On 7/21/15 11:01 AM, [1]dan@geer.org wrote: Continuing to think about this, an analogy presents itself. If I tell you a secret after getting your agreement that you will not yourself tell anyone else, then I am trusting in non-recursive disclosure, i.e., you break the chain and I trust that you will not fail to do so. If I place my execution or my storage in the hands of others, then I am trusting in non-recursive propagation of my code and/or my data. If the pinnacle goal of security engineering is "No silent failure," then creating a dependence on non-recursive exposure of execution or storage is resolved either by blind trust or by a sufficient degree of surveillability that prevents silent breaking of the non-recursion constraint. But what would that be? Is this a kind of supply chain argument that devolves to whether a target is or is not big enough to sue? If I have proven, workable recourse, then perhaps I can trust -- which is to say I am able to then choose to take no additional, proactive countermeasures. If I do not have proven, workable recourse, then how can I prevent not just silent failure but silent failure plus a clean getaway even post-discovery? Daniel Solove suggested that the greatest danger to privacy is a blythe "I live a good life and have nothing to hide;" so, in parallel, is not the greatest danger to data integrity something of a parallel construction, something like "No one would want to screw with my cloud, I'm just a nobody"? Thinking out loud; no need to answer, --dan +1 There are multiple avenues possible of assurance, architecture, audit, obfuscation, canaries, etc. Perhaps encrypted computing will be useful; already encrypted storage is relatively easy to use for at least some circumstances (object stores, backup). If billions of lightweight container-based compute transactions are flowing through a system that pools payment and has secure distributed storage and communication, is it possible to be too obscure to identify and tap? Spammer scammers are practicing this kind of thing daily, and countermeasures are being created too, but as for most of that there is a final traceable step, email etc., that's not quite the same as some other private security goals. sdw References 1. mailto:dan@geer.org