[cryptography] philosophical question about strengths and attacks at impossible levels

James A. Donald jamesd at echeque.com
Fri Nov 19 22:10:53 EST 2010

Ian G wrote:
> On this I would demur.  We do have a good metric:  losses.  Risk
> management starts from the business, and then moves on to how losses are
> affecting that business, which informs our threat model.
> We now have substantial measurable history of the results of open use
> of cryptography.  We can now substantially and safely predict the result
> of any of the familiar cryptographic components in widespread use,
> within the bounds of risk management.
> The result of 15-20 years is that nobody has ever lost money because of
> a cryptographic failure, to a high degree of reliability.

How about all the money lost because Wifi security does not work?

If the administrator selects encryption for the wifi network, follows 
good practices with passwords, and yet attackers get in, is that not a
cryptographic failure?

A common, perhaps the most common, attack on corporations is to get 
inside the corporate network through wifi, then mount an SQL injection
attack on the corporate database, then steal the corporate database. 
This often causes extremely large monetary losses.
