Arshad Noor
Sun, 29 Jun 2008 14:10:00 -0700
[Moderator's note: "Top posting considered uncool." --Perry]

While programmers or business-people could be ill-informed, Allen, I think the greater danger is that IT auditors do not know enough about cryptography, and consequently pass unsafe business processes and/or software as being secure. This is the reason why we in the OASIS Enterprise Key Management Infrastructure Technical Committee have made educating IT Auditors and providing them guidelines on how to audit symmetric key-management infrastructures one of the four (4) primary goals of the TC. While the technology is well understood by most people on this forum, until we educate the gate-keepers, we have failed in our jobs to secure IT infrastructure.

Arshad Noor
StrongAuth, Inc.

Allen wrote:
Hi gang,

All quiet on the cryptography front lately, I see. However, that does not prevent practices that *appear* like protection but are not even as strong as wet toilet paper.

I had to order a medical device today and they need a signed authorization for payment by my insurance carrier. No biggie. So they ask how I want it sent to me and I said via e-mail. Okay. /Then/ they said it was an encrypted file and I thought, cool. How wrong could I be?

Very. The (I hate to use this term for something so pathetic) password for the file is 6 (yes, six) numeric characters!

My 6-year-old K6-II can crack this in less than one minute as there are only 1.11*10^6 possible.
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
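The keyspace arithmetic behind Allen's "1.11*10^6 possible" figure, written out as a small policy check an auditor could apply to any password scheme (this is an added example, not code from either poster; it generalises to any alphabet size and length range, and the guess rates and time budget in it are constructed assumptions, not measurements from the thread):

```python
# Added example: estimate how long exhausting a password policy's keyspace
# takes, so an auditor can judge whether "encrypted with a 6-digit password"
# offers real protection. Guess rates below are constructed assumptions.

def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate passwords of every length from min_len to max_len.

    A cracker that does not know the exact length must try all of them,
    which is why digits of length 1..6 give 1,111,110, not 1,000,000.
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_second


def policy_is_adequate(alphabet_size: int, min_len: int, max_len: int,
                       guesses_per_second: float, budget_seconds: float) -> bool:
    """Defender-side check: the policy passes only if exhausting the whole
    keyspace takes longer than the attacker's assumed time budget."""
    space = keyspace(alphabet_size, min_len, max_len)
    return seconds_to_exhaust(space, guesses_per_second) > budget_seconds


def compare_policies(guesses_per_second: float = 1e5, budget_seconds: float = 60.0):
    """Contrast the thread's 6-digit numeric scheme with a 12-character
    mixed-case alphanumeric one under the same (assumed) attacker."""
    policies = {
        "digits, length 1..6": (10, 1, 6),          # Allen's medical-device file
        "alnum, length 12":    (62, 12, 12),        # constructed comparison
    }
    return {
        name: {
            "keyspace": keyspace(a, lo, hi),
            "seconds": seconds_to_exhaust(keyspace(a, lo, hi), guesses_per_second),
            "adequate": policy_is_adequate(a, lo, hi, guesses_per_second, budget_seconds),
        }
        for name, (a, lo, hi) in policies.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name}: {result}")
```

At the assumed 100,000 guesses per second the six-digit scheme falls in about eleven seconds, comfortably inside Allen's "less than one minute"; the point for an auditor is that the keyspace, not the word "encrypted", decides the outcome.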