[Cryptography] best practices considered bad term

Jerry Leichter leichter at lrw.com
Mon Feb 2 21:55:22 EST 2015


On Feb 2, 2015, at 8:02 PM, Kent Borg <kentborg at borg.org> wrote:
>> But what is the alternative to best practice recommendations for cybersecurity? Telling every business to hire a consultant?
> Admit we are in a wild-west era--say so--tell businesses that there are no magic bullets, they need to be cautious, worried, and skeptical buyers. Give us a few decades (!) and things will maybe calm down some.
Given the degree to which we are all dependent on these technologies already, that just won't fly.

>> Leaving the field to marketing departments with breathless claims of 5000-bit security or trade magazine articles written by writers who know little about the subject?
> 
> Promote open source software: cheaper, less need to be buzzword-compliant, more hope of being well implemented.
You can actually say that with a straight face after the last 12 months?  Heartbleed - and all the other bugs that the first serious look at OpenSSL then revealed?  Multiple serious bugs in bash?  Now GHOST?

Prediction for 2015:  As HTML5 begins to take over from Flash, the first serious vulnerability in an HTML5 implementation will appear this year.  It won't be the last.

The dream that OSS would magically give us bug-free, secure code died in 2014.  There is no magic, only hard work - and we don't even know exactly *what* we should be working on.
                                                        -- Jerry
