lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 27 Sep 2006 10:14:29 +0100
From: "Tom Harrison" <Tom.Harrison@...is.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: Rothman: Belva's a Joker (was Could InfoSec
	beWorse than Death?)

Hi Ken,

Sorry to chime in at this late stage in the thread, but it's one I've been watching and trying to get my head around since you started it and I'm running across similar "problems" to Paul. Because this all seems a little abstract (as such theoretical discussions are wont to be), I'm going to try and put into words (using the least detailed of all descriptions, an analogy) where I fail to see how "Virtual Trust" is anything other than at worst a misnomer and at best a slight marketing advantage:

Cyril lives in Hackton and owns a local news paper, The Hackton Times. Every morning Cyril needs to distribute his product to the general populace (be they subscribers or resellers), to do this he uses paperboys. The paperboys all ride bicycles to get them around Hackton (it's a fairly large area so delivering by hand is impractical). Occasionally these bikes break and need repairing.

In my mind, both the Loss Prevention and Virtual Trust paradigm focus on the delivery condition (the bikes being functional), the only difference being that the Virtual Trust paradigm would advocate the active servicing of bikes (the security of the delivery mechanism) on the basis that this would establish more "Trust" with customers (they're guaranteed to get their paper) as opposed to just actively servicing the bikes as part of a standard working practice.

What I can't see is what actual advantage the Virtual Trust model is bringing beyond the one that loss prevention brings, the same process is happening, the same costs are being incurred and I can't see the slight establishment of trust (even when we get into areas where the reliability of the delivery mechanism is paramount) making much of a difference business wise. The fact you service the bikes isn't going to let you do anything beyond keep the bikes going and say that you service them - there's no extra product or anything new that's created by servicing them. It seems to me that the limited advantage gained by using the Virtual Trust paradigm is outweighed by the fact that a lot of people (myself included atm) are going to see it as a way of highlighting a fairly irrelevant point (Look! We're Secure!) to obfuscate the security process in order to encourage more expenditure. It seems like you're trying to sell Security as something other than a method for making somethin
 g secure.

Sorry if my innane rambling got a little off the mark, I hope you can clear some of this up for me.

Tom Harrison


> Paul, I admit it takes a bit to change one's perspective from the loss
> prevention to the virtual trust perspective. The loss 
> prevention paradigm
> is very embedded so it is easier to think in those terms. But once you
> begin to think about virtual trust, it will come. You will 
> begin to see
> how the security mechanisms allow us to do things rather than simply
> prevent loss. That's the point (which you actually agree with 
> already). It
> just takes a bit to actually live it.
> 
> Ken
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ