Open Source and information security mailing list archives
 
Date: Sat May 21 17:13:58 2005
From: h_hikita at yahoo.co.jp (HHikita)
Subject: Can ISO15408 evaluated products be trusted?

Nora Barrera wrote:

>I was told that "internal risk" is not taken into
>account in Japan. No employee would hack his own
>company.
>  
>
The traditional employment system in Japan was "Shuushin Koyou".
You were basically assured your job until retirement.
So before there was any information technology, 30 years of your
annual income was enough to mitigate most threats.

There are still companies which do not take "internal risk" into
account, and you are able to read about their consequences
in the newspapers daily.

>How can this be evaluated? The evaluation laboratory
>says "Not clear, not understandable". And the guy who
>wrote the description answers "you are too stupid to
>understand it". What happens next?
>  
>

The evaluator would at least have to specify where and/or what in the
Security Target he finds to be "Not clear, not understandable". And the
developer is given a chance to take action against these claims.

If the issue is not resolved at the end of the evaluation, then the
verdict would be "fail" or "inconclusive".

>_Supposed_
>You said it!
>
You would have to do some homework on the kind of product the PP or ST
is about.
