Building
END:VEVENT
END:VCALENDAR
