Publicity we can all do without

Publicity-seeking security researchers are a welcome boost to journalists, but they are a pain for serious security practitioners. Practitioners spend many years developing and justifying security solutions to a largely resistant and doubting community of business managers and customers, only to find their efforts undermined by sensational media claims that their countermeasures are not 100% perfect. 
This week we have seen two sets of claims that undermine existing security solutions, and as a result might hold back their adoption. The first is a claim by a former US Army computer security specialist that he has devised a way to break the security of Trusted Platform Module (TPM) chips through a sophisticated physical attack on the silicon itself. Of course the press failed to point out that such an attack requires a high degree of skill and hundreds of thousands of dollars' worth of laboratory equipment to break a single chip, and that it recovers the secrets of that one chip only, not something your average criminal is likely to have at their disposal. The second is the claim by Cambridge University that a stolen Chip and PIN card can be used to carry out a seemingly authentic transaction without the PIN, by interposing equipment between the card and the terminal so that the terminal believes the PIN was verified while the card believes a signature transaction took place. Here too the press glossed over the fact that the attack requires specialised skills and equipment, and that its authors themselves say the resulting transactions are detectable from the data the bank receives. 
Theoretical attacks prove little or nothing that we don't already know. Information systems are not designed to have perfect security. They are designed to resist the level of anticipated attacks at an affordable cost: the test of a countermeasure is whether the cost and skill an attacker must invest exceed what the protected asset is worth to them, not whether it can be broken at all given unlimited resources. One would have thought that Cambridge University would have grasped this point, having spent many years attempting to research the economics of security. 
Whatever you might think about TPM chips and Chip and PIN card systems, they both represent significant advances in security solutions, something that is unfortunately in short supply in an academic security community that increasingly prefers to break rather than build security systems.