Nice Security Mindset Example - cpeterso
https://www.schneier.com/blog/archives/2013/04/nice_security_m.html

======
polemic
Real link: <http://blog.tanyakhovanova.com/?p=277>

~~~
tokenadult
You're right. Khovanova is the original author of the point, and Schneier
added nothing there, so the Schneier link is blogspam.

<http://ycombinator.com/newswelcome.html>

~~~
lloeki
> _blogspam_

Given his expertise, Schneier acts as an excellent curator/aggregator. Also,
by cherry-picking relevant excerpts and framing them with an apt title, the
added value is subtle yet significant enough. Here, the focus in his post is
markedly different than in Khovanova's.

That's why I follow his RSS feed.

------
Maxious
Oh dear. In one of Schneier's previous posts, he mentions graduate students
learning the security mindset through analysing everyday products. One of these
products was 24/7 video monitoring for elderly care... and the CEO of that
company took offense to the security of his product being questioned,
eventually pulling the security-through-obscurity card
[https://cubist.cs.washington.edu/Security/2008/02/10/securit...](https://cubist.cs.washington.edu/Security/2008/02/10/security-review-quiet-care/)

Many of the other products such as OnStar have similar responses -
security-through-obscurity requires the eternal vigilance of constantly
googling your product + "security" ;)

~~~
nnq
If you're in the infosec business you should have a small army of bots looking
for new results on Google searches of "your-product security/exploit/..." and
monitoring sec forums, exploit databases and other things as well, regardless
of whether you do security properly or not. A 12-hour difference between someone
finding news of an exploit and the info getting around to your client, or you
finding out 12 hours earlier from your bots and already working on a fix or
having it fixed, might be the difference between being in and out of business...

~~~
_cash_
Can you give some info on how to set up some of these?

------
markild
I think it's a better example of flawed analogy, but it's still an
entertaining anecdote.

~~~
Androsynth
The post has nothing to do with one-way functions. The point was that it's very
difficult, if not impossible, to consider all the possible attack vectors in a
system, even for someone with a lot of experience, even for a very simple
system.

(also, it's important to get as many eyeballs as possible to examine the
system)

~~~
Scriptor
> (also, it's important to get as many eyeballs as possible to examine the
> system)

More importantly, it's important to get eyeballs that don't have any old
knowledge or assumptions.

------
gluczywo
People say that the smart 8th grader used social engineering, but who knows,
maybe it was an example of hard core information engineering. He might have
thought: "The white pages book is only one representation of the algorithm;
this information may be available somewhere else. Eureka! A rainbow table exists
in the field!"

