[cryptography] Intel RNG

Jon Callas jon at callas.org
Tue Jun 19 02:14:35 EDT 2012


On Jun 18, 2012, at 9:03 PM, Matthew Green wrote:

> On Jun 18, 2012, at 4:21 PM, Jon Callas wrote:
> 
>> Reviewers don't want a review published that shows they gave a pass on a crap system. Producing a crap product hurts business more than anything in the world. Reviews are products. If a professional organization gives a pass on something that turned out to be bad, it can (and has) destroyed the organization.
> 
> 
> I would really love to hear some examples from the security world. 
> 
> I'm not being skeptical: I really would like to know if any professional security evaluation firm has suffered meaningful, lasting harm as a result of having approved a product that was later broken.
> 
> I can think of several /counterexamples/, a few in particular from the satellite TV world. But not the reverse.
> 
> Anyone?

The canonical example I was thinking of was Arthur Andersen, which doesn't meet your definition, I'm sure.

But we'll never get to requiring security reviews if we don't start off seeing them as desirable.

	Jon
