consulting question....

Roland Dowdeswell elric at imrryr.org
Wed May 27 10:31:01 EDT 2009


On 1243421494 seconds since the Beginning of the UNIX epoch
"Marcus Brinkmann" wrote:
>

>                         However, it also sounds like they are shifting the
>burden of proof.  Shouldn't they convince "you" (whoever they make the DRM
>for) that their system is working?  Have we really reached a situation where
>non-experts believe that DRM works until proven otherwise?  That seems an
>extraordinary marketing success of the sellers of DRM technology, because it
>stands against a mountain of evidence in the history of computing.

I have noticed in my years as a security practitioner that in my
experience non-security people seem to assume that a system is
perfectly secure until it is demonstrated that it is not with an
example of an exploit.  Until an exploit is generated, any discussion
of insecurity is filed in their minds as ``academic'', ``theoretical''
or ``not real world''.  This of course makes it quite difficult to
cause various issues to be fixed in practice as it is generally
more time consuming to construct and explain an exploit than to
simply fix the bug that has been discovered.

The next refrain that one is likely to hear even after demonstrating
that a security issue exists is ``How many people know how to do
that?''  I've actually heard that in some rather amusing circumstances
such as ``Well, how many people actually know how to read or edit
XML?''  It is a tricky conversation to explain to people that XML
is not in fact an encryption mechanism---especially if they have
seen any machine-produced XML recently.  Of course, this is one of
the more amusing examples but others abound.

I'm interested in asking people what rhetorical techniques they
use to overcome such difficulties in practice?

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/

---------------------------------------------------------------------
The Cryptography Mailing List