makrober
Wed, 28 Oct 2009 08:07:57 -0700
Ivan Krstić wrote:
> On Oct 24, 2009, at 2:31 PM, Jerry Leichter wrote:
>> The article at http://www.net-security.org/article.php?id=1322 claims that both are easily broken.
>
> Shrug. He doesn't explain what 'broken' means to him or under what threat model, and dammit, security without a threat model is like motherhood without apple pie...

This is a perfectly valid point; however, it cuts both ways. I'm sure all on this list have more than once encountered a user of some security product or system component for which the vendor completely failed to define the threat model it was effective under, and which was, consequently, misused to the point of offering no protection at all.

But back to the article pointed out by the OP: it is indeed an example of writing where a fault in a security product is implied, but not substantiated. And this (quote: "...This is partly because Apple has not policed its developer network. Everyone has access to the iPhone's technologies, so the hacking community has used this against Apple....") is surprising, to say the least: when someone claims these days that the security should be based on "policing the access to [some technology]", he's unlikely to be taken very seriously.

Mark R.