burning-brick

I’d like to propose a simple test for any definition of security success: the Brick Test.

As Security Team people, we tend to evaluate our own work in terms of prevention. Under a certain threat model: the secrets are prevented from being exfiltrated; the messages are prevented against being forged; the company property is prevented against being misused.

If we’re being good engineers about it, we usually try to agree on a definition of success before we start: otherwise it’s not clear when we’re done or if we’ve done anything at all. Knowing what success looks like can also help us avoid starting unrealistic projects.

What should be considered in the definition of success? Certainly all the things we want to prevent (and the threat models under which they should be prevented), as discussed above. But what else?

The Brick Test asks just one question:

could a standard brick (i.e., a bit of masonry, any color, heavy enough to break glass when propelled) satisfy your definition of success?

If success is “the user’s disk can’t be decrypted by an attacker,” then a brick could achieve success more more permanently and completely than a whole team of very smart engineers. Bricks are also considered post-quantum.

If a brick can achieve success, it’s probably cheaper than you are. In this case, re-think your definition of success! (Or, shut down the project, job’s done!)

Corollary: any system that uses machine learning to satisfy criteria that fail the Brick Test is called “BrickGPT.”