Quote:
Originally Posted by EssQue
So basically Lee's statement is worthless?
He is trying to imply Cake is 100% safe, as reported by a "3rd party", but who in their right mind would verify something as 100% safe?
Auditing firms do not even give this level of assurance.
I think it's obvious that Lee meant that network communications have been secured and are up to par with industry standards (PTR seems to confirm), and if so the risk level is acceptable.
It is sort of accepted in the industry that reasonable security happens when it becomes more expensive to attack the system than any potential gains (adjusted for probability of success) from an attack.
From Schneier (http://www.schneier.com/essay-037.html):
No one can guarantee 100% security. But we can work toward 100% risk acceptance. Fraud exists in current commerce systems: cash can be counterfeited, checks altered, credit card numbers stolen. Yet these systems are still successful because the benefits and conveniences outweigh the losses. Privacy systems--wall safes, door locks, curtains--are not perfect, but they're often good enough. A good cryptographic system strikes a balance between what is possible and what is acceptable.
[...]
The good news about cryptography is that we already have the algorithms and protocols we need to secure our systems. The bad news is that that was the easy part; implementing the protocols successfully requires considerable expertise. The areas of security that interact with people--key management, human/computer interface security, access control--often defy analysis. And the disciplines of public-key infrastructure, software security, computer security, network security, and tamper-resistant hardware design are very poorly understood.