Barney Wolff wrote:
>It all depends on whose requirements are being met.


In order to talk meaningfully about requirements, we need to
have informed consumers. We don't. So it's pointless.

How many end customers of computer systems do you know
who could reason effectively about the security properties of
a system vis-a-vis their mission? I think, in my career, I have
met a few dozen - and almost always they're getting hammered
from above and below by co-workers who don't.

I stand by my earlier comment; we're doing it all wrong and
to actually _solve_ these problems we're going to either need
to do something revolutionary or we're going to wind up reinventing
trusted systems very slowly and painfully. It's not the most
efficient way to go about it, especially since the roadmap was
laid out in the early 80s - but computer "science" is the art of
ignoring the past while leaping blindly toward a speculative


PS - ruthless marketing plug! Framed prints of computer security
posters now available from

firewall-wizards mailing list