On Jul 29, 2010, at 22:23, Anne & Lynn Wheeler wrote:
> On 07/28/2010 10:34 PM, d...@geer.org wrote:
>> The design goal for any security system is that the number of
>> failures is small but non-zero, i.e., N>0. If the number of
>> failures is zero, there is no way to disambiguate good luck
>> f
for the fun of it ... from today ...
Twenty-Four More Reasons Not To Trust Your Browser's "Padlock"
http://blogs.forbes.com/firewall/2010/07/29/twenty-four-more-reasons-not-to-trust-your-browsers-padlock/?boxes=Homepagechannels
from above:
On stage at the Black Hat security conference Wednesday
On 07/28/2010 10:34 PM, d...@geer.org wrote:
> The design goal for any security system is that the number of
> failures is small but non-zero, i.e., N>0. If the number of
> failures is zero, there is no way to disambiguate good luck
> from spending too much. Calibration requires differing outcomes.
> Reg
d...@geer.org wrote:
> Regulatory compliance, on the other hand, stipulates N==0 failures
> and is thus neither calibratable nor cost effective. Whether
> the cure is worse than the disease is an exercise for the reader.
I do not believe regulations require that there be zero compromises
to systems
> It is important to remember what we're trying to defend against. As
> many of us have learned through bitter experience, the costs and
> benefits of security systems we deploy are the important part. No one
> needs perfect security in the face of no attackers at all, and even if
> attackers are