Re: [SC-L] OWASP Publicity

2007-11-19 Thread James Stibbards
Ben, Good comments. It may be true that "older" technology is what today's Sr Managers have the most familiarity with, however... In my opinion, it's not that familiarity that we (or they) should rely on, in order to be well-informed, and thus be making good security-related decisions. It's no lo

Re: [SC-L] Harvard vs. von Neumann

2007-06-14 Thread James Stibbards
Hi Gary (good to see you at Gartner, BTW), I recall way back in the bad old days of the Orange Book that we used to look for both Developmental Assurance and (emphasis here) Operational Assurance. To that end, systems are designed and implemented with certain limitations or "assumptions" (shudde

RE: [SC-L] Bugs and flaws

2006-02-03 Thread James Stibbards
Hi Gary, In one of your prior posts you mentioned documentation. I believe that the problem with WMF was that someone had not examined WMF as a potential source of vulnerabilities, since the embedded code was a legacy capability. My belief is that one of the keys to finding flaws lies in the p

[SC-L] Managing the insider threat through code obfuscation

2005-12-15 Thread James Stibbards
Hi Jeremy (and Ken), Obfuscation of Java bytecode (like other "machine-level" instruction sets) will ultimately depend on what level of hiding is being done. Principally, whether you're really just scattering the data (i.e. using a secret scatter algorithm), or actually encrypt/decrypting it, it