At 09:34 PM 2/1/2008 +0100, Ian G wrote:
* Browser vendors don't employ security people as we know them on this
mailgroup, they employ cryptoplumbers. Completely different layer. These
people are mostly good (and often very good) at fixing security bugs. We
thank them for that! But they are completely at sea when it comes to
systemic security failings or designing new systems.
An excellent observation Ian!!
I too have run into this mindset at enterprises with inhouse security teams
(mostly in Silicon Valley). They focus on the nuts and bolts like
producing/using cryptographic libaries, fixing security bugs in code or
configuring network appliances to stop intrusions. But it is really hard
to find any of them with decent experience or knowledge at the overall
software/hardware/people system design level. They are often very smart and
educated engineers. I find that there's this "mindless" focus on using
groups of "security" standards, e.g PKI / LDAP / SSL type of combinations,
etc. The DoD contractor firms seem to be a little bit better at
recognizing the system level aspects of security, although they too are
often blinded by the emphasis on "COTS" security products.
- Alex
--
Alex Alten
[EMAIL PROTECTED]
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
