On 1243421494 seconds since the Beginning of the UNIX epoch
"Marcus Brinkmann" wrote:
>
> However, it also sounds like they are shifting the
> burden of proof. Shouldn't they convince "you" (whoever they make the DRM
> for) that their system is working? Have we really reached a situation where
> non-experts believe that DRM works until proven otherwise? That seems an
> extraordinary marketing success of the sellers of DRM technology, because it
> stands against a mountain of evidence in the history of computing.

I have noticed in my years as a security practitioner that in my experience non-security people seem to assume that a system is perfectly secure until it is demonstrated that it is not with an example of an exploit. Until an exploit is generated, any discussion of insecurity is filed in their minds as ``academic'', ``theoretical'' or ``not real world''. This of course makes it quite difficult to cause various issues to be fixed in practice as it is generally more time consuming to construct and explain an exploit than to simply fix the bug that has been discovered.

The next refrain that one is likely to hear even after demonstrating that a security issue exists is ``How many people know how to do that?'' I've actually heard that in some rather amusing circumstances such as ``Well, how many people actually know how to read or edit XML?'' It is a tricky conversation to explain to people that XML is not in fact an encryption mechanism---especially if they have seen any machine-produced XML recently. Of course, this is one of the more amusing examples but others abound.

I'm interested in asking people what rhetorical techniques they use to overcome such difficulties in practice?

--
Roland Dowdeswell
http://Imrryr.ORG/~elric/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com