[cryptography] preventing protocol failings

Arshad Noor arshad.noor at strongauth.com
Tue Jul 5 12:40:41 EDT 2011


On 07/05/2011 09:09 AM, Steven Bellovin wrote:
>
> More importantly (and to pick a less extreme scenario), security isn't
> an absolute, it's a matter of economics.  If the resource you're
> protecting isn't worth much, why should you spend a lot?

And, one does not need to guess at how much "a lot" is; the legal
community uses a ruling from 1947, issued by Judge Learned Hand in
the case of United States vs. Carroll Towing Co., to determine how
much someone should have spent:

http://en.wikipedia.org/wiki/United_States_v._Carroll_Towing_Co.
or
http://en.wikipedia.org/wiki/Calculus_of_negligence

The only issue with our rather immature security industry is that,
without a central repository of information about attacks (that
might have provided quantitative data to researchers), it's very hard
to calculate estimated damage.

Arshad Noor
StrongAuth, Inc.


