- security News Forums
- > NIST-certified USB Flash drives with har...
- > FIPS-validated, but not real-world hacker tested
Posting 
FIPS-validated, but not real-world hacker tested 07 January 2010 15:56
The entire FIPS-validation and EAL-security accreditation processes
are simply not designed for the real world. They are near-laboratory
tests within constrained environments on defined equipment testing
for specific, precisely claimed abilities. Its "untestable" to make
a marketing claim of super-duper security. They are a means to make
sure the system that makes products can be (somewhat) trusted, not
necessarily the product themselves. For example, Windows is
accredited but look at its zillions of vulnerabilities.
To realistically test, hire a penetration and/or reverse engineering
team, give them plenty of sample, all the data anyone could possibly
find out about the product, and a good bit of time.
To REALLY test a product, next do the same in a public forum by
holding a hack / crack contest and offer a large reward paid
anonymously and optionally recognition.
- Threaded View
- Flat View
