On Tue, Dec 17, 2024 at 12:37:33PM -0500, Jeffrey Walton wrote:
> On Tue, Dec 17, 2024 at 12:29 PM <to...@tuxteam.de> wrote:
> >
> > On Tue, Dec 17, 2024 at 10:59:40AM -0500, Michael Stone wrote:
> > > On Tue, Dec 17, 2024 at 06:45:05AM +0100, to...@tuxteam.de wrote:
> > > > Do you have a reference?
> > > >
> > > > I ask because I'm in the middle of a discussion (and that was my advice,
> > > > too). Seeing what Schneier has to say on that would be very interesting.
> > >
> > > All of this advice is overly simplistic. The right answer depends on
> > > understanding your threats and making a conscious decision what risks you
> > > want to mitigate [...]
> >
> > I know, I know. My introductory sentence is almost literally yours.
> >
> > As times shift, threat models shift accordingly. Back then, when
> > computers and environments were more shared, post-its and shoulder
> > surfing were the main password leak threat, in-between it was the
> > (clear text) transport, these days it's probably phishing and
> > server-side breaches, which -- hopefully! -- yield a database of
> > salted hashes, in which case strong passwords are vital.
> >
> > I'm still very interested in those references, not to follow them
> > blindly, but because they may contain insights I haven't had myself.
> > Especially in the case of Schneier, I'm doubly eager to listen.
> 
> Schneier is security on training wheels. (Not to impugn his work.) It
> is a good introduction, but it is written for a different audience.

Perfect for my purposes. I'm trying to get people to understand that
security is relative (to everything else around it, i.e. the famous
"threat model"). If they end up digesting Schneier's "process, not
product", I'm happy.

> If you really want to satisfy your security related hunger, then read
> Gutmann's Engineering Security[1] or Ross Anderson's Security
> Engineering.[2] I prefer Gutmann because it is so well cited. I often
> pull the cited papers and read them for myself.

Gutmann was mentioned in this thread. Anderson wrote in CACM's "Inside
Risks", right?

Cheers
-- 
t
