On Jun 18, 2012, at 4:21 PM, Jon Callas wrote:
Reviewers don't want a review published that shows they gave a pass on a crap system. Producing a crap product hurts business more than anything in the world. Reviews are products. If a professional organization gives a pass on something that turned out to be bad, it can (and has) destroyed the organization.
On Jun 18, 2012, at 9:03 PM, Matthew Green wrote:
I would really love to hear some examples from the security world. I'm not being skeptical: I really would like to know if any professional security evaluation firm has suffered meaningful, lasting harm as a result of having approved a product that was later broken. I can think of several /counterexamples/, a few in particular from the satellite TV world. But not the reverse. Anyone?
On 2012-06-19 4:14 PM, Jon Callas wrote:
The canonical example I was thinking of was Arthur Andersen, which doesn't meet your definition, I'm sure.
Arthur Andersen was shut down for excessively creative accounting, and if things had stopped there, all would have been fine.
Unfortunately, the shutdown of Arthur Andersen led to Sarbanes–Oxley, which appears to have either made excessively creative accounting mandatory, or else given the remaining big four accountants a roadmap of how to do creative accounting and never have to say you are sorry when MF Global was stealing from its customers on your watch.
Sarbanes–Oxley is best interpreted as the big accountants saying "Hey, we are all doing what Arthur Andersen did, so it needs to be made legal, indeed mandatory."
MF Global stole shitloads of money, but because its theft was Sarbanes–Oxley compliant, there appear to be no consequences.
In general, when the elite are caught lying, cheating, or stealing, the elite close ranks. Similarly, climategate revealed climate scientists cooking their data, with total lack of consequences. Now cooking your data to accord with the expectations of your peers is the new scientific method.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography