> Marcus J. Ranum wrote:
> > For the last 15 years we've been presented with a constant litany of
> > important agencies, sites, and systems that have been hacked into
> > because people don't believe that doing security right is practical.
>
> By the way, I'm not saying it _IS_ practical.
>
> That's the point. Sometimes "practical" doesn't enter into the picture.
> If your systems need to be secure then it's not a matter of practicality;
> they either are secure or they aren't. Actually securing systems is
> hard brain-work and is definitely going to affect the user experience
> in various inconvenient ways. "So what?"
>
> We've seen where "practical" has gotten us.


We've also seen where failing to take the user experience into account
has gotten us - it's fine to say "make the user experience suck" - but
that's one of the sure, documented ways to make sure that the user -will-
find ways to bypass security (whether technical or layer 9).

If nothing else, we can learn from the military, where the user experience
is sometimes dramatically sucky - but there's usually a well understood
threat model and process associated with the suck.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards