lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 23 Jul 2010 11:29:00 -0700
From: bk <chort0@...il.com>
To: Marsh Ray <marsh@...endedsubset.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Expired certificate


On Jul 22, 2010, at 10:12 PM, Marsh Ray wrote:
> On 07/22/2010 10:40 PM, Dan Kaminsky wrote:

> 
>> There are fundamental sources of these failures that are not just
>> "people are stupid".  Remember the tales of failed +$100M PKI
>> deployments around the turn of the millenium?
> 
> I can imagine a PKI project failing.
> 
> But failing after $100M is spent can be only explained by business 
> management problems. This is not a space program we're talking about 
> after all, the PKI technology just isn't that risky.

It's not that it's risky, it's just that the techy people got all carried away with how it should work technically, and by the time they rolled it out to actual workers they realized that it was a usability disaster.  No one is going to deal with that big of a disruption to how they perform their work on a daily basis.  The biggest, grandest schemes always get torpedoed by the smallest human problems.

So far as I know, the only environment PKI is really widely adopted in is the military, because they get to say "you WILL use this smartcard, soldier!  YOU HAVE A PROBLEM WITH THAT?"  Private sector workers can just say "Hah, I'll call that head-hunter back."  Soldiers?  Not so much...

>> Why do you think so much money got spent?
> 
> Consultants!


Consultants:  The people you call when you just can't admit the requirements were ridiculous, but are willing to burn a few million more dollars proving it conclusively.

> The worst idea I've ever heard is probably this:
> http://news.techworld.com/security/3228198/obama-internet-kill-switch-plan-approved-by-us-senate/?olo=rss

Should go without saying.  Oops.

--
chort
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ