Trust…
As an individual you can develop trust in another individual through getting to know them, seeing how they respond to situations, etc. Through this information you can determine whether you trust the person or not, as you believe you can guess how that person will respond to a given event (e.g., I trust my wife to buy my clothes as she has shown that she has very good taste and understands what I like through her own clothes and what she has bought for me in the past). This shows that trust is really just personal experience allowing you a level of confidence in the person’s reactions being favourable to yourself.
Unfortunately we are talking about trusting a company here. A company is not an individual. It is a group of individuals each with their own drivers, beliefs, morals and ethics. As such a company cannot be trusted to the same level that a person can. There is no way to truly be confident in your ability to guess how the company will respond to an event, as there will likely be a number of people involved in determining that response. These people are not normally known to you as individuals, and hence may make inconsistent responses based on a number of factors (e.g., inter-personal politics, other company agreements, etc.).
As such, is trust really obtainable in dealing with a company (on a person->company or company->company basis)?
You can hope that the company remains consistant in its actions, but that is probably the limit.
So would I trust WabiSabiLabi? No! While they may have the best intentions and be rigourous in their screening, all it takes is one person to decide to make a quick buck, or one screened company to change its stance internally, and the whole system comes crashing down.
Besides, who would be the buyers? The company who developed the software, security companies looking to sell workarounds…. Can’t really think who else would be interested for legit reasons. The best solution would be for the developers to fix the vunerability, not to have to buy a workaround from a security company.
If you want to improve trust of systems, then the developers need to show that they have done everything possible to secure that system, which should include independent evaluation. If security researchers want to monetize their work, it should be through offering certification based on rigourous testing, not through this almost extortion-like method. Testing such as the DoD OS testing that certifies Operating Systems for particular types of work is what I am thinking of, only aimed at commercial or even consumer levels.
Posted by
on 07/18 at 07:25 PM
Dave,
“Trusted certification” doesn’t fly for me, because not only does the “state of the art” change frequently, so the testing method must adapt—invalidating all previous certifications (good business model, but this is why we have the Common Criteria, really)—but trusted languages and trusted hardware aren’t easy or cheap. Just ask Defence. Take a look at this: http://www.austlii.edu.au/au/other/privacy/smart/ and think what digital trust really means.
You’re absolutley right about software quality, particularly when “software as product/service” is concerned. But I don’t think we’ll solve this problem until after something like this thought provoker becomes law, globally:
http://www.anu.edu.au/people/Roger.Clarke/SOS/PaperLiaby.html
For me, the essence of SOX is to enforce better ethics on a world where the use of technology has permitted much to become possible whose absence underpinned society’s comfort. For me, Trust going digital has, initially, at least been of major benefit only to the untrustworthy.
Posted by
on 07/19 at 12:56 AM
Dave,
There has always been a lot of discussion about what “trust” is and who or what can give and/or receive it. If you Google “digital trust” you’ll get more than 50,000 hits. When, in fact, digital trust is defined as in the Digital Trust report series (download Volume 1 at /aboutus/leadingedgeforum/knowledgelibrary/uploads/LEFReports2007_DigitalTrustVol1.pdf and see all of the references about how trust has historically been defined and used), then I think the answer clearly is “yes” to whether trust can be generated, grown and used to advantage by both organizations and technology. It is more than a matter of examination of software/systems a la the Common Criteria. That only handles one dimension. How technology is deployed and operated (and the generation of evidence during deployment and operation) is just as important as how “good” the software/system was judged to be according to some target of evaluation.
Let the conversation continue!!
Posted by
on 07/19 at 10:43 AM
DIGITAL FORTRESS - The unbreakable code
or “Do you TRUST encryption?“
Are you aware of the book “Digital Fortress” written by Dan Brown? (See: http://www.danbrown.com/novels/digital_fortress/plot.html)
Although not the best book in the world, I found it interesting that a famous writer like Dan Brown picks up encryption as the theme for a novel. I also like the main idea behind the plot:
The NSA has a machine that is able to break any code within a few minutes or hours, until one day when the machine is started and seems to run forever. The NSA eventually finds out that they are being blackmailed by someone (actually a former encryption specialist of the NSA) to disclose the fact they have the machine (telling the whole world that NSA is able to read everything in the world) or else the blackmailer will release the unbreakable code to the world. So all of a sudden the whole world would able to encrypt everything without anyone being ever able to decrypt anything with the encryption secret (including the NSA, which is a big threat to the NSA).
The book has a few flaws and is rather low quality compared to others by the author, but the idea itself is nice, I think, and relates to “Digital Trust” quite well.
Posted by
on 07/23 at 02:36 AM
