[Cryptography] Cryptographic signing of software is security theater

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Dec 6 04:41:05 EST 2022


Stephen Farrell writes:
>On 04/12/2022 00:01, Peter Gutmann wrote:
>>Ah yes, "we take security seriously", the thoughts and prayers of computer
>>security.
>
>There must by now be enough examples of completely defunct companies who made
>such statements that someone could have described what happened on the
>inside before issuing such a statement. I can't recall examples of such
>though, so does anyone have some?

Although I didn't think of this at the time, there's another parallel to
"thoughts and prayers" here in that there are no consequences and nothing
changes after a "we take security seriously".  There might be a brief stock
market blip, but after a few weeks it's business as usual.

There are a few examples of businesses that were shonky anyway, cryptocurrency
exchanges and things like Ashley Madison spring to mind, but at the risk of
getting a bit no true Scotsman-ey, I'm not aware of any serious enterprise
that's experienced long-term consequences from not taking security seriously.
Look at the company that had the Mother of All Breaches, select "Max" for the
share price, and see if you can spot when they were breached:

https://markets.ft.com/data/equities/tearsheet/charts?s=EXPN:LSE
https://finance.yahoo.com/quote/EXPN.L/

Peter.
