Eugene’s Law of Security:

There’s always someone smarter.

Corollary:

Beware of stupid, malicious people in groups.

Eugene’s Law of Security is my way of describing what the designer or implementer of a system claiming to be secure needs to be aware of. Specifically, no matter how smart you are, the fact that you can’t break into something you designed doesn’t mean there isn’t someone a little bit smarter who will tear it to shreds.

Of course, you might still have questions about the corollary, like “I get that there is someone smarter than me, but why should I care about the dumb people?”, or perhaps just “you realize that’s technically not a corollary, right?”

Well, as it happens, when a lot of people look at something, they tend to be able to find bugs. So even if you are absolutely the smartest person in the world (and as we’ve established, you aren’t), if enough people are looking to break your system they’ll still manage it eventually.

A perfect example of where Eugene’s Law of Security should be applied is the programmer who stubbornly defends using XOR encryption. The justification always seems to be the same: “I can’t break it, so it must be good”, which, as anyone even passingly familiar with cryptography knows, is utterly wrong.
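To make the XOR point concrete, here is an added example (not code from the original post) showing why “I can’t break it” proves nothing: with a repeating XOR key, any plaintext fragment you can guess at the start of a message, such as a file header, hands back the key, and the key length falls out of the same check. The key, the message and the `%PDF-1.7` header are constructed for the demonstration.

```python
from itertools import cycle
from typing import Optional


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Recover a repeating XOR key from a plaintext fragment known to sit at
    the start of the message (a file magic number, a protocol header, a
    boilerplate greeting). Since c = p ^ k, the first key period is simply
    c ^ p. The key length is found by trying each period: a wrong period
    fails to reproduce the rest of the known prefix or yields unprintable
    bytes elsewhere in the message."""
    for key_len in range(1, min(max_key_len, len(known_prefix)) + 1):
        candidate = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))
        plaintext = xor_with_key(ciphertext, candidate)
        if not plaintext.startswith(known_prefix):
            continue  # wrong period: later prefix bytes do not line up
        if all(0x20 <= b < 0x7F for b in plaintext):
            return candidate  # shortest period that gives printable text
    return None


# Constructed sample: the analyst knows the file is a PDF (header '%PDF-1.7')
# but not the key; everything after the header is the "secret".
SECRET_KEY = b"s3cr3t"  # constructed, never passed to recover_key()
MESSAGE = b"%PDF-1.7 ... confidential budget: 4200 ..."
CIPHERTEXT = xor_with_key(MESSAGE, SECRET_KEY)


def demo() -> tuple:
    """Recover the key from the guessable header, then decrypt the whole message."""
    key = recover_key(CIPHERTEXT, b"%PDF-1.7")
    return key, None if key is None else xor_with_key(CIPHERTEXT, key)


if __name__ == "__main__":
    key, plaintext = demo()
    print("recovered key:", key)
    print("plaintext:", plaintext)
```

Eight guessable header bytes were enough to recover a six-byte key, which is exactly the kind of attack a lone designer testing only their own scheme never tries.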

Eugene’s Law is not a justification for omitting security from systems, but rather the recognition that creating your own security mechanisms in isolation is a sure recipe for failure.

For those still in doubt, feel free to take a look at Schneier’s Law which, while not exactly the same, is similar to Eugene’s Law of Security. Amusingly, I found out about Schneier’s Law the day after writing out Eugene’s Law for the ISC (pictured).