Mada R Perdhana <mrp....@gmail.com> writes:

> I think it is too careless if this is just a scam, because the developers
> also threw a request to the public (the information security community) to
> perform tests on their application.

This is a pretty certain sign of ... well, not a scam, but a sign that this is snake oil - something that doesn't really do what it claims. The most important thing this is a sign of is that it is an effort to prove that something is secure by demanding that other people take the trouble to prove it is *not* secure. Which fails disastrously: if no one in the "security community" actually bothers to test it, is it secure, or just untested?

It also fails disastrously because it proves that a set of people, if they actually bother, can't break it. That proves *nothing* about the ability of other folks to do so. This /sounds/ like proof of security, but isn't (even if done as intended), which is a classic sign of snake oil.

> From the existing web site (https://www.xecureit.com/xb/), we could also see that
> they have an affiliation with ISACA and CISSP certification, which in my
> personal opinion is too reckless, to "drag" these two big names into this, since
> it would make a big reaction from the information security communities.

No, there wouldn't, for several reasons. The most important one is that offering CISSP training has nothing at all to do with the "secure" browser they are offering, and they make absolutely no claim that it is connected. The second, and pretty much equally important, reason is that the "information security community" doesn't really give a damn about a fight between Cisco and some tiny little company over the inappropriate use of a Cisco certification.

Now, you might make an argument that they were trying to conflate the presence of those things with any sort of actual security of the product - which would be supporting evidence that they were selling snake oil, not evidence against.

> Maybe some of the security experts in here could also do some tests with that
> thing, to prove whether XB is just a scam or it really works to secure ib
> transactions.

Why on earth would I spend my time trying to prove something like that, rather than just recommend things that are known and understood to work?

You seem to be assuming that the burden of proof is on the "Internet security community" to prove that this is a bad thing. That isn't really how actual security stuff works: there, the burden of proof is on the claimant. If you want us to believe that XB is worth something, prove it. Show the proof that it actually, measurably improves user security.

> Anyway, again.. everything returns to the user, to determine which is the
> most secure (or convenient?) way to conduct an ib transaction.

Are you trying to argue that popularity is a good way to identify the security of a product? Didn't FireSheep show us that was ... hard to support? (Not to mention that we have decades of other proof that security is not a pressing concern for users, but whatever. :)

...and, frankly, that claim only serves to convince me that the term you want is "sucker", not "user", here: the audience are people who are convinced that there is some secret security sauce in the product without actually understanding anything about why it might make them more secure.

Daniel
-- 
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html