Security of Mac Keychain, File Vault
makrober
makrober at gmail.com
Tue Oct 27 17:02:44 EDT 2009
Ivan Krstić wrote:
> On Oct 24, 2009, at 2:31 PM, Jerry Leichter wrote:
>> The article at http://www.net-security.org/article.php?id=1322 claims
>> that both are easily broken.
>
> Shrug. He doesn't explain what 'broken' means to him or under what
> threat model, and dammit, security without a threat model is like
> motherhood without apple pie...

This is a perfectly valid point; however, it cuts both ways. I'm sure
all on this list have more than once encountered a user of some
security product or system component for which the vendor completely
failed to define the threat model it was effective under, and which
was, consequently, misused to the point of offering no protection at all.

But back to the article pointed out by the OP: it is indeed an example
of writing where a fault in a security product is implied, but not
substantiated. And this (quote: "...This is partly because Apple has not
policed its developer network. Everyone has access to the iPhone's
technologies, so the hacking community has used this against Apple....")
is surprising, to say the least: when someone claims these days that the
security should be based on the "policing the access to [some technology]",
he's unlikely to be taken very seriously.

Mark R.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com