Ian G wrote:
> On this I would demur. We do have a good metric: losses. Risk
> management starts from the business, and then moves on to how losses are
> affecting that business, which informs our threat model.
>
> We now have substantial measurable history of the results of open use
> of cryptography. We can now substantially and safely predict the result
> of any of the familiar cryptographic components in widespread use,
> within the bounds of risk management.
>
> The result of 15-20 years is that nobody has ever lost money because of
> a cryptographic failure, to a high degree of reliability.

How about all the money lost because Wifi security does not work?

If the administrator selects encryption for the wifi network, follows
good practices with passwords, and yet attackers get in, is that not
a cryptographic failure?

A common, perhaps the most common, attack on corporations is to get
inside the corporate network through wifi, then mount an SQL injection
attack on the corporate database, then steal the corporate database.
This often causes extremely large monetary losses.
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography