titles

David Honig dahonig at cox.net
Thu Aug 26 20:07:35 EDT 2004


At 12:34 AM 8/27/04 +0100, Ian Grigg wrote:
>
>David Honig wrote:
> > "Security Engineer", according to Schneier...
>
>I don't like that term for 3 reasons:  firstly, when we
>build stuff, security should be top-to-bottom, integrated
>in, and not seen as an add-on, an after-thought.  That
>is, the overall engineer should build in the security as
>required from the beginning, so it is a skill that all
>need, and not something thrown over the wall to the guy
>with "security" in his title.

It should be, but usually isn't.  In fact, the security
dude often has to make recommendations out of his
prescribed niche, to others.  Often on a project which
is already under way.

E.g., I recently contracted to implement a crypto protocol.
When I suggested that, if a pad of paper be provided for
folks to write their passphrases down, it be a single 
glass-backed sheet (lest impressions be taken), much
laughter ensued.  But if it's worth encrypting, it must
be interesting, right?


>Secondly, anything to do with security has a very strong
>hype-to-value ratio, so much so that it's quite hard to
>find a "security" company selling good security stuff.

Security is much more than crypto, I've learned, so 
I don't have a problem with the word.  Security includes
human and physical security, and although they're not
cool comp sci or math, they are vital.  Crypto being
fairly refined, it's not the weakest link any more.  And a 'security'
mindset (being able to think like the adversary, much
like in tic-tac-toe or chess) is important, but not
so common.

It's not like things titled "crypto" aren't often marinated in snake oil...
:-)

>Thirdly, good security engineering, as it should be done,
>doesn't necessarily involve crypto.  The art is in using
>as little crypto as possible - in precise and well placed
>doses.  IMHO.  

Yes.    

"Applications can't be any more secure than their
operating system." -Bram Cohen

>Oftentimes, however, security engineers
>start from the pov that crypto is a hammer, and their
>job is to go find a nail to encrypt.

I'll admit to this tunnel vision when I started my interest,
over a decade ago when I learned how the IP worked and
got into dissecting crypto algorithms to find the magic.
Since then I've learned that other things are more 
important to understand; crypto components are just black 
boxes to an engineer, like a sorting routine or the like.

Cryptoplumber is cute, in a self-deprecating way, but
it's all engineering, albeit less mature than say civil
engineering, which stopped building bridges that collapse
some time ago.

"The ultimate in paranoia is not when everyone is against you but when
everything is against you." --PKD


=================================================
36 Laurelwood Dr
Irvine CA 92620-1299

VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP

ICBM: -117.7621, 33.7275
HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable)
PGP PUBLIC KEY: by arrangement

Send plain ASCII text not HTML lest ye be misquoted

------

"Don't 'sir' me, young man, you have no idea who you're dealing with"
Tommy Lee Jones, MIB

----

No, you're not 'tripping', that is an emu ---Hank R. Hill

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com