[Cryptography] Dark Mail Alliance specs?

Phillip Hallam-Baker hallam at gmail.com
Thu Mar 27 11:17:27 EDT 2014


On Thu, Mar 27, 2014 at 12:26 AM, Sampo Syreeni <decoy at iki.fi> wrote:

> On 2014-03-26, Ralf Senderek wrote:
>
>> It's not an inherent property of a cloud to be insecure.
>
> How is it not? You have to be able to contact the cloud in some way. Once
> you've contacted it in some way, they know your real name. They can then
> kill you off if you do something suspicious, including you contacting the
> cloud in a way they can't make sense of.
>

Security is not a product, it is the mitigation of risks.

There is a risk that an outsourcer will attack you or be suborned by an
attacker. But that is only one of the risks to consider. The risk that they
screw up accidentally is probably larger. If you are deciding to insource
or outsource you have to consider both sets of risks.

The risks for insourcing include:

* Untrustworthy employees (insider risk)
* Incompetent employees
* Can't hire any employees at all
* Insufficient resources to do the job right


An outsource supplier has to convince customers to trust her. So most
invest heavily in security and process and audits. Those are not a
guarantee that the right thing is done but they have economies of scale on
their side and they do at least have the resources to do the right thing.

In-house teams usually don't face anything like the same scrutiny as the
outsource providers.

The main downside to the cloud, security-wise, is that they are a bigger
target. So a successful attack is likely to be more profitable.

-- 
Website: http://hallambaker.com/