[127112] in cryptography@c2.net mail archive
Re: The wisdom of the ill informed
daemon@ATHENA.MIT.EDU (James A. Donald)
Mon Jun 30 12:18:48 2008
Date: Mon, 30 Jun 2008 09:18:04 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: Arshad Noor <arshad.noor@strongauth.com>
CC: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <4867F80B.3040606@strongauth.com>
Arshad Noor wrote:
> While programmers or businesspeople could be ill-informed, Allen,
> I think the greater danger is that IT auditors do not know enough
> about cryptography, and consequently pass unsafe business processes
> and/or software as being secure.
Committees of experts regularly get cryptography wrong - consider, for
example, the Wifi debacle. Each wifi release contains classic and
infamous errors - for example WPA-Personal is subject to offline
dictionary attack.
One would have thought that after the first disaster they would have
hired someone who could do it right, but as Ian long ago pointed out, in
"the market for silver bullets", they are unable to tell who can do it
right. The only people who know who the real experts are, are the real
experts. If you knew who to hire, you could do it yourself, and
probably should do it yourself. So they hire expert salesmen, not
cryptography experts.