On Jun 18, 2012, at 9:03 PM, Matthew Green wrote:

> On Jun 18, 2012, at 4:21 PM, Jon Callas wrote:
>
>> Reviewers don't want a review published that shows they gave a pass on a
>> crap system. Producing a crap product hurts business more than anything in
>> the world. Reviews are products. If a professional organization gives a pass
>> on something that turned out to be bad, it can (and has) destroyed the
>> organization.
>
> I would really love to hear some examples from the security world.
>
> I'm not being skeptical: I really would like to know if any professional
> security evaluation firm has suffered meaningful, lasting harm as a result of
> having approved a product that was later broken.
>
> I can think of several /counterexamples/, a few in particular from the
> satellite TV world. But not the reverse.
>
> Anyone?
The canonical example I was thinking of was Arthur Andersen, which doesn't meet your definition, I'm sure. But we'll never get to requiring security reviews if we don't start off seeing them as desirable.

Jon
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography