The Infosec Bucket

Yup! That hold water, like drizzle in a paper cup
This one etched in stone, the chisel with the paper up

I need a cut: a taper-up, edge-up
Niggas can't measure up, I'm here to get the treasure up

MF DOOM


Information is water in an infosec bucket.

How well does your bucket hold water?

We're going to push this analogy for all it's worth, spinning the bucket around in circles to centrifuge our data if we have to, touching on bitcoin of course, so buckle in.

Information security can occasionally be a bit like running from a man-eating bear.  You don't have to be able to outrun the bear, you only have to be able to outrun the slowest camper.

Basically, if you are spending a lot of time patching holes in your bucket in the upper half, while all leaks you have witnessed are happening to people in the lower half of their buckets, even with the same or more valuable information, you are probably wasting your time.

Let's step back a bit before I get too far with this, and look at the larger picture:

There is no perfect bucket.

That is to say there is no absolute information security.  Chances are a few neutrinos made it through your bucket and it's conceivable that one could use them to figure out what's inside.  That's a leak.  There are meteors, cosmic rays, and nuclear bombs, in addition to regular old RF emanations.  There is an actual world out there, which is unpredictable (yes I am a nagualist).  As you get to the top of the bucket, it's basically open.  We also have to remember that we have our own taps put on the thing, so we can take a drink when we need to.  Those taps can be leaky as well.

Sounds tricky, doesn't it?  If there's no perfect bucket, why do we even try?  Well, we have specific goals.  Some of us might lock our doors, even though we know that tanks exist and laugh at our door locks.  We try because we have to.  We climb because the mountain is there.  We live even though we know we will die.  We try because we don't want to be that slowest camper.

So, let's take a look at a few common infosec objects and see how they look when we bucketize them.

Proprietary Software

Proprietary software, that is, software that is not open source, is very simple: it is a hose tapped directly into the bottom of your bucket.  Some people refer to this kind of software as "backdoored".  This can be a bit confusing, because open source software could also be backdoored.  The difference is that so-called "proprietary" software is declared as backdoored.  The bucket has a nice shiny labeled tap right on the bottom and a decently secured hose coming out of it.  Sound like a bad idea?  Well, yeah.  It really is.  There is no need for this nonsense at all, apart from a very broken pathway of human psychology, which incidentally is the one that says "anything I can label as 'power' is always good".  Gotta have more power, right?  So you can, like, control things!  MMhhmm.  Couldn't leave well enough alone, could you, had to "control" things.  Children.  But I digress.

Encryption

Information can be at once both much easier to dam than water, and much more difficult.  Being massless and teleportable is a bit of a strain on the analogy, but hey, we have already established that we will pursue the unattainable.  Encryption is essential in any information bucket.  Without a cup, water spills on the Earth and is absorbed.  Without encryption we have no information.  We have no communication, as Claude Shannon first told us.  Language is encryption.  Putting ones and zeros into memory is encryption.  The immediate question is, who has the key?  Wait, where did I put those keys again?  Oh, you locked them.  And where are those keys?  Oh, in that safe.  The combination?

For the purposes of this essay, we will leave this remarkable topic for later, when we return to drink from the Swiss cheese infobucket with a broken straw.  Amazingly, this shit not only works but tastes great.