[Info-vax] Free Pascal for VMS ?

Arne Vajhøj arne at vajhoej.dk
Wed May 23 21:16:41 EDT 2018


On 5/23/2018 8:19 PM, seasoned_geek wrote:
> On Wednesday, May 23, 2018 at 6:48:04 PM UTC-5, Arne Vajhøj wrote:
>> 
>> The security requirements in GDPR are rather basic.
>> 
>> The companies will get a lot of new obligations towards the people
>> whose data they store.
>> 
>> And some of them will require significant changes to software.
>> 
>> But more robust? I doubt it!
> 
> That certainly wasn't the impression the EU left with their
> questioning of Mark Z.

It is the impression you get if you actually read the GDPR.

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Here are all the places where encryption is mentioned.

<quote>
(83) In order to maintain security and to prevent processing in 
infringement of this Regulation, the controller or processor should 
evaluate the risks inherent in the processing and implement measures to 
mitigate those risks, such as encryption. Those measures should ensure 
an appropriate level of security, including confidentiality, taking into 
account the state of the art and the costs of implementation in relation 
to the risks and the nature of the personal data to be protected. In 
assessing data security risk, consideration should be given to the risks 
that are presented by personal data processing, such as accidental or 
unlawful destruction, loss, alteration, unauthorised disclosure of, or 
access to, personal data transmitted, stored or otherwise processed 
which may in particular lead to physical, material or non-material damage.
</quote>

<quote>
4. Where the processing for a purpose other than that for which the 
personal data have been collected is not based on the data subject's 
consent or on a Union or Member State law which constitutes a necessary 
and proportionate measure in a democratic society to safeguard the 
objectives referred to in Article 23(1), the controller shall, in order 
to ascertain whether processing for another purpose is compatible with 
the purpose for which the personal data are initially collected, take 
into account, inter alia:
...
(e) the existence of appropriate safeguards, which may include 
encryption or pseudonymisation.
</quote>

<quote>
1. Taking into account the state of the art, the costs of implementation 
and the nature, scope, context and purposes of processing as well as the 
risk of varying likelihood and severity for the rights and freedoms of 
natural persons, the controller and the processor shall implement 
appropriate technical and organisational measures to ensure a level of 
security appropriate to the risk, including inter alia as appropriate: 
(a) the pseudonymisation and encryption of personal data;
</quote>

<quote>
3. The communication to the data subject referred to in paragraph 1 shall 
not be required if any of the following conditions are met: (a) the 
controller has implemented appropriate technical and organisational 
protection measures, and those measures were applied to the personal 
data affected by the personal data breach, in particular those that 
render the personal data unintelligible to any person who is not 
authorised to access it, such as encryption;
</quote>

The word "appropriate" appears frequently.

And nobody will disagree that appropriate steps should be taken.

But proving that a given solution is not appropriate will not be
that easy.

It is way too vague.

> The list of viable transport and storage encryptions will change with
> each discovered vulnerability. There are already whispers and rumors
> of groups able to breach TLS.

I will recommend one of these:
   https://en.wikipedia.org/wiki/Tin_foil_hat

>                               Companies will be left with two
> choices.
> 
> 1) Use an OS with a TCP/IP Software Appliance so transport layer
> encryption/security can be changed at will by enabling a different
> plug-in.
> 
> 2) Scramble to hack a new transport layer security method into
> _every_ application in use on their systems.
> 
> Option 2 will prove unsustainable.

No.

SSL (aka TLS) libraries usually get updated centrally.

Not if linked statically into the applications, but that is almost
never done.

Arne
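The point about centrally updated TLS libraries has a practical check that the post does not spell out, so here is an added example (mine, not part of Arne's message or of anything on VMS). It assumes a Linux host with OpenSSL-style sonames (libssl.so.N, libcrypto.so.N): after the package manager replaces the shared library, every process that was already running keeps the old inode mapped until it is restarted, and /proc/<pid>/maps marks that mapping "(deleted)". A process with no libssl/libcrypto mapping at all either does not use TLS or has it linked statically, which is exactly the case a central update cannot fix. The sample maps listings below are constructed.

```python
# Added example (not from the Info-vax post): after a central update of a
# shared TLS library on Linux, find processes that still have the OLD copy
# mapped. The kernel keeps the replaced file's inode alive for them and
# /proc/<pid>/maps shows its path suffixed with "(deleted)". Processes with
# no libssl/libcrypto mapping at all either do not use TLS or have it
# linked statically; a package update cannot fix the latter.
import os
import re
from typing import Dict, List, Tuple

# Assumption: OpenSSL-style sonames (libssl.so.3, libcrypto.so.1.1, ...).
TLS_LIB_RE = re.compile(r"/lib(?:ssl|crypto)\.so[.\d]*(?P<deleted> \(deleted\))?$")


def classify_maps(maps_text: str) -> Tuple[str, List[str]]:
    """Classify one /proc/<pid>/maps listing.

    Returns (status, paths) where status is:
      "stale" - at least one TLS library mapping points at a deleted file
      "fresh" - TLS libraries are mapped and all are the current on-disk files
      "none"  - no TLS shared library mapped (static link, or no TLS at all)
    """
    paths: List[str] = []
    stale = False
    for line in maps_text.splitlines():
        # Format: address perms offset dev inode [path]; path may contain spaces
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no path
        path = fields[5]
        m = TLS_LIB_RE.search(path)
        if not m:
            continue
        if path not in paths:
            paths.append(path)
        if m.group("deleted"):
            stale = True
    if not paths:
        return "none", paths
    return ("stale" if stale else "fresh"), paths


def report(maps_by_pid: Dict[str, str]) -> Dict[str, str]:
    """Map each pid to its status so the stale ones can be restarted."""
    return {pid: classify_maps(text)[0] for pid, text in maps_by_pid.items()}


def read_proc_maps(proc_root: str = "/proc") -> Dict[str, str]:
    """Collect /proc/<pid>/maps for every readable process (root sees all)."""
    result: Dict[str, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                result[entry] = fh.read()
        except OSError:
            continue  # process exited, or not ours to read
    return result


# Constructed sample data standing in for three /proc/<pid>/maps files.
SAMPLE_MAPS = {
    "1001": (  # daemon started before the update: still on the old inode
        "7f00a0000000-7f00a0200000 r-xp 00000000 08:01 5120 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)\n"
        "7f00a0400000-7f00a0900000 r-xp 00000000 08:01 5121 "
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)\n"
        "7ffd10000000-7ffd10021000 rw-p 00000000 00:00 0 [stack]\n"
    ),
    "1002": (  # restarted after the update: maps the current file
        "7f11b0000000-7f11b0200000 r-xp 00000000 08:01 6001 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.3\n"
        "7f11b0400000-7f11b0900000 r-xp 00000000 08:01 6002 "
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.3\n"
    ),
    "1003": (  # statically linked, or no TLS at all: nothing to update here
        "00400000-01a00000 r-xp 00000000 08:01 7777 /opt/app/bin/server\n"
        "7ffe20000000-7ffe20021000 rw-p 00000000 00:00 0 [stack]\n"
    ),
}

if __name__ == "__main__":
    for pid, status in sorted(report(SAMPLE_MAPS).items()):
        print(f"pid {pid}: {status}")
    # On a real Linux host, run as root: report(read_proc_maps())
```

The "stale" set is the list of services to restart after the update; the "none" set is worth a second look, because a binary that speaks TLS but maps no shared libssl is the statically linked case where the fix has to ship with the application instead.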