Evidence of Absence

Ryan McGeehan
Starting Up Security
3 min readMay 17, 2016

--

It’s impossible to prove that you haven’t suffered a security breach.

For instance, Google can’t prove that an adversary isn’t reading your email *right now*.

This is not a criticism and is unfair to hold this fact against any company.

Here’s why:

A security team can only describe their efforts to prevent and detect an intrusion. This strengthens their Evidence of Absence. Evidence of absence is weak. However, it’s how everyone trusts everything:

I trust that the measures you’ve taken prove the absence of a security breach.

This trust is undone completely when a breach is discovered.

THE EXCEPTION

Bitcoin companies can tell you that they didn’t lose their bitcoin yesterday.

They have cryptographic certainty of this fact. This is because an intrusion in bitcoin has its own strange version of the observer effect. They know for certain that up until right now… they’ve succeeded.

An intrusion involving bitcoin theft requires that the victim is alerted.

Can Twitter say that your private messages weren’t read by anyone but you yesterday?

This cuts two ways: We hear about every serious bitcoin breach. A bitcoin company breach is highly visible on the blockchain. Stealth intrusions do not exist when key material becomes involved. Long lasting, stealthy intrusions are common and expected at every other type of company.

If content (emails, passwords, photos) had this same property, how many more breaches would we hear about?

SUCCESS IN SECURITY

We did not suffer any game ending key material breach during my time at Coinbase. I know this because there is cryptographic proof on the blockchain of that track record. Coinbase is still in business.

This characteristic doesn’t measure other types of incident (phishing, malware, social engineering, etc) but a game ending breach was entirely measurable and didn’t happen.

Can Dropbox prove that no one has ever read your files, or can they only claim it is unlikely?

This philosophy prevents any accumulation of confidence for a security team. It’s always possible that your security team’s adversaries were victorious in areas that haven’t been checked yet. This results in a never ending “evidence of absence” game where security can never say with certainty if they’ve succeeded. Security can only list the preventions they’ve taken, or the areas they regularly check for breach, and estimate.

Every security professional should seek this quality in what they protect. You will know about your failures immediately, but you’ll also build confidence over time.

MODERN EVIDENCE OF ABSENCE

This area of security thinking is why I’m such a strong advocate for bug bounty. It’s a measurable “evidence of absence” that does not guarantee total absence of bugs. By illustrating the amount of effort that is currently being attracted and exerted to discover something that is hoped to be absent, you have a really consumable way to measure security.

At some point, we could hopefully be offering millions of dollars for bugs to prove their absence, and these bounties will be left unmet.

CONCLUSION

I predict that security teams at successful bitcoin companies will lead our industry in defensive innovation over the next decade. These are the only groups in the security profession who are able to prove they were successful over a long term.

@magoo

I’m formerly Director of Security @ Facebook and Coinbase, and currently founding advisor at HackerOne.

--

--