* Posts by Bhavin Desai

9 posts • joined 3 Oct 2007

TSA says 'checkpoint friendly' laptop bags on the way

Bhavin Desai
Flame

Why the fuss about liquids?

What about Semtex and C4, which are more like a plastic or a paste?

Nigerian duped gullible NASA employee

Bhavin Desai
Paris Hilton

The "S" in NASA...

...is not for "Security".

Of laptops and US border searches

Bhavin Desai
Paris Hilton

The Arnold Search

Although I am not a lawyer, I think the search on Michael Timothy Arnold was reasonable and justified because:

"They were also suspicious because Arnold could not remember the name of the company where he had once worked as a night auditor and appeared "fidgety." "

Probably a lot of material in other laptops has already got through because the carrier stayed calm. Although a knowledge of Body Language is useful, the theory sometimes breaks down in a real life stressful scenario.

eBay gets negative feedback about ban on negative feedback

Bhavin Desai
Linux

There are easier ways to find physical addresses!!!

Physical addresses of businesses and companies are freely available in local newspapers, Yellow Pages, The Phone Book, Companies House website, and many other sources. Is there anything particularly special about eBay requiring companies to display their physical address?

What exactly is the problem?

Telling lies to a computer is still lying, rules High Court

Bhavin Desai
Happy

A bit of synchronicity

"closed his or her eyes to what, if they had thought about it for a moment, was blindingly obvious"

A nice bit of synchronicity: they closed their eyes since it was "blindingly obvious".

'Fiendish' Trojan pickpockets eBay users

Bhavin Desai
Paris Hilton

Chargeback

There are many stories of PayPal (for eample) transactions where the buyer pays and gets the item, but then does a chargeback (even as late as six months).

Therefore, surely she can do a chargeback on the destination account?

Check Point plays down FireWall-1 bug reports

Bhavin Desai

A Quick Note on Common Criteria and Penetration Testing

There is a difference in scope and objectives between Common Criteria evaluation and penetration testing.

Common Criteria evaluation focuses primarly on ensuring that there are no exploitable vulnerabilities in the composite environment formed by the Product being evaluated together with the Physical, Procedureal, and Personnel countermeasures established by the System (or Site) Security Policy.

Penetration testing attempts to find ANY kind of security problem and focuses ONLY on the product being tested (regardless of any other aspects of the environment).

The difference in scope between Common Criteria and penetration testing often leads to misunderstanding and confusion. Each side has its "truth" but the other side "can't handle the truth". This has been the case for many years.

In particular, it is possible for a product to get a Common Criteria certificate even if it has multiple security faults, provided that the securely configured product in its securely configured environment has no exploitable vulnerabilities.

There are also the usual issues about the attacker wanting recognition & prestige, and the victim wanting damage limitation to preserve image & business.

This post has been deleted by a moderator

Bhavin Desai

A Quick Note on Common Criteria and Penetration Testing

There is a difference in scope and objectives between Common Criteria evaluation and penetration testing.

Common Criteria evaluation focuses primarly on ensuring that there are no exploitable vulnerabilities in the composite environment formed by the Product being evaluated together with the Physical, Procedureal, and Personnel countermeasures established by the System (or Site) Security Policy.

Penetration testing attempts to find ANY kind of security problem and focuses ONLY on the product being tested (regardless of any other aspects of the environment).

The difference in scope between Common Criteria and penetration testing often leads to misunderstanding and confusion. Each side has its "truth" but the other side "can't handle the truth". This has been the case for many years.

In particular, it is possible for a product to get a Common Criteria certificate even if it has multiple security faults, provided that the securely configured product in its securely configured environment has no exploitable vulnerabilities.

There are also the usual issues about the attacker wanting recognition & prestige, and the victim wanting damage limitation to preserve image & business.

Biting the hand that feeds IT © 1998–2019