At 12:34 AM 8/27/04 +0100, Ian Grigg wrote:
>
> David Honig wrote:
> > "Security Engineer", according to Schneier...
>
> I don't like that term for 3 reasons: firstly, when we
> build stuff, security should be top-to-bottom, integrated
> in, and not seen as an add-on, an after-thought. That
> is, the overall engineer should build in the security as
> required from the beginning, so it is a skill that all
> need, and not something thrown over the wall to the guy
> with "security" in his title.
It should be, but usually isn't. In fact, the security dude often has to make recommendations out of his prescribed niche, to others. Often on a project which is already under way. E.g., I recently contracted to implement a crypto protocol. When I suggested that, if a pad of paper be provided for folks to write their passphrases down, it be a single glass-backed sheet (lest impressions be taken), much laughter ensued. But if it's worth encrypting, it must be interesting, right?

> Secondly, anything to do with security has a very strong
> hype-to-value ratio, so much so that it's quite hard to
> find a "security" company selling good security stuff.

Security is much more than crypto, I've learned, so I don't have a problem with the word. Security includes human and physical security, and although they're not cool comp sci or math, they are vital. Crypto being fairly refined, it's not the weakest link any more. And a 'security' mindset (being able to think like the adversary, much like in tic-tac-toe or chess) is important, but not so common. It's not like things titled "crypto" aren't often marinated in snake oil... :-)

> Thirdly, good security engineering, as it should be done,
> doesn't necessarily involve crypto. The art is in using
> as little crypto as possible - in precise and well placed
> doses. IMHO.

Yes. "Applications can't be any more secure than their operating system." -Bram Cohen

> Oftentimes, however, security engineers
> start from the pov that crypto is a hammer, and their
> job is to go find a nail to encrypt.

I'll admit to this tunnel vision when I started my interest, over a decade ago when I learned how the IP worked and got into dissecting crypto algorithms to find the magic. Since then I've learned that other things are more important to understand; crypto components are just black boxes to an engineer, like a sorting routine or the like.
Cryptoplumber is cute, in a self-deprecating way, but it's all engineering, albeit less mature than, say, civil engineering, which stopped building bridges that collapse some time ago.

"The ultimate in paranoia is not when everyone is against you but when everything is against you." --PKD

=================================================
36 Laurelwood Dr
Irvine CA 92620-1299
VOX: (714) 544-9727 (home)
mnemonic: P1G JIG WRAP
ICBM: -117.7621, 33.7275
HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable)
PGP PUBLIC KEY: by arrangement
Send plain ASCII text not HTML lest ye be misquoted
------
"Don't 'sir' me, young man, you have no idea who you're dealing with" Tommy Lee Jones, MIB
----
No, you're not 'tripping', that is an emu ---Hank R. Hill

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]