[Ach] 30C3 talk "The Internet (Doesn't) need another security guide"
David Durvaux
david.durvaux at gmail.com
Tue Jan 14 11:10:22 CET 2014
Hello,
> I finally came around to watching evacide's talk "The Internet (Doesn't)
> need another security guide" [1]
> where she mentions our small project in minute ~ 18 or 19 [2] (Yay!
> Thanks). Spoiler alert: Eva actually says that we need more (targeted,
> good, correct and well defined) guides for sure.
>
That's great!! :-D
> 1. Eva mentioned that bettercrypto.org could use a section on how to
> convince your boss that the company needs hardened Crypto settings and that
> the sysadmins should invest time into that. Do you agree with that point of
> view?
> Should we add such a section?
>
Yes, definitely. Maybe as an appendix / side document / something on the
website?
In my experience, some management levels don't care about that technical
stuff. They see the cost, not necessarily the associated risks (of not using it ;)).
So it would be worth having a good (really short!) paragraph that could serve to convince
your boss that crypto is really useful and why it is worth putting some time
and effort into using it correctly.
> 2. Threat modelling: Eva mentioned that most guides first focus on a
> threat model. We don't really do that so much in ours.
> Are we missing something here?
>
I think that is not our case. We limit ourselves to really practical
settings and good algorithms (theory section). The document does not put any
emphasis on risks, threats, attacks... I would even say that this document is
not trying to scare anybody, just to help admins use crypto :-D.
> 3. Understanding your target audience: it seems we have been doing
> something right, because we first focused on our clearly defined target
> audience. However, I think we need to improve even more in this field: we
> should hand this guide to multiple sysadmins and let them test the guide
> and collect as much feedback as possible.
>
Yes!!
Kr,
David
> So much for my thoughts after watching this talk.
> Hope my thoughts helped or at least inspired you :)
>
> a.
>
>
> [1] https://www.youtube.com/watch?v=VHgs3YcxzXw
> [2] https://www.youtube.com/watch?v=VHgs3YcxzXw&t=18m0s
>
>
> ---
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
--
David DURVAUX