Announcing Uncommon Criteria

While there is a desperate need for creative ideas or inventions in the general area of information risk and security controls, specifically for defensive purposes, the implementation phase of innovation is also in need of creativity and care.

Information security products (both goods and services) that are inherently insecure are not uncommon, unfortunately. Aside from simple bugs, implementation issues, incompetence and ineptitude, we occasionally see evidence of fundamental security flaws in the designs, while rumours of backdoors being deliberately inserted by the authorities persist (partly a reflection of justifiable distrust in Big Brother). 

Given the trusted nature of their products, social engineering, insider threats and subterfuge are likely to occur in organizations that produce security products .... so we also need innovation in the area of security assessment and certification of security products, as well as various internal security controls.

In government and military circles, schemes such as Common Criteria improve product assurance but are unbelievably costly. A more affordable version of CC for the general commercial and personal markets would be cool ... so today I am delighted to announce UC (Uncommon Criteria), a brand new cut-price assessment scheme for security innovations. 

Simply send me your idea to evaluate, along with US$10 via PayPal. I'll take a quick look at your suggestion and let you know what I think of it. 

To keep costs down, and in light of my IT audit expertise, I'll respond with a simple numeric code as follows:
  1. Already in production
  2. Already on the market
  3. Already broken
  4. Already withdrawn as a dead loss
  5. Already superceded
  6. Been there done that
  7. Been tried a million times already
  8. Bends the rules
  9. Breaks the law
  10. Breaks the laws of physics
  11. Commercially-challenged
  12. Clumsy
  13. Crude
  14. Costly
  15. Cheesy
  16. Details missing
  17. Details excessive
  18. Details hid the devil
  19. Ethically-challenged
  20. Environmentally unsound
  21. Fantastic, call me, let's talk!
  22. Flammable
  23. Go find another hobby
  24. Grrrrr
  25. Hackers' delight
  26. Have you checked the patent databases?
  27. Impractical
  28. Impracticable
  29. Inflammable
  30. Inherently flawed
  31. Inherently insecure
  32. Intellectually-challenged
  33. Interesting, special even
  34. Joking, right?
  35. JAiT (Just Another insecure Thing)
  36. Killer idea, literally: step away from the keyboard
  37. Lewd
  38. Likely to plummet like a lead brick
  39. Makes no sense
  40. Makes me wonder what you are on
  41. Makes Bill Gates look like a security evangelist
  42. Life, the universe and EVERYTHiNG
  43. Needs more work
  44. Need more coffee
  45. Not new: have you even Googled it yet?
  46. Now I know this, you'll probably have to shoot me
  47. Now you know I know, I know
  48. Over-simplified
  49. Overly-complex
  50. Over-ambitious
  51. Peturbing
  52. Practically infeasible
  53. Risky as a Chinese bungy cord (the jump off a cliff kind)
  54. Shows promise
  55. Shows signs of having been backdoored (painful!)
  56. Shows total disregard for the field
  57. Terrible
  58. Terrifying
  59. Terminal
  60. Trust me, this is the rottenest thing since Edward the Rotter of Rotterdam
  61. Trust me I'm a doctor
  62. Trust me I'm an infosec pro
  63. Trust me, just trust me OK?
  64. Unattractive
  65. Unable to evaluate
  66. Unwilling to evaluate
  67. Unbelievable
  68. Unbelievably naive
  69. Unethical
  70. Unimaginable
  71. Unimpressed
  72. Unconscionable
  73. Unlikely to be fundable
  74. Unworkable
  75. Very very very over-blown: are you in marketing?
  76. Won't fly
  77. Wouldn't even glide
  78. Worst thing since sliced bread
  79. X marks the spot
  80. You should be ashamed, ashamed I say
  81. Zero points, computer says "no"