The wisdom of the ill informed

Allen netsecurity at
Mon Jun 30 10:16:17 EDT 2008

Arshad Noor wrote:
> While programmers or business=people could be ill-informed, Allen,
> I think the greater danger is that IT auditors do not know enough
> about cryptography, and consequently pass unsafe business processes
> and/or software as being secure.
> This is the reason why we in the OASIS Enterprise Key Management
> Infrastructure Technical Committee have made educating IT Auditors
> and providing them guidelines on how to audit symmetric key-management
> infrastructures, one of the four (4) primary goals of the TC.  While
> the technology is well understood by most people on this forum, until
> we educate the gate-keepers, we have failed in our jobs to secure IT
> infrastructure.

Yep. It seems like we've had a bit of this conversation recently, 
haven't we? ;-> And it is not just the gatekeepers, but also the 
users who need education. We know that we will not have enough 
"gatekeepers" to watch all users and uses.

Given this, the real question is, /"Quis custodiet ipsos custodes?"/ 
(Given as either "Who will watch the watchers themselves?" or "Who 
will guard the guardians?" from Juvenal.) Here we have the perfect 
examples of the conundrum in No Such Agency or the Company, who 
evade oversight or it is so obfuscated that the watchers at the 
political level either don't know what is really going on or they 
are complicit. Funny how something as off the main track of society 
as cryptography still reflects the identical problems of the greater 
whole, isn't it?

I also argue that badly structured protocol requirements that 
potentially obfuscate what is going on is a serious issue as well. 
Then too, there is documentation that does not get down to the bare 
metal, so to speak, so that those who are not skilled at reading 
code, and its implications, can understand what is going on. The 
Romans knew that and mad it law: /Quod non est in actis, non est in 
mundo./ ("What is not in the documents does not exist")

All of this requires team thinking so that everyone who is looking 
at the issues involved, no matter from what direction, creator, 
auditor or end user, gets "it."

> Arshad Noor
> StrongAuth, Inc.
> Allen wrote:
>> Hi gang,
>> All quiet on the cryptography front lately, I see. However, that does 
>> not prevent practices that *appear* like protection but are not even 
>> as strong as wet toilet paper.
>> I had to order a medical device today and they need a signed 
>> authorization for payment by my insurance carrier. No biggie. So they 
>> ask how I want it set to me and I said via e-mail. Okay. /Then/ they 
>> said it was an encrypted file and I thought, cool. How wrong could I be?
>> Very. The (I hate to use this term for something so pathetic) password 
>> for the file is 6 (yes, six) numeric characters!
>> My 6 year old K6-II can crack this in less than one minute as there 
>> are only 1.11*10^6 possible.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list