The wisdom of the ill informed
netsecurity at sound-by-design.com
Mon Jun 30 10:16:17 EDT 2008
Arshad Noor wrote:
> While programmers or business-people could be ill-informed, Allen,
> I think the greater danger is that IT auditors do not know enough
> about cryptography, and consequently pass unsafe business processes
> and/or software as being secure.
> This is the reason why we in the OASIS Enterprise Key Management
> Infrastructure Technical Committee have made educating IT Auditors
> and providing them guidelines on how to audit symmetric key-management
> infrastructures, one of the four (4) primary goals of the TC. While
> the technology is well understood by most people on this forum, until
> we educate the gate-keepers, we have failed in our jobs to secure IT
Yep. It seems like we've had a bit of this conversation recently,
haven't we? ;-> And it is not just the gatekeepers, but also the
users who need education. We know that we will not have enough
"gatekeepers" to watch all users and uses.
Given this, the real question is, /"Quis custodiet ipsos custodes?"/
(Given as either "Who will watch the watchers themselves?" or "Who
will guard the guardians?" from Juvenal.) Here we have the perfect
examples of the conundrum in No Such Agency or the Company, who
evade oversight or it is so obfuscated that the watchers at the
political level either don't know what is really going on or they
are complicit. Funny how something as off the main track of society
as cryptography still reflects the identical problems of the greater
whole, isn't it?
I also argue that badly structured protocol requirements that
potentially obfuscate what is going on is a serious issue as well.
Then too, there is documentation that does not get down to the bare
metal, so to speak, so that those who are not skilled at reading
code, and its implications, can understand what is going on. The
Romans knew that and made it law: /Quod non est in actis, non est in
mundo./ ("What is not in the documents does not exist")
All of this requires team thinking so that everyone who is looking
at the issues involved, no matter from what direction, creator,
auditor or end user, gets "it."
> Arshad Noor
> StrongAuth, Inc.
> Allen wrote:
>> Hi gang,
>> All quiet on the cryptography front lately, I see. However, that does
>> not prevent practices that *appear* like protection but are not even
>> as strong as wet toilet paper.
>> I had to order a medical device today and they need a signed
>> authorization for payment by my insurance carrier. No biggie. So they
>> ask how I want it sent to me and I said via e-mail. Okay. /Then/ they
>> said it was an encrypted file and I thought, cool. How wrong could I be?
>> Very. The (I hate to use this term for something so pathetic) password
>> for the file is 6 (yes, six) numeric characters!
>> My 6 year old K6-II can crack this in less than one minute as there
>> are only 1.11*10^6 possible.
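As an added illustration of the keyspace arithmetic in Allen's quoted post (this is not part of the original thread), the following Python works out how many distinct passwords a policy permits, the equivalent entropy in bits, and how long exhaustive guessing would take at an assumed guess rate. The guess rates are constructed assumptions for comparison only, not measurements of any hardware; the policies compared beyond the six-digit one are likewise assumptions.

```python
import math
import string

# Alphabet sizes for the policies compared below (assumed policies, not from the post).
DIGITS = len(string.digits)                                  # 10
ALNUM = len(string.ascii_letters + string.digits)            # 62
PRINTABLE = len(string.printable.strip())                    # 94 printable ASCII, no whitespace


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Count of distinct passwords of length min_len..max_len over an alphabet.

    With digits and lengths 1..6 this is 10 + 100 + ... + 10**6 = 1,111,110,
    the '1.11*10^6 possible' figure quoted in the post.
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Entropy of a uniformly chosen password from a keyspace of the given size."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given rate (average is half)."""
    return space / guesses_per_second


def policy_report(guesses_per_second: float) -> dict:
    """Compare several password policies at one assumed guessing rate."""
    policies = {
        "digits, 1-6 chars": keyspace(DIGITS, 6),
        "digits, exactly 6 chars": keyspace(DIGITS, 6, 6),
        "alphanumeric, 8 chars": keyspace(ALNUM, 8, 8),
        "printable ASCII, 12 chars": keyspace(PRINTABLE, 12, 12),
    }
    return {
        name: {
            "keyspace": space,
            "bits": round(entropy_bits(space), 1),
            "exhaust_seconds": seconds_to_exhaust(space, guesses_per_second),
        }
        for name, space in policies.items()
    }


if __name__ == "__main__":
    # Assumed rate for an offline attack on a password-protected file; constructed, not measured.
    for name, row in policy_report(guesses_per_second=1e6).items():
        print(f"{name:28s} {row['keyspace']:>25,d} {row['bits']:>6.1f} bits "
              f"{row['exhaust_seconds']:>15.3e} s")
```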
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com