On 07/05/2011 09:09 AM, Steven Bellovin wrote:
> More importantly (and to pick a less extreme scenario), security isn't an absolute, it's a matter of economics. If the resource you're protecting isn't worth much, why should you spend a lot?
And, one does not need to guess at how much "a lot" is; the legal community uses a ruling from 1947, issued by Judge Learned Hand in the case of United States vs. Carroll Towing Co., to determine how much someone should have spent:

http://en.wikipedia.org/wiki/United_States_v._Carroll_Towing_Co.
or
http://en.wikipedia.org/wiki/Calculus_of_negligence

The only issue with our rather immature security industry is that, without a central repository of information about attacks (that might have provided quantitative data to researchers), it's very hard to calculate estimated damage.

Arshad Noor
StrongAuth, Inc.