[Ach] 30C3 talk "The Internet (Doesn't) need another security guide"

David Durvaux david.durvaux at gmail.com
Tue Jan 14 11:10:22 CET 2014


> I finally came around to watching evacide's talk "The Internet (Doesn't)
> need another security guide" [1]
> where she mentions our small project in minute ~ 18 or 19 [2] (Yay!
> Thanks). Spoiler alert: Eva actually says that we need more (targeted,
> good, correct and well defined) guides for sure.

That's great!! :-D

1. Eva mentioned that bettercrypto.org could use a section on how to
> convince your boss that the company needs hardened Crypto settings and that
> the sysadmins should invest time into that. Do you agree with that point of
> view?
> Should we add such a section?

Yes, definitively.  Maybe as an appendix / side document / something on the
In my experience, some management level doesn't care about those technical
stuff.  They saw the cost not necessary associated risks (of not using ;)).

So having a good (really short!) paragraph that could serve to convince
your boss that crypto is really useful and why it worth to put some time
and effort to correctly use it.

> 2. Threat modelling: Eva mentioned that most guides first focus on a
> threat model. We don't really do that so much in ours.
> Are we missing something here?

I think that it's not our case.  We limit ourself to really practical
settings and good algo (theory section).  The document is not doing any
emphasis risks, threads, attacks... I would even say that this document is
not trying to afraid anybody, just help admin to use crypto :-D.

> 3. Understanding your target audience: it seems we have been doing
> something right, because we first focused on our clearly defined target
> audience. However, I think we need to improve even more in this field: we
> should hand this guide to multiple sysadmins and let them test the guide
> and collect as much feedback as possible.




> So much for my thoughts after watching this talk.
> Hope my thoughts helped or at least inspired you :)
> a.
> [1] https://www.youtube.com/watch?v=VHgs3YcxzXw
> [2] https://www.youtube.com/watch?v=VHgs3YcxzXw&t=18m0s
> ---
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20140114/675af6e9/attachment.html>

More information about the Ach mailing list