Certification; India & US crippleware

Ian Brown I.Brown at cs.ucl.ac.uk
Thu, 14 Jan 1999 09:41:39 +0000


    ..Cyber Underwriters Laboratories

    The field of computer security has few hard standards: no company
    can certify that its software product is secure. Writing on the
    l0pht Heavy Industries site, Tan <tan@l0pht.com> suggests looking
    to Underwriters Laboratories [11] for a model of Net security
    certification. Using the example of a UL-certified manufacturer
    of safes, Tan writes:

      > Vendors claim to be resistant to certain toolsets for certain
      > amounts of time. This is not what the computer security field
      > looks like today, but is where it needs to go... Customers are
      > pressured by insurance underwriters to use products that meet
      > UL specifications... Until [Net] losses become intolerable and
      > insurance is necessary, there may be no motivation to drive the
      > certification, approval, or listing of [Net security] products
      > by UL or any similar organization.

    Thanks to Keith Bostic <nev@bostic.com> for pointing out this
    proposal.

    [11] http://www.l0pht.com/cyberul.html
    ____________

    ..India warns against US crippleware

    An Indian defense official issued a "red alert" [12] against the
    dangers of depending on cryptography products developed in the US,
    because the US export controls then in force capped the strength
    of exportable products at levels US government agencies could
    break. India might require all local banks and financial
    institutions to buy only home-grown crypto software. The letter
    from the Defence Research and Development Organisation says:

      > To put it bluntly, only insecure software can be exported.
      > When various multinational companies go around peddling
      > 'secure communication software' products to gullible Indian
      > customers, they conveniently neglect to mention this aspect
      > of the US export law.

    [12] http://www.economictimes.com/120199/lead2.htm