<body>
Jonathan's Liverstone

A place of Bile & other Humours.



Schneier on Product Security  

This quote from Bruce Schneier took my fancy ...
Security is orthogonal to functionality. Security has nothing to do with what the product does, or how well it does it, or how good the user interface is.

You can't give a product to a thousand random people, have them beta test it for a month and really learn anything about the security. They can tell you if it works and how functional it is, but they can't tell you if it's broken or not.
Generally, to test security, at least in the real world, you just put the product out there and experienced security professionals, either working for industry, or in academia, or working on their own (commonly known as hackers), find flaws and alert the New York Times and you get your feedback that way. Not terribly useful. But it's where we've ended up.
B. Schneier, "Security in the Real World: How to Evaluate Security Technology," Computer Security Journal, v 15, n 4, 1999, pp. 1-14.



Disclaimer: (I stole this from Internal Affairs.)
All links and references to other websites, organisations or people not within my control are provided for the user's convenience only, and should not be taken as endorsement of those websites, or of the information contained in those websites, nor of organisations or people referred to. I also do not implicitly or impliedly endorse any website, organisation or people who have off-site links to this website.
... But then again; I only link to sites 'cos I see something there that's worth linking to.